Hi!
I released devpi-server 4.2.0.
This is a security and functional update. Please read the full changelog
below for details. The following changes are the most important:
- We use different password hashing.
- By default the replication protocol is now disabled.
- Pushing releases to PyPI has been fixed for the recent changes made to
the upload API.
- Server state is now only created when using the new --init option.
- We now support IPv6 by using waitress >= 1.0.1.
If you need support, training, adjustments wrt packaging and
professional testing you may contact us through http://merlinux.eu.
Regards,
Florian Schulze
Full changelog:
SECURITY NOTE:
Before devpi-server 4.2.0 passwords were hashed with a very weak
algorithm. It’s strongly recommended to change any passwords created
before 4.2.0 after upgrading! The password salt and hashes are exposed
via the /+changelog URL used for replication. If you use replication you
should use client side certificates or https with basic authentication
to secure /+changelog.
UPGRADE NOTE:
Starting with devpi-server 4.2.0 the replication protocol is disabled by
default to prevent accidental information leaks, like password hashes.
To enable the replication protocol, you have to use --role master when
starting the master devpi-server instance.
- fix issue378: the replication protocol is now disabled by default.
- fix push to PyPI by skipping failing “register” step and adding
additional fields in POST data on “file_upload”.
- fix issue372: correctly set isolation_level for sqlite3 connections.
This also fixes Python 3.6 compatibility.
- fix issue334: The event handler for the simple page cache failed when an
index was deleted and a new replica tried to run the event hooks.
- fix issue314: Fetch external file on replica from original source if
master is down.
- fix issue363: Replace weak password hashing with argon2 using passlib.
Existing logins will be migrated on login.
- fix issue377: Add new --init option required to initialize a server
directory. This prevents accidental use of wrong or empty --serverdir.
- fix issue285: require waitress >= 1.0.1 to enable IPv6 support.
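The "migrated on login" behaviour described for issue363 follows a common pattern: store the scheme with each hash, verify against whatever scheme the stored value uses, and re-hash with the strong scheme once the correct password is seen. The following is an added illustration, not devpi's own code; it assumes a constructed unsalted SHA-1 digest as the "weak" stand-in (not devpi's actual pre-4.2.0 algorithm) and uses stdlib scrypt in place of passlib's argon2 so it runs without third-party packages.

```python
import hashlib
import hmac
import os

# Constructed scheme tags (assumption): "weak" stands in for the old
# algorithm, "scrypt" stands in for passlib's argon2.
WEAK = "weak"
STRONG = "scrypt"


def hash_weak(password: str) -> str:
    # Unsalted, fast digest: the kind of hash that is cheap to crack
    # once it leaks, e.g. through an unprotected replication endpoint.
    return WEAK + "$" + hashlib.sha1(password.encode()).hexdigest()


def hash_strong(password: str, salt: bytes = b"") -> str:
    # Salted, memory-hard hash; a fresh random salt per password.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "$".join([STRONG, salt.hex(), digest.hex()])


def verify(stored: str, password: str) -> bool:
    # Dispatch on the scheme tag so old and new hashes both verify.
    scheme, _, rest = stored.partition("$")
    if scheme == WEAK:
        return hmac.compare_digest(hash_weak(password), stored)
    if scheme == STRONG:
        salt_hex, _, _ = rest.partition("$")
        candidate = hash_strong(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    return False  # unknown scheme: never accept


def needs_update(stored: str) -> bool:
    return not stored.startswith(STRONG + "$")


def login(users: dict, name: str, password: str) -> bool:
    # Only a successful login yields the plaintext needed to re-hash,
    # so migration can happen here and nowhere else.
    stored = users.get(name)
    if stored is None or not verify(stored, password):
        return False
    if needs_update(stored):
        users[name] = hash_strong(password)
    return True
```

Accounts that never log in again keep their weak hash, which is why the note above still recommends changing passwords created before 4.2.0 rather than relying on migration alone.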
Hi there,
I am in the situation where I have to install an egg-server on an AIX box with
various flaws - in particular the complete SSL cert verification for
python.org and pypi.python.org is broken. There is nothing that can be done
to fix the broken state of the box. Would it be possible to install devpi
and disable all related SSL cert checks on a global basis, or do I have to
walk through the complete devpi code or the underlying module dealing with
http/s?
Andreas