[Distutils] [Catalog-sig] [distutils] make the storage of the password optional in .pypirc

Tres Seaver tseaver at palladion.com
Sun Jan 11 01:40:54 CET 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin v. Löwis wrote:
>>>> Here's some:  how about instead of an ssh-like system, use ssh itself.  Front
>>>> PyPI with an ssh server that users connect to.  That way it is both secure and
>>>> the infrastructure (agent, etc.) is already in place.
>>> Yes please.  I'd rather have one agent running and reuse my SSH key for
>>> authentication.
>> That would be awesome indeed. But that would involve quite some
>> changes on server side,
>> I'll forward this mail to catalog-sig for Richard, Martin and others's feedback
> 
> I'm fairly skeptical. First, the infrastructure is *not* yet in place.
> Nobody has uploaded SSH keys to PyPI, and in order to allow SSH access,
> we probably would need to create a Unix account, which then runs a fixed
> (Python) program on ssh login.

Right, a single account with multiple keys (each with 'command='do_pypi
- -u <userid>').

> That is much less secure than the current
> setup, in the sense that this program can probably tricked much easier
> than Apache can. So it opens a door for people hacking into the system;
> all they have to do is to create a fake PyPI account and upload an SSH
> key...

Zope has been using the 'command=' bit to do SSH-protected CVS / SVN
access since 2000 with a lot of success;  370+ committers have keys on
the system.  The command being executed is actually a small shell
script, which barfs if the program being run is not one of 'svn', 'cvs',
or 'scp' (for uploading tarballs).

> To improve password storage, I think it would be better to use the
> platform's secure password storage services where available (e.g.
> OSX Keychain, KDE KWallet, etc). Of course, such a library should be
> developed independently of distutils. For Keychain, there is already
> 
> http://muffinresearch.co.uk/archives/2008/02/05/python-keychainpy-access-to-the-mac-osx-keychain/

Not only are PyPI passwords stored in the clear on user's hard drives,
they are sent in the clear on every authenticated request to the web
interface (basic auth over unencrypted HTTP):  it seems to me we ought
to worry about both those issues more.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJaUAW+gerLs4ltQ4RAhFXAJ47WOzMAe12m+YD5BNu22BzTU+QRQCeLTbX
DSaVk1I96K5mzaZro98HUTU=
=8sRs
-----END PGP SIGNATURE-----

More information about the Distutils-SIG mailing list