[Catalog-sig] Mandatory Reset of PyPI Passwords

Richard Jones richard at python.org
Wed Feb 13 12:14:57 CET 2013


On 13 February 2013 05:10, Jacob Kaplan-Moss <jacob at jacobian.org> wrote:
> On Tue, Feb 12, 2013 at 6:31 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
>> Since the wiki.python.org database was likely compromised and it was using a
>> weak hash we should probably assume that all passwords in there have been leaked.
>> Because of this I want to formally propose that PyPI reset its passwords.
>
> I agree -- please do, sooner rather than later.
>
> If I was the Benevolent Ops Person for PyPI I would reset them
> immediately and deal with the fallout. But I'm not the one who'd get
> angry emails, so any amount of grace period that Richard/MvL/etc won't
> get any argument from me.

My intention is to:

1. deploy the passlib improvements (which have been merged but not tested),
2. fix the email password reset debacle (mostly written, not tested),
3. send email to all registered users indicating that all users must
change their password and a forced reset will take place in a week's
time for users who have not done so, and
4. add some additional admin tools to make handling the broken-email
stragglers easier.

Oh, and if I can find the spare few cycles necessary along the way,

5. add automated email sent to package role holders (maintainers and
owners) when their package is updated in any way.


    Richard
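The reset flow sketched in the message above (new strong hashes, a notice, and a forced reset after a week for anyone who has not changed their password), as an added example that is not PyPI's or passlib's code. The `scheme$...` hash format, the user records, NOTICE_DATE and the one-week GRACE are constructed assumptions.

```python
# Added example (not PyPI's code): a forced-reset gate for the plan above.
# Assumptions: hashes are stored as "scheme$..." strings, the notice goes out
# on NOTICE_DATE, and users who have not changed their password within GRACE
# of that date are locked out until they complete a reset.
import hashlib
import hmac
import os
from datetime import date, timedelta

STRONG_SCHEME = "pbkdf2_sha256"          # the only scheme new hashes use
LEGACY_SCHEMES = {"md5", "sha1"}         # unsalted digests; assumed weak
NOTICE_DATE = date(2013, 2, 13)          # assumed date of the reset email
GRACE = timedelta(days=7)                # "a week's time" from the message

def hash_password(password, salt=None, rounds=100_000):
    """Return a self-describing hash: pbkdf2_sha256$rounds$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{STRONG_SCHEME}${rounds}${salt.hex()}${digest.hex()}"

def verify(password, stored):
    """Constant-time check of a password against either hash format."""
    scheme, rest = stored.split("$", 1)
    if scheme == STRONG_SCHEME:
        rounds, salt_hex, digest_hex = rest.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(calc.hex(), digest_hex)
    if scheme in LEGACY_SCHEMES:         # legacy: scheme$hexdigest, no salt
        calc = hashlib.new(scheme, password.encode()).hexdigest()
        return hmac.compare_digest(calc, rest)
    return False                         # unknown scheme: never accept

def login_status(user, password, today):
    """'denied', 'ok', 'change-required' (grace week) or 'reset-required'."""
    changed = user["password_changed"] >= NOTICE_DATE
    if not changed and today >= NOTICE_DATE + GRACE:
        return "reset-required"          # old credential no longer accepted
    if not verify(password, user["hash"]):
        return "denied"
    if not changed or not user["hash"].startswith(STRONG_SCHEME + "$"):
        return "change-required"         # let them in, but demand a new password
    return "ok"

def change_password(user, new_password, today):
    """Complete the reset: store a strong hash and record the change date."""
    user["hash"] = hash_password(new_password)
    user["password_changed"] = today
    return user
```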

