Security issue with Distutils register is still actual
Hello,
Does anybody care that PyPI passwords are stored in a well-known location in cleartext and developers are forced to store them when they submit packages for review? http://bugs.python.org/issue9995
-- anatoly t.
On Wed, Nov 3, 2010 at 10:47 AM, anatoly techtonik <techtonik@gmail.com> wrote:
Hello,
Does anybody care that PyPI passwords are stored in a well-known location in cleartext and developers are forced to store them when they submit packages for review? http://bugs.python.org/issue9995
We have hundreds of bugs to fix for distutils. If you propose a patch + test, things will speed up. There are already tests for various register/upload scenarios, so it should not be hard to copy-paste one to create your test.
-- anatoly t.
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
-- Tarek Ziadé | http://ziade.org
On Wed, Nov 3, 2010 at 7:35 AM, Tarek Ziadé <ziade.tarek@gmail.com> wrote:
On Wed, Nov 3, 2010 at 10:47 AM, anatoly techtonik <techtonik@gmail.com> wrote:
Hello,
Does anybody care that PyPI passwords are stored in a well-known location in cleartext and developers are forced to store them when they submit packages for review? http://bugs.python.org/issue9995
We have hundreds of bugs to fix for distutils. If you propose a patch + test, things will speed up. There are already tests for various register/upload scenarios, so it should not be hard to copy-paste one to create your test.
While that's usually a reasonable response, this isn't a bug. This is a case where we need to come up with a better way of doing things. Someone needs to propose something and folks need to weigh in.
Jim
On Wed, Nov 3, 2010 at 9:58 AM, Jim Fulton <jim@zope.com> wrote:
On Wed, Nov 3, 2010 at 7:35 AM, Tarek Ziadé <ziade.tarek@gmail.com> wrote:
On Wed, Nov 3, 2010 at 10:47 AM, anatoly techtonik <techtonik@gmail.com> wrote:
Hello,
Does anybody care that PyPI passwords are stored in a well-known location in cleartext and developers are forced to store them when they submit packages for review? http://bugs.python.org/issue9995
We have hundreds of bugs to fix for distutils. If you propose a patch + test, things will speed up. There are already tests for various register/upload scenarios, so it should not be hard to copy-paste one to create your test.
While that's usually a reasonable response, this isn't a bug.
I should have looked more carefully at the issue. The refusal to use a password without storing it *is* a fairly narrow bug.
This is a case where we need to come up with a better way of doing things. Someone needs to propose something and folks need to weigh in.
I would love to see a solution to the broader problem. I really don't want to have to enter a password every time I upload a package. I guess a good solution would be to integrate with existing password-management tools. This could be prototyped as a separate upload tool.
Jim
-- Jim Fulton
On Wed, Nov 3, 2010 at 3:03 PM, Jim Fulton <jim@zope.com> wrote:
On Wed, Nov 3, 2010 at 9:58 AM, Jim Fulton <jim@zope.com> wrote:
On Wed, Nov 3, 2010 at 7:35 AM, Tarek Ziadé <ziade.tarek@gmail.com> wrote:
On Wed, Nov 3, 2010 at 10:47 AM, anatoly techtonik <techtonik@gmail.com> wrote:
Hello,
Does anybody care that PyPI passwords are stored in a well-known location in cleartext and developers are forced to store them when they submit packages for review? http://bugs.python.org/issue9995
We have hundreds of bugs to fix for distutils. If you propose a patch + test, things will speed up. There are already tests for various register/upload scenarios, so it should not be hard to copy-paste one to create your test.
While that's usually a reasonable response, this isn't a bug.
I should have looked more carefully at the issue. The refusal to use a password without storing it *is* a fairly narrow bug.
Yes, this is a bug. The password should be reused by upload. There's code for this but it seems to fail.
This is a case where we need to come up with a better way of doing things. Someone needs to propose something and folks need to weigh in.
I would love to see a solution to the broader problem.
I really don't want to have to enter a password every time I upload a package.
me neither :)
I guess a good solution would be to integrate with existing password-management tools. This could be prototyped as a separate upload tool.
I have mentored a project in GSOC last year exactly for this case: keyring (available at PyPI).
It is already successfully used in Mercurial (mercurial-keyring), which suffers the same problem when doing http/https.
The next step was to integrate keyring in distutils/upload but was not done yet due to a lack of time.
Tarek
-- Tarek Ziadé | http://ziade.org
On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <ziade.tarek@gmail.com> wrote:
I should have looked more carefully at the issue. The refusal to use a password without storing it *is* a fairly narrow bug.
Yes, this is a bug. The password should be reused by upload. There's code for this but it seems to fail.
Fix landed. http://bugs.python.org/issue9995
This is a case where we need to come up with a better way of doing things. Someone needs to propose something and folks need to weigh in.
I would love to see a solution to the broader problem.
I really don't want to have to enter a password every time I upload a package.
me neither :)
Does anybody know where the documentation on supported authentication in PyPI is?
I guess a good solution would be to integrate with existing password-management tools. This could be prototyped as a separate upload tool.
I have mentored a project in GSOC last year exactly for this case: keyring (available at PyPI).
It is already successfully used in Mercurial (mercurial-keyring), which suffers the same problem when doing http/https.
The next step was to integrate keyring in distutils/upload but was not done yet due to a lack of time.
Network protection is still weak. The password is sent nearly in cleartext.
-- anatoly t.
On Wed, Nov 3, 2010 at 3:56 PM, anatoly techtonik <techtonik@gmail.com> wrote:
On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <ziade.tarek@gmail.com> wrote:
I should have looked more carefully at the issue. The refusal to use a password without storing it *is* a fairly narrow bug.
Yes, this is a bug. The password should be reused by upload. There's code for this but it seems to fail.
Fix landed. http://bugs.python.org/issue9995
This is a case where we need to come up with a better way of doing things. Someone needs to propose something and folks need to weigh in.
I would love to see a solution to the broader problem.
I really don't want to have to enter a password every time I upload a package.
me neither :)
Does anybody know where the documentation on supported authentication in PyPI is?
I guess a good solution would be to integrate with existing password-management tools. This could be prototyped as a separate upload tool.
I have mentored a project in GSOC last year exactly for this case: keyring (available at PyPI).
It is already successfully used in Mercurial (mercurial-keyring), which suffers the same problem when doing http/https.
The next step was to integrate keyring in distutils/upload but was not done yet due to a lack of time.
Network protection is still weak. The password is sent nearly in cleartext.
Right, we'd want to use https as well. Presumably, that's the easy part.
Jim
-- Jim Fulton
2010/11/3 Jim Fulton <jim@zope.com>:
On Wed, Nov 3, 2010 at 3:56 PM, anatoly techtonik <techtonik@gmail.com> wrote:
On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <ziade.tarek@gmail.com> wrote:
I should have looked more carefully at the issue. The refusal to use a password without storing it *is* a fairly narrow bug.
Yes, this is a bug. The password should be reused by upload. There's code for this but it seems to fail.
Fix landed. http://bugs.python.org/issue9995
This is a case where we need to come up with a better way of doing things. Someone needs to propose something and folks need to weigh in.
I would love to see a solution to the broader problem.
I really don't want to have to enter a password every time I upload a package.
me neither :)
Does anybody know where the documentation on supported authentication in PyPI is?
I guess a good solution would be to integrate with existing password-management tools. This could be prototyped as a separate upload tool.
I have mentored a project in GSOC last year exactly for this case: keyring (available at PyPI).
It is already successfully used in Mercurial (mercurial-keyring), which suffers the same problem when doing http/https.
The next step was to integrate keyring in distutils/upload but was not done yet due to a lack of time.
Network protection is still weak. The password is sent nearly in cleartext.
Right, we'd want to use https as well. Presumably, that's the easy part.
+1.
Jim
-- Jim Fulton
-- Tarek Ziadé | http://ziade.org
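The two concerns raised in this thread, a cleartext password in the well-known `.pypirc` and credentials sent over plain http, can be checked mechanically. The following is an added example, not code from distutils or from anyone on the thread: it audits a constructed `.pypirc` in the format `register`/`upload` read, and resolves the password through a pluggable `lookup(service, username)` callable whose shape matches `keyring.get_password` so the file copy becomes a fallback rather than the primary store. The sample config, usernames and password are constructed values; `keyring` itself is not imported so the block runs offline.

```python
import configparser

# Constructed sample .pypirc (not a real file); the pypi entry shows both weak settings.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
repository: http://pypi.python.org/pypi
username: example-user
password: hunter2

[internal]
repository: https://pypi.example.invalid/simple
username: example-user
"""


def audit_pypirc(text):
    """Return (server, finding) pairs for every configured index server."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    findings = []
    for name in cp.get("distutils", "index-servers").split():
        if cp.has_option(name, "password"):
            findings.append((name, "cleartext password stored in .pypirc"))
        repo = cp.get(name, "repository", fallback="")
        if repo and not repo.startswith("https://"):
            findings.append((name, "repository URL is not https; credentials travel unprotected"))
    return findings


def permissions_too_open(mode):
    """True when group or other can read the file (mode is the st_mode permission bits)."""
    return (mode & 0o077) != 0


def resolve_password(text, server, lookup):
    """Prefer a password-manager lookup (e.g. keyring.get_password) over the file copy."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    username = cp.get(server, "username")
    password = lookup(server, username)
    if password is None and cp.has_option(server, "password"):
        password = cp.get(server, "password")  # legacy fallback: cleartext in .pypirc
    return username, password
```

With a real keyring backend, `resolve_password(text, "pypi", keyring.get_password)` returns the stored secret without it ever touching `.pypirc`.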