[Catalog-sig] [distutils] make the storage of the password optional in .pypirc
ziade.tarek at gmail.com
Sun Jan 11 10:29:21 CET 2009
On Sun, Jan 11, 2009 at 4:35 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> Not only are PyPI passwords stored in the clear on user's hard drives,
>> they are sent in the clear on every authenticated request to the web
>> interface (basic auth over unencrypted HTTP): it seems to me we ought
>> to worry about both those issues more.
> Perhaps. Contributions are welcome.
Can we finish on the PyPI mirroring contribution before we start this one ?
(since you are our entry point Martin on these topics)
I have finished my tests on my side. And I have a branch ready here
I would like to make more tests with a realistic flow of data, and
I am waiting for some feedback/help on this work.
here's how we could proceed:
phase 1 : proving non-regression
1 - I need an access to the pypi log files produced by Apache
(a simple browsable view of the log directory should be enough and
2 - on my side I can grab those files daily right and put them on my
PyPI server instance, and run the process like if I was on the real
3 - I will make this version reachable on my server, so we can check
that there's no regression = the count of the package that existed
before the dump I had should be equal and grow the same way on both sides.
phase 2 - testing the mirroring
4 - I will maintain a fake "mirror" that will be registered and will
provide realistic stats (a copy of the pypi apache log, where I will
keep just one hit per package file)
5 - we will validate that the global-stats and local-stats files
generated are right, and that the counts are the sum of pypi and the
If we can do that before Pycon maybe Pycon sprints could be the place where
we launch the mirroring, and start the SSH project if Jean-Paul and
others are willing to jump in ?
Tarek Ziadé | Association AfPy | www.afpy.org
Blog FR | http://programmation-python.org
Blog EN | http://tarekziade.wordpress.com/
More information about the Catalog-SIG