@@ -732,25 +732,9 @@ account. There are two options:
7327321. Create an account manually `using the form on the PyPI website
733733 <https://pypi.python.org/pypi?%3Aaction=register_form> `_.
734734
735- 2. Have an account created as part of registering your first project (see option
736- #2 below).
737-
738-
739- Register your project
740- ---------------------
741-
742- Next, you need to register your project. There are two ways to do this:
743-
744- 1. **(Recommended): ** Use `the form on the PyPI website
745- <https://pypi.python.org/pypi?%3Aaction=submit_form> `_, to upload your
746- ``PKG-INFO `` info located in your local project tree at
747- ``myproject.egg-info/PKG-INFO ``. If you don't have that file or directory,
748- then run ``python setup.py egg_info `` to have it generated. Using the form is
749- a secure option over using #2 below, which passes your credentials over
750- plaintext.
751- 2. Run ``python setup.py register ``. If you don't have a user account already,
752- a wizard will create one for you.
753-
735+ 2. **(Not recommended): ** Have an account created as part of
736+ registering your first project (not recommended due to the
737+ related security concerns, see option #3 below).
754738
755739If you created your account using option #1 (the form), you'll need to manually
756740write a ``~/.pypirc `` file like so.
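Review bot: the new option 2 (lines 735-737 of the new file) says "not recommended" twice in one list item, once in the bold label and again in the parenthetical; drop the parenthetical repetition and keep only the reason, e.g. "2. **(Not recommended):** Have an account created as part of registering your first project (see option #3 below for the security concern)." The bare "option #3 below" also points into a numbered list that this same commit moves into a different section after the ``~/.pypirc`` instructions, so a list renumbering there will silently break the pointer; a ``:ref:`` to the register section would survive such edits.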
@@ -765,8 +749,33 @@ write a ``~/.pypirc`` file like so.
765749 username = <username>
766750 password = <password>
767751
768- You can leave out the password line if below you use twine with its
769- ``-p PASSWORD `` argument.
752+ You can leave out the password line if you use twine with its
753+ ``-p PASSWORD `` argument or prefer to simply enter your password
754+ when prompted.
755+
756+
757+ Register your project
758+ ---------------------
759+
760+ Next, if this is the first release, you currently need to explicitly register your
761+ project prior to uploading.
762+
763+ There are three ways to do this:
764+
765+ 1. Use `the form on the PyPI website
766+ <https://pypi.python.org/pypi?%3Aaction=submit_form> `_, to upload your
767+ ``PKG-INFO `` info located in your local project tree at
768+ ``myproject.egg-info/PKG-INFO ``. If you don't have that file or directory,
769+ then run ``python setup.py egg_info `` to have it generated.
770+ 2. Run ``twine register dist/* ``, and :ref: `twine ` will register your project
771+ based on the package metadata in the specified files. Your ``~/.pypirc ``
772+ must already be appropriately configured for twine to work.
773+ 3. **(Not recommended): ** Run ``python setup.py register ``. If you don't have
774+ a user account already, a wizard will create one for you. This approach is
775+ covered here due to it being mentioned in other guides, but it is not
776+ recommended as it may use a plaintext HTTP or unverified HTTPS connection
777+ on some Python versions, allowing your username and password to be intercepted
778+ during transmission.
770779
771780
772781Upload your distributions
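Review bot: the "not recommended" rationale for ``python setup.py register`` (new lines 775-778) is repeated word for word for ``python setup.py upload`` in the upload section of this same patch; the two copies will drift, so state it once (a single paragraph or a ``.. |...| replace::`` substitution referenced from both lists) and have the other item point at it. "on some Python versions" is also too vague to act on: a reader on a patched interpreter cannot tell whether it applies to them, so name the affected versions or link to the change that fixed it. Finally, "you currently need to explicitly register" leaves "currently" unexplained; either say under what condition it is required or drop the word.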
@@ -777,7 +786,7 @@ Finally, you can upload your distributions to :term:`PyPI <Python Package Index
777786
778787There are two options:
779788
780- 1. ** (Recommended): ** Use :ref: `twine `
789+ 1. Use :ref: `twine `
781790
782791 ::
783792
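Review bot: removing the "(Recommended)" label from the twine item while the later hunk adds "(Not recommended)" to the setuptools item leaves the "There are two options:" list with one unlabeled entry, so the reader only learns which one is preferred from the paragraphs that follow; consider keeping a short "(Recommended)" here so the two items are labeled symmetrically, matching the labeling style the register list in this patch uses.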
@@ -786,7 +795,7 @@ There are two options:
786795 The biggest reason to use twine is that ``python setup.py upload `` (option #2
787796 below) uploads files over plaintext. This means anytime you use it you expose
788797 your username and password to a MITM attack. Twine uses only verified TLS to
789- upload to PyPI protecting your credentials from theft.
798+ upload to PyPI in order to protect your credentials from theft.
790799
791800 Secondly it allows you to precreate your distribution files. ``python
792801 setup.py upload `` only allows you to upload something that you've created in
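Review bot: the unchanged context at lines 795-797 still states unconditionally that ``python setup.py upload`` "uploads files over plaintext", while the new text this patch adds to the setuptools option says it "may use a plaintext HTTP or unverified HTTPS connection on some Python versions"; the two claims on one page disagree, so align this paragraph with the more precise new wording (and mention the unverified-HTTPS case here as well, since that is the MITM exposure the paragraph is warning about).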
@@ -800,12 +809,16 @@ There are two options:
800809 the one directly executing ``gpg --detach-sign -a <filename> ``.
801810
802811
803- 2. Use :ref: `setuptools `:
812+ 2. ** (Not recommended): ** Use :ref: `setuptools `:
804813
805814 ::
806815
807816 python setup.py sdist bdist_wheel upload
808817
818+ This approach is covered here due to it being mentioned in other guides, but it
819+ is not recommended as it may use a plaintext HTTP or unverified HTTPS connection
820+ on some Python versions, allowing your username and password to be intercepted
821+ during transmission.
809822
810823----
811824
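Review bot: the inline markup ``** (Not recommended): **`` at new line 812 has whitespace directly after the opening ``**``, which reStructuredText does not recognize as strong emphasis, so it will render as literal asterisks; write it as ``**(Not recommended):**`` to match the form used in the register list earlier in this patch. The added paragraph at lines 818-821 also duplicates the register section's rationale verbatim; point at that text rather than copying it.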