Re: [pydotorg-www] PyPI security notice
I went through the procedure more than once and have received nothing on my e-mail account. How long might I have to wait

---
Ian Mackey
Network Services Manager
University Computing Service - University of Cambridge
New Museums Site
Pembroke Street
Cambridge CB2 3QH
Tel:[+44/0]1223 768963
e-mail: iwm21@cam.ac.uk

On 15 Feb 2013, at 01:23, richard@python.org wrote:
TL;DR: please log into PyPI and change your password.
Dear PyPI user iwm21,
Recently we have been auditing and improving security of the Python Package Index (PyPI) and other python.org hosts.
You may be aware that the wiki.python.org host was compromised. Since we must assume that all passwords stored in that system are also compromised, and we also assume that some users share passwords between python.org systems, I will be performing a password reset of all PyPI accounts in one week's time, at 2013-02-22 00:00 UTC.
If you log in before that deadline and change your password then you'll be fine, otherwise you'll need to use the password recovery form after the reset has occurred.
Additionally, I ask you to begin to access PyPI using HTTPS through the web. We're in the process of installing a new SSL certificate so the current Big Red Certificate Warning should go away very soon.
We are in the process of updating the Python packaging toolset to use HTTPS.
These steps are but a couple of those we're intending to take to better secure PyPI. If you are interested in these matters I encourage you to participate in the discussion on the catalog SIG:
http://mail.python.org/mailman/listinfo/catalog-sig
Finally, I apologise for any inconvenience these changes have caused.
Richard Jones <richard@python.org> PyPI Maintainer
On Sat, Feb 16, 2013, Ian Mackey wrote:
I went through the procedure more than once and have received nothing on my e-mail account.
How long might I have to wait
If you haven't received any response, please ask on the catalog-sig mailing list, pydotorg-www doesn't have any special information.
--
Aahz (aahz@pythoncraft.com) <*> http://www.pythoncraft.com/

"Times are bad. Children no longer obey their parents, and everyone is writing a book." --Cicero
On 20.02.13 05:55, Aahz wrote:
On Sat, Feb 16, 2013, Ian Mackey wrote:
I went through the procedure more than once and have received nothing on my e-mail account.
How long might I have to wait
If you haven't received any response, please ask on the catalog-sig mailing list, pydotorg-www doesn't have any special information.
More specifically, please submit a support request to the issue tracker (linked from the PyPI page); state what email address you believe to be using, so we can verify that this is actually in PyPI's database.

Regards,
Martin
* "Martin v. Löwis" <martin@v.loewis.de>:
On 20.02.13 05:55, Aahz wrote:
On Sat, Feb 16, 2013, Ian Mackey wrote:
I went through the procedure more than once and have received nothing on my e-mail account.
How long might I have to wait
If you haven't received any response, please ask on the catalog-sig mailing list, pydotorg-www doesn't have any special information.
More specifically, please submit a support request to the issue tracker (linked from the PyPI page); state what email address you believe to be using, so we can verify that this is actually in PyPI's database.
And of course I can check and see if the mail actually went out :)
Yes, it went out:
Feb 15 02:23:32 albatross postfix/smtpd[12681]: 3Z6cDh53gbzSpQ: client=localhost[127.0.0.1]
Feb 15 02:23:32 albatross postfix/cleanup[12365]: 3Z6cDh53gbzSpQ: warning: header From: richard@python.org from localhost[127.0.0.1]; from=<richard@python.org> to=<iwm21@cam.ac.uk> proto=ESMTP helo=<albatross.python.org>
Feb 15 02:23:32 albatross postfix/cleanup[12365]: 3Z6cDh53gbzSpQ: warning: header Subject: PyPI security notice from localhost[127.0.0.1]; from=<richard@python.org> to=<iwm21@cam.ac.uk> proto=ESMTP helo=<albatross.python.org>
Feb 15 02:23:32 albatross postfix/cleanup[12365]: 3Z6cDh53gbzSpQ: message-id=<20130215012332.9245932A0@virt-oku3tm.psf.osuosl.org>
Feb 15 02:23:32 albatross postfix/qmgr[5832]: 3Z6cDh53gbzSpQ: from=<richard@python.org>, size=3601, nrcpt=1 (queue active)
Feb 15 02:23:32 albatross postfix/smtpd[18392]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 3Z6cDh53gbzSpQ; from=<richard@python.org> to=<iwm21@cam.ac.uk> proto=ESMTP helo=<virt-oku3tm.psf.osuosl.org>
see --> Feb 15 02:23:34 albatross postfix/smtp[29350]: 3Z6cDh53gbzSpQ: to=<iwm21@cam.ac.uk>, relay=mx.cam.ac.uk[131.111.8.148]:25, delay=1.9, delays=0.1/0/0.16/1.7, dsn=2.0.0, status=sent (250 OK id=1U6A1V-0000iN-WN)
Feb 15 02:23:34 albatross postfix/qmgr[5832]: 3Z6cDh53gbzSpQ: removed

All times are GMT+1 (=CET).
--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
ralf.hildebrandt@charite.de
Campus Benjamin Franklin
http://www.charite.de
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk
fon: +49-30-450.570.155
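Added example, not part of the thread and not python.org tooling: a small Python tracer that follows a Postfix queue ID through log lines like those quoted above and reports whether the message was handed off to the recipient's MX. The first five log lines are copied from the message above; the last two (queue ID 3ZEXAMPLE0001, example.org, 192.0.2.25) are constructed to show a deferral, and the names trace and handed_off are made up for this example.

```python
import re

# Log lines copied from the message above (header-warning and proxy-accept lines omitted).
# The last two lines are constructed: queue ID, recipient and host are made up.
LOG = """\
Feb 15 02:23:32 albatross postfix/smtpd[12681]: 3Z6cDh53gbzSpQ: client=localhost[127.0.0.1]
Feb 15 02:23:32 albatross postfix/cleanup[12365]: 3Z6cDh53gbzSpQ: message-id=<20130215012332.9245932A0@virt-oku3tm.psf.osuosl.org>
Feb 15 02:23:32 albatross postfix/qmgr[5832]: 3Z6cDh53gbzSpQ: from=<richard@python.org>, size=3601, nrcpt=1 (queue active)
Feb 15 02:23:34 albatross postfix/smtp[29350]: 3Z6cDh53gbzSpQ: to=<iwm21@cam.ac.uk>, relay=mx.cam.ac.uk[131.111.8.148]:25, delay=1.9, delays=0.1/0/0.16/1.7, dsn=2.0.0, status=sent (250 OK id=1U6A1V-0000iN-WN)
Feb 15 02:23:34 albatross postfix/qmgr[5832]: 3Z6cDh53gbzSpQ: removed
Feb 15 02:24:01 albatross postfix/qmgr[5832]: 3ZEXAMPLE0001: from=<richard@python.org>, size=3601, nrcpt=1 (queue active)
Feb 15 02:24:05 albatross postfix/smtp[29351]: 3ZEXAMPLE0001: to=<user@example.org>, relay=none, delay=4, delays=0.1/0/4/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.25]:25: Connection timed out)
"""

LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
DELIVERY = re.compile(r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*?"
                      r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reply>.*)\)$")

def trace(log_text):
    """Group Postfix log lines by queue ID and summarise each message."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg = msgs.setdefault(m["qid"], {"sender": None, "removed": False, "deliveries": {}})
        rest = m["rest"]
        if m["svc"] == "qmgr" and rest.startswith("from=<"):
            msg["sender"] = rest[6:rest.index(">")]
        elif m["svc"] == "qmgr" and rest == "removed":
            msg["removed"] = True
        elif (d := DELIVERY.match(rest)):
            # A later attempt for the same recipient overwrites an earlier one.
            msg["deliveries"][d["rcpt"]] = {k: d[k] for k in ("relay", "dsn", "status", "reply")}
    return msgs

def handed_off(msg, rcpt):
    """True only if the remote MX accepted the mail (2.x.x DSN) and the queue entry is gone."""
    d = msg["deliveries"].get(rcpt)
    return bool(d and d["status"] == "sent" and d["dsn"].startswith("2.") and msg["removed"])
```

A status=sent entry with a 2.x.x DSN shows only that the recipient's mail exchanger accepted the message; any filtering after that point (spam folder, quarantine) is not visible in the sending host's log.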
Check your spam folder.

On Feb 16, 2013 7:41 PM, "Ian Mackey" <iwm21@cam.ac.uk> wrote:
I went through the procedure more than once and have received nothing on my e-mail account.
How long might I have to wait
---
Ian Mackey
Network Services Manager
University Computing Service - University of Cambridge
New Museums Site
Pembroke Street
Cambridge CB2 3QH
Tel:[+44/0]1223 768963
e-mail: iwm21@cam.ac.uk
On 15 Feb 2013, at 01:23, richard@python.org wrote:
TL;DR: please log into PyPI and change your password.
Dear PyPI user iwm21,
Recently we have been auditing and improving security of the Python Package Index (PyPI) and other python.org hosts.
You may be aware that the wiki.python.org host was compromised. Since we must assume that all passwords stored in that system are also compromised, and we also assume that some users share passwords between python.org systems, I will be performing a password reset of all PyPI accounts in one week's time, at 2013-02-22 00:00 UTC.
If you log in before that deadline and change your password then you'll be fine, otherwise you'll need to use the password recovery form after the reset has occurred.
Additionally, I ask you to begin to access PyPI using HTTPS through the web. We're in the process of installing a new SSL certificate so the current Big Red Certificate Warning should go away very soon.
We are in the process of updating the Python packaging toolset to use HTTPS.
These steps are but a couple of those we're intending to take to better secure PyPI. If you are interested in these matters I encourage you to participate in the discussion on the catalog SIG:
http://mail.python.org/mailman/listinfo/catalog-sig
Finally, I apologise for any inconvenience these changes have caused.
Richard Jones <richard@python.org> PyPI Maintainer
_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
http://mail.python.org/mailman/listinfo/pydotorg-www

participants (5): "Martin v. Löwis", Aahz, Anthony Baxter, Ian Mackey, Ralf Hildebrandt