[Catalog-sig] Pull request to migrate PyPI to bcrypt

Jesse Noller jnoller at gmail.com
Mon Feb 11 13:25:51 CET 2013
On Feb 11, 2013, at 7:05 AM, Giovanni Bajo <rasky at develer.com> wrote:

> On 11/feb/2013, at 12:27, Jesse Noller <jnoller at gmail.com> wrote:
> 
>> Ok, that has to be made clear to the poor guy merging the PR
>> 
>> I'm also fine with Christian's migration path; I share his concerns about your approach.
> 
> 
> This is harder to fix. Christian's main concern is that he doesn't trust me and my proposed solution because he didn't see it elsewhere. I saw it mentioned many times around, but I think that, at the end of the day, that's a red herring: the point is that I'm not in his (and/or your) trust circle, but that's fine, we can still find a way around it. It's probably useless for me to keep arguing though.
> 
> I think that a migration path on login from an unsalted SHA1 is completely wrong, so I have a proposal: I will submit it if we agree on resetting all the passwords immediately; or within a short timeframe (eg: 2 months), and notify all the users to login once as soon as possible (so after 2 months we reset passwords of users who haven't logged in).
> 
> Would that work?

Actually I was thinking about this in the shower: the likelihood that pypi users used the same passwords as they did on the wiki is probably much higher than any of us assume.

I'm in favor of an immediate reset if possible


> -- 
> Giovanni Bajo   ::  rasky at develer.com
> Develer S.r.l.  ::  http://www.develer.com
> 
> My Blog: http://giovanni.bajo.it
> 
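The two migration strategies discussed in this thread (rehash on the next successful login versus a forced reset after a short window) can be combined into one rule set. The following is an added example, not code from PyPI or from anyone on this list, and it makes these assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the script runs without extra packages (a real deployment would call the bcrypt package); the sample user table and passwords are constructed; and the grace window is 60 days, matching the "eg: 2 months" figure above. Time is modelled as an integer number of days since the migration started.

```python
import hashlib
import hmac
import os

# Constructed sample of a legacy table: unsalted SHA1 hex digests, the scheme
# the thread wants to get rid of. Users and passwords here are hypothetical.
def legacy_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

SAMPLE_USERS = {
    "alice": {"scheme": "sha1", "hash": legacy_sha1("alice-old-password")},
    "bob":   {"scheme": "sha1", "hash": legacy_sha1("bob-old-password")},
}

# PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption, see lead-in).
ITERATIONS = 100_000
GRACE_DAYS = 60  # forced reset for accounts not migrated by then (assumption)

def strong_hash(password: str, salt: bytes = None) -> str:
    """Salted, slow hash in a self-describing 'scheme$iters$salt$dk' string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_strong(stored: str, password: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

class UserStore:
    """In-memory user table implementing migrate-on-login plus a hard deadline."""

    def __init__(self, users, grace_days: int = GRACE_DAYS):
        # Copy so the module-level sample stays untouched between runs.
        self.users = {u: dict(rec) for u, rec in users.items()}
        self.deadline = grace_days

    def login(self, username: str, password: str, day: int) -> bool:
        rec = self.users.get(username)
        if rec is None or rec["scheme"] == "reset":
            return False
        if rec["scheme"] == "sha1":
            # Legacy hashes are only honoured inside the grace window, even if
            # the batch reset has not run yet.
            if day >= self.deadline:
                return False
            if not hmac.compare_digest(legacy_sha1(password), rec["hash"]):
                return False
            # Successful login: the plaintext is in hand, so rehash now and
            # drop the unsalted SHA1 for good.
            rec["scheme"] = "pbkdf2_sha256"
            rec["hash"] = strong_hash(password)
            return True
        return verify_strong(rec["hash"], password)

    def reset_unmigrated(self, day: int) -> list:
        """After the deadline, invalidate every account still on SHA1.

        Returns the usernames that now need an out-of-band password reset."""
        if day < self.deadline:
            return []
        reset = []
        for username, rec in self.users.items():
            if rec["scheme"] == "sha1":
                rec["scheme"] = "reset"
                rec["hash"] = None
                reset.append(username)
        return reset

if __name__ == "__main__":
    store = UserStore(SAMPLE_USERS)
    print("alice day 0:", store.login("alice", "alice-old-password", 0))
    print("alice scheme now:", store.users["alice"]["scheme"])
    print("reset at day 60:", store.reset_unmigrated(60))
```

The point of the `day >= self.deadline` check inside `login` is that the deadline is enforced at verification time, not only by the batch job: an attacker who obtained the old table gets no extra time from a reset job that runs late. Accounts that logged in during the window never need the reset because their rows already carry the new scheme.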