[Catalog-sig] [distutils] make the storage of the password optional in .pypirc

"Martin v. Löwis" martin at v.loewis.de
Sun Jan 11 04:35:36 CET 2009


>> That is much less secure than the current
>> setup, in the sense that this program can probably be tricked much more easily
>> than Apache can. So it opens a door for people hacking into the system;
>> all they have to do is to create a fake PyPI account and upload an SSH
>> key...
> 
> Zope has been using the 'command=' bit to do SSH-protected CVS / SVN
> access since 2000 with a lot of success; 370+ committers have keys on
> the system. The command being executed is actually a small shell
> script, which barfs if the program being run is not one of 'svn', 'cvs',
> or 'scp' (for uploading tarballs).

Well, then good luck that nobody has tried to hack your script. E.g.,
might it work that I somehow manage to upload an svn binary onto your
system (e.g. by first checking it in, and relying on an automated
checkout process that runs somewhere), then invoke this binary through
the shell account?

> Not only are PyPI passwords stored in the clear on users' hard drives,
> they are sent in the clear on every authenticated request to the web
> interface (basic auth over unencrypted HTTP): it seems to me we ought
> to worry about both those issues more.

Perhaps. Contributions are welcome.

Regards,
Martin
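
The forced-command wrapper discussed in this exchange, written here as an added example (it is not Zope's script, and the names vcs-shell and /usr/bin/{svn,cvs,scp} are assumptions). It addresses Martin's concern directly: the binary that runs is chosen from a fixed server-side table, never from the path the client supplies, and command lines containing shell metacharacters are refused before anything is executed.

```shell
#!/bin/sh
# Added example, not Zope's actual script: a forced-command wrapper for an
# authorized_keys line such as
#   command="/usr/local/bin/vcs-shell",no-pty,no-port-forwarding ssh-rsa AAAA...
# sshd places the client's requested command line in SSH_ORIGINAL_COMMAND.

# The allowlist maps a bare program name to a fixed server-side path. The
# path the client names is never executed, so an "svn" binary that lands in
# a checkout directory cannot be run through this account.
# (svn+ssh:// clients actually request "svnserve -t"; add it if that is used.)
resolve_allowed() {
    case "$1" in
        svn) echo /usr/bin/svn ;;
        cvs) echo /usr/bin/cvs ;;
        scp) echo /usr/bin/scp ;;
        *)   return 1 ;;
    esac
}

# Exit status 0 if the requested command line may run, 1 otherwise.
check_command() {
    cmdline=$1
    [ -n "$cmdline" ] || return 1
    # Character allowlist: anything outside it (; | & $ ` quotes, newlines)
    # is rejected outright, so arguments cannot smuggle in a second command.
    stripped=$(printf '%s' "$cmdline" | tr -d 'A-Za-z0-9 ./_:@=+-')
    [ -z "$stripped" ] || return 1
    prog=${cmdline%% *}
    # A program given with a directory part is refused, not normalised:
    # the client chooses a name, the server chooses the binary.
    case "$prog" in */*) return 1 ;; esac
    resolve_allowed "$prog" >/dev/null
}

run_forced_command() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if ! check_command "$req"; then
        echo "vcs-shell: command not permitted" >&2
        exit 1
    fi
    set -f            # no globbing while the line is split into words
    # shellcheck disable=SC2086
    set -- $req
    bin=$(resolve_allowed "$1")
    shift
    exec "$bin" "$@"
}

# Dispatch only when running under sshd (which sets SSH_CONNECTION);
# sourcing this file elsewhere, e.g. for testing, just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then run_forced_command; fi
```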
