[Catalog-sig] [distutils] make the storage of the password optional in .pypirc

Tarek Ziadé ziade.tarek at gmail.com
Sun Jan 11 10:29:21 CET 2009


On Sun, Jan 11, 2009 at 4:35 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> Not only are PyPI passwords stored in the clear on users' hard drives,
>> they are sent in the clear on every authenticated request to the web
>> interface (basic auth over unencrypted HTTP): it seems to me we ought
>> to worry about both those issues more.
>
> Perhaps. Contributions are welcome.

Can we finish the PyPI mirroring contribution before we start this one?

(since you are our entry point on these topics, Martin)

I have finished my tests on my side, and I have a branch ready here:

https://svn.python.org/packages/branches/tarek-pypi/pypi/

I would like to make more tests with a realistic flow of data, and
I am waiting for some feedback/help on this work.

Here's how we could proceed:

Phase 1: proving non-regression

1 - I need access to the pypi log files produced by Apache
    (a simple browsable view of the log directory should be enough and
    not risky)

2 - On my side I can grab those files daily and put them on my
    PyPI server instance, and run the process as if I were on the real
    server.

3 - I will make this version reachable on my server, so we can check
    that there's no regression: the count of the packages that existed
    before the dump I had should be equal and grow the same way on both sides.

Phase 2: testing the mirroring

4 - I will maintain a fake "mirror" that will be registered and will
    provide realistic stats (a copy of the pypi Apache log, where I will
    keep just one hit per package file)

5 - We will validate that the global-stats and local-stats files
    generated are right, and that the counts are the sum of pypi and the
    mirror (pypi + 1).

If we can do that before PyCon, maybe the PyCon sprints could be the place where
we launch the mirroring and start the SSH project, if Jean-Paul and
others are willing to jump in?

Regards
Tarek

-- 
Tarek Ziadé | Association AfPy | www.afpy.org
Blog FR | http://programmation-python.org
Blog EN | http://tarekziade.wordpress.com/
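The stats check from steps 4 and 5 above, as an added example that is not part of the original message or of the PyPI code: it parses constructed Apache combined-log lines, counts successful downloads per package file for pypi, derives the "one hit per package file" mirror stats from a copy of the same log, and sums both into global stats. The `/packages/<pyversion>/<initial>/<project>/<filename>` path layout and the sample log lines are assumptions made here.

```python
import re
from collections import Counter

# Apache combined-log line; only method, path and status are used below.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed download-URL layout: /packages/<pyversion>/<initial>/<project>/<filename>
PKG_RE = re.compile(r'^/packages/[^/]+/[^/]+/(?P<project>[^/]+)/(?P<filename>[^/?]+)')

def parse_hits(log_text):
    """Return Counter {(project, filename): hits} for successful GET downloads."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'GET' or m.group('status') != '200':
            continue  # ignore non-downloads and failed requests (e.g. 404)
        p = PKG_RE.match(m.group('path'))
        if p:
            hits[(p.group('project'), p.group('filename'))] += 1
    return hits

def one_hit_per_file(hits):
    """Mirror stats as in step 4: a copy of the log reduced to one hit per file."""
    return Counter({key: 1 for key in hits})

def global_stats(local_stats_by_source):
    """Step 5: global stats are the sum of the local stats of pypi and each mirror."""
    total = Counter()
    for stats in local_stats_by_source.values():
        total.update(stats)
    return total

# Constructed sample log: three downloads of one file, one of another, one 404.
SAMPLE_LOG = """\
1.2.3.4 - - [11/Jan/2009:10:00:00 +0100] "GET /packages/source/f/foo/foo-1.0.tar.gz HTTP/1.1" 200 1234 "-" "ua"
1.2.3.5 - - [11/Jan/2009:10:01:00 +0100] "GET /packages/source/f/foo/foo-1.0.tar.gz HTTP/1.1" 200 1234 "-" "ua"
1.2.3.6 - - [11/Jan/2009:10:02:00 +0100] "GET /packages/source/f/foo/foo-1.0.tar.gz HTTP/1.1" 200 1234 "-" "ua"
1.2.3.7 - - [11/Jan/2009:10:03:00 +0100] "GET /packages/2.5/b/bar/bar-0.1-py2.5.egg HTTP/1.1" 200 999 "-" "ua"
1.2.3.8 - - [11/Jan/2009:10:04:00 +0100] "GET /packages/source/b/baz/baz-9.tar.gz HTTP/1.1" 404 0 "-" "ua"
"""

if __name__ == '__main__':
    pypi = parse_hits(SAMPLE_LOG)
    mirror = one_hit_per_file(parse_hits(SAMPLE_LOG))  # mirror log is a copy of pypi's
    print(global_stats({'pypi': pypi, 'mirror': mirror}))
```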

