[Catalog-sig] Mandatory Reset of PyPI Passwords

Richard Jones richard at python.org
Thu Feb 14 01:42:45 CET 2013


On 14 February 2013 10:46, Giovanni Bajo <rasky at develer.com> wrote:
> The package "itsdangerous" provides some drop-in crypto for sending a time-based token that doesn't need to be stored on your database (or wherever you're now storing the OTK). Up to you if it's worth it, since IIUC you've already implemented it.

Thanks, I think I will use that instead of doing more database work.


> Task #12 applies to "security-related changes", for which a definition is given:
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit
> ==================================================
> We define as a “security-related” change any profile change in PyPI that allows a new GPG fingerprint to be valid for a given package. The currently identified security-related changes are:
>         • Modifying the GPG fingerprint in a package owner or maintainer profile.
>         • Adding a new owner or maintainer to a package
>         • Any change to the second-factor authentication system itself
> ==================================================
>
> So if your goal was to send an email when a new release is published, that's not a security-related change.

Thanks for the clarification. I'm having trouble accessing google docs
at the moment for some reason.


     Richard

