[Catalog-sig] Mandatory Reset of PyPI Passwords

Richard Jones richard at python.org
Thu Feb 14 05:28:33 CET 2013


On 14 February 2013 11:42, Richard Jones <richard at python.org> wrote:
> On 14 February 2013 10:46, Giovanni Bajo <rasky at develer.com> wrote:
>> The package "itsdangerous" provides some drop-in crypto for sending a time-based token that doesn't need to be stored on your database (or wherever you're now storing the OTK). Up to you if it's worth it, since IIUC you've already implemented it.
>
> Thanks, I think I will use that instead of doing more database work.

I have now verified the password migration and password reset changes
on testpypi. Some (most) of the older UI isn't fantastic and could be
worked on but it's functional. I will look at deploying tomorrow:

1. I will be configuring passlib so it handles the older sha1
passwords but uses bcrypt for newly-entered passwords.
2. There will be no migration since new passwords will be in the
correct format and older ones will be nuked in a week.
3. I will send an email out once I've verified the live system is
functioning correctly which talks about the reset and reasoning behind
it.

The curious can see all of this in the pypi mercurial repository.

I have not had time to implement the email on package changes feature,
but will get onto that soon.


     Richard
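To make the two pieces of the plan above concrete, here is an added example (not code from the pypi repository or from the passlib or itsdangerous projects) of a legacy-aware password store plus a stateless, time-limited reset token. It uses only the standard library: `PasswordContext` stands in for passlib's CryptContext with the old unsalted SHA-1 hex digests marked as deprecated (scrypt from hashlib stands in for bcrypt, which the email actually chose), and `make_reset_token`/`verify_reset_token` mimic what itsdangerous provides, an HMAC over username and timestamp so nothing has to be stored in the database. `SECRET_KEY`, the `users` dict and all sample values are constructed for the demo.

```python
"""Legacy-aware password hashing plus stateless reset tokens (added example)."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumption: a real deployment loads this from configuration, never from source.
SECRET_KEY = b"constructed-secret-for-demo"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_reset_token(username: str, now: Optional[float] = None) -> str:
    """Return 'username.timestamp.mac'; the server stores nothing."""
    ts = int(now if now is not None else time.time())
    payload = f"{username}.{ts}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{payload.decode()}.{_b64(mac)}"


def verify_reset_token(token: str, max_age: int = 3600,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the username if the MAC checks out and the token is fresh, else None."""
    try:
        username, ts_text, mac_text = token.rsplit(".", 2)
        ts = int(ts_text)
        mac = _unb64(mac_text)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{username}.{ts}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or altered
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > max_age:
        return None  # from the future, or expired
    return username


class PasswordContext:
    """Verify legacy unsalted SHA-1 hex digests; hash new passwords with salted scrypt."""

    def hash(self, password: str) -> str:
        salt = os.urandom(16)
        digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
        return f"$scrypt${_b64(salt)}${_b64(digest)}"

    def identify(self, stored: str) -> str:
        if stored.startswith("$scrypt$"):
            return "scrypt"
        if len(stored) == 40 and all(c in "0123456789abcdef" for c in stored):
            return "sha1"  # the old PyPI format: hex(sha1(password)), no salt
        return "unknown"

    def verify(self, password: str, stored: str) -> bool:
        scheme = self.identify(stored)
        if scheme == "scrypt":
            _, _, salt_text, digest_text = stored.split("$")
            digest = hashlib.scrypt(password.encode(), salt=_unb64(salt_text),
                                    n=2 ** 14, r=8, p=1)
            return hmac.compare_digest(digest, _unb64(digest_text))
        if scheme == "sha1":
            return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)
        return False

    def needs_update(self, stored: str) -> bool:
        """True for anything not yet in the new scheme (i.e. the hashes to be nuked)."""
        return self.identify(stored) != "scrypt"


def reset_password(users: dict, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Apply a reset: valid token + known user -> store a new-format hash."""
    username = verify_reset_token(token, now=now)
    if username is None or username not in users:
        return False
    users[username] = PasswordContext().hash(new_password)
    return True


if __name__ == "__main__":
    # Constructed sample: one user still on the legacy sha1 format.
    users = {"alice": hashlib.sha1(b"old-pass").hexdigest()}
    ctx = PasswordContext()
    print("legacy verifies:", ctx.verify("old-pass", users["alice"]))
    print("needs update:", ctx.needs_update(users["alice"]))
    token = make_reset_token("alice")
    print("reset applied:", reset_password(users, token, "fresh-pass"))
    print("new hash verifies:", ctx.verify("fresh-pass", users["alice"]))
    print("needs update now:", ctx.needs_update(users["alice"]))
```

Because the token carries its own timestamp and MAC, the only server-side state a reset needs is the secret key; rotating that key invalidates every outstanding token at once, which is the trade-off against storing one-time keys in the database.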

