[Catalog-sig] Mandatory Reset of PyPI Passwords

Antoine Pitrou solipsis at pitrou.net
Mon Feb 18 20:42:34 CET 2013


Donald Stufft <donald.stufft <at> gmail.com> writes:
> 
> The reason I believe we should reset is because there is a high likelihood that
> people used the same login/password on PyPI as they did on wiki.python.org and
> thus even if we migrate to a stronger hash many accounts may be already
> compromised, or will be in the future.

For the record, the password reset is a UI trainwreck when using distutils
(2.7 version):

$ python setup.py register
running register
running check
Registering pathlib to http://pypi.python.org/pypi
Server response (401): basic auth failed


I now remove the "pypi" section from .pypirc in the hope it'll trigger a new 
password prompt:

$ python setup.py register 
running register
Traceback (most recent call last):
  File "setup.py", line 28, in <module>
    url='http://readthedocs.org/docs/pathlib/',
  File "/usr/lib64/python2.7/distutils/core.py", line 152, in setup
    dist.run_commands()
  File "/usr/lib64/python2.7/distutils/dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "/usr/lib64/python2.7/distutils/dist.py", line 972, in run_command
    cmd_obj.run()
  File "/usr/lib64/python2.7/distutils/command/register.py", line 47, in run
    self._set_config()
  File "/usr/lib64/python2.7/distutils/command/register.py", line 73, in _set_config
    config = self._read_pypirc()
  File "/usr/lib64/python2.7/distutils/config.py", line 73, in _read_pypirc
    current['username'] = config.get(server, 'username')
  File "/usr/lib64/python2.7/ConfigParser.py", line 567, in get
    raise NoSectionError(section)
ConfigParser.NoSectionError: No section: 'pypi'


Oh. I now recreate an empty "pypi" section in the config file:

$ python setup.py register 
running register
Traceback (most recent call last):
  File "setup.py", line 28, in <module>
    url='http://readthedocs.org/docs/pathlib/',
  File "/usr/lib64/python2.7/distutils/core.py", line 152, in setup
    dist.run_commands()
  File "/usr/lib64/python2.7/distutils/dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "/usr/lib64/python2.7/distutils/dist.py", line 972, in run_command
    cmd_obj.run()
  File "/usr/lib64/python2.7/distutils/command/register.py", line 47, in run
    self._set_config()
  File "/usr/lib64/python2.7/distutils/command/register.py", line 73, in _set_config
    config = self._read_pypirc()
  File "/usr/lib64/python2.7/distutils/config.py", line 73, in _read_pypirc
    current['username'] = config.get(server, 'username')
  File "/usr/lib64/python2.7/ConfigParser.py", line 576, in get
    raise NoOptionError(option, section)
ConfigParser.NoOptionError: No option 'username' in section: 'pypi'


Ok, so I have to remove the whole config file for the thing to work (I may
lose other config data).

By the way, https://pypi.python.org/pypi still tells me "Please reset your 
password before 2013-02-22" even though I've already changed my password.

Regards

Antoine.
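
An added example, not part of the original message and not distutils code: it removes only the stored password for one server from a .pypirc while keeping every other section, and reports which index-servers entries would hit the two failing lookups in the tracebacks above (missing section, missing username). It assumes the usual [distutils] / index-servers layout and Python 3's configparser; the function names and the sample file are constructed for illustration.

```python
import configparser
import io

# Constructed sample ~/.pypirc; every value here is made up.
SAMPLE = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
username = alice
password = old-secret

[internal]
repository = https://pypi.example.invalid/
username = alice
"""

def _parse(text):
    # RawConfigParser does no % interpolation, so values containing % survive.
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp

def drop_password(text, server="pypi"):
    """Return the config text without the stored password for `server`.

    Other sections and options are kept; comments in the file are not,
    because configparser does not round-trip them.
    """
    cp = _parse(text)
    if cp.has_section(server):
        cp.remove_option(server, "password")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

def lookup_problems(text):
    """List index-servers entries lacking a section or a username option."""
    cp = _parse(text)
    if not cp.has_option("distutils", "index-servers"):
        return []
    problems = []
    for server in cp.get("distutils", "index-servers").split():
        if not cp.has_section(server):
            problems.append((server, "no section"))
        elif not cp.has_option(server, "username"):
            problems.append((server, "no username"))
    return problems
```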