[Catalog-sig] Mandatory Reset of PyPI Passwords

Giovanni Bajo rasky at develer.com
Wed Feb 13 12:32:14 CET 2013


On 13 Feb 2013, at 12:14, Richard Jones <richard at python.org> wrote:
> 
> 2. fix the email password reset debacle (mostly written, not tested),

Is this committed anywhere I can take a look?

> 5. add automated email sent to package role holders (maintainers and
> owners) when their package is updated in any way.

In my doc (task #12) I propose using a separate per-package security email, and in fact I was also proposing to ask for confirmation by email, rather than just sending a notification.

Basically, PyPI would warn the maintainer that the requested action is a security change for the package, and that it needs to be confirmed through a link sent to the security email. A security email would be an email address associated with each package, which must be different from the maintainer's email (possibly even on a different domain, in fact, though I'm not sure we want to enforce that rather than just suggest it). The email text must say "user X has requested change Y to package Z. If you are user X, click here to approve it". Only the maintainer who originated the change request can approve it through the link. The email can be an alias that forwards to different maintainers, though.

Changing the security email would also require a security confirmation, of course.

As a transition, we can send such an email to the maintainer's email, with a footer/header suggesting that they register a security email for the package.
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
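The confirmation flow proposed above, as an added worked example; this is not PyPI code or anything from the thread, and the `Package`, `ChangeConfirmation` classes, the `https://pypi.example/confirm` endpoint and the in-memory outbox standing in for SMTP are all hypothetical. It shows the pieces a practitioner would want: the link is a random single-use token with an expiry, stored only as a hash so a leaked pending-change table yields no usable links; the mail goes to the package's security email, falling back to the maintainer's address with the "please register a security email" footer during the transition; the link alone is not enough, since the logged-in approver must be the user who originated the request; and changing the security email is itself a confirmed change, sent to the old address.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple


@dataclass
class Package:
    name: str
    maintainers: Set[str]
    maintainer_email: str
    security_email: Optional[str] = None   # registered separately from the maintainer's address


@dataclass
class PendingChange:
    user: str                # who asked for the change; only they may approve it
    package: str
    change: Tuple[str, str]  # e.g. ("add_maintainer", "bob") or ("set_security_email", "sec@x")
    expires: float
    used: bool = False


class ChangeConfirmation:
    """Issue and redeem single-use confirmation links for package security changes (hypothetical)."""

    def __init__(self, packages: dict, ttl: int = 3600,
                 now: Callable[[], float] = time.time):
        self.packages = packages
        self._ttl = ttl
        self._now = now                       # injectable clock, so expiry can be tested
        self._pending: dict = {}              # keyed by sha256(token), never by the raw token
        self.outbox: list = []                # (recipient, body) pairs; stands in for SMTP

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is kept server-side; the raw token exists only in the email.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, user: str, package: str, change: Tuple[str, str]) -> str:
        pkg = self.packages[package]
        if user not in pkg.maintainers:
            raise PermissionError(f"{user} is not a maintainer of {package}")
        kind, value = change
        if kind == "set_security_email" and value == pkg.maintainer_email:
            raise ValueError("the security email must differ from the maintainer email")
        token = secrets.token_urlsafe(32)     # 256 bits of randomness, unguessable
        self._pending[self._key(token)] = PendingChange(
            user, package, change, self._now() + self._ttl)
        link = f"https://pypi.example/confirm?token={token}"   # hypothetical endpoint
        body = (f"User {user} has requested change {change!r} to package {package}. "
                f"If you are {user}, click here to approve it: {link}")
        if pkg.security_email is None:
            # Transition: no security email registered yet, so mail the maintainer
            # and suggest registering one.
            recipient = pkg.maintainer_email
            body += "\n\nPlease register a security email for this package."
        else:
            recipient = pkg.security_email
        self.outbox.append((recipient, body))
        return token

    def approve(self, logged_in_user: str, token: str) -> Tuple[bool, str]:
        p = self._pending.get(self._key(token))
        if p is None:
            return False, "unknown token"
        if p.used:
            return False, "link already used"
        if self._now() > p.expires:
            return False, "link expired"
        if logged_in_user != p.user:
            # The alias may forward the mail to several maintainers; possession of the
            # link is not enough, the approver must be the user who requested the change.
            return False, "only the requesting user can approve this change"
        p.used = True
        self._apply(p)
        return True, f"{p.change!r} applied to {p.package}"

    def _apply(self, p: PendingChange) -> None:
        pkg = self.packages[p.package]
        kind, value = p.change
        if kind == "add_maintainer":
            pkg.maintainers.add(value)
        elif kind == "set_security_email":
            # Reached only after confirmation was sent to the previous security
            # email (or the maintainer, during transition), as the proposal requires.
            pkg.security_email = value
        else:
            raise ValueError(f"unknown change kind {kind!r}")
```

A real deployment would back `_pending` with a database table and the outbox with a mailer, but the checks in `approve` are the ones that matter: hashed lookup, single use, expiry, and the identity of the logged-in approver.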
