[Catalog-sig] [distutils] make the storage of the password optional in .pypirc
Tarek Ziadé
ziade.tarek at gmail.com
Sun Jan 11 10:29:21 CET 2009
On Sun, Jan 11, 2009 at 4:35 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> Not only are PyPI passwords stored in the clear on user's hard drives,
>> they are sent in the clear on every authenticated request to the web
>> interface (basic auth over unencrypted HTTP): it seems to me we ought
>> to worry about both those issues more.
>
> Perhaps. Contributions are welcome.
Can we finish on the PyPI mirroring contribution before we start this one?
(since you are our entry point, Martin, on these topics)

I have finished my tests on my side. And I have a branch ready here:
https://svn.python.org/packages/branches/tarek-pypi/pypi/

I would like to make more tests with a realistic flow of data, and
I am waiting for some feedback/help on this work.

Here's how we could proceed:

phase 1 : proving non-regression

1 - I need access to the PyPI log files produced by Apache
(a simple browsable view of the log directory should be enough and
not risky)

2 - on my side I can grab those files daily right and put them on my
PyPI server instance, and run the process as if I were on the real
server.

3 - I will make this version reachable on my server, so we can check
that there's no regression = the count of the package that existed
before the dump I had should be equal and grow the same way on both sides.

phase 2 - testing the mirroring

4 - I will maintain a fake "mirror" that will be registered and will
provide realistic stats (a copy of the PyPI Apache log, where I will
keep just one hit per package file)

5 - we will validate that the global-stats and local-stats files
generated are right, and that the counts are the sum of PyPI and the
mirror. (pypi+1)

If we can do that before PyCon, maybe the PyCon sprints could be the place where
we launch the mirroring, and start the SSH project if Jean-Paul and
others are willing to jump in?
Regards
Tarek
--
Tarek Ziadé | Association AfPy | www.afpy.org
Blog FR | http://programmation-python.org
Blog EN | http://tarekziade.wordpress.com/