[Catalog-sig] Mandatory Reset of PyPI Passwords
Antoine Pitrou
solipsis at pitrou.net
Mon Feb 18 20:42:34 CET 2013
Donald Stufft <donald.stufft <at> gmail.com> writes:
>
> The reason I believe we should reset is because there is a high likelihood that
> people used the same login/password on PyPI as they did on wiki.python.org and
> thus even if we migrate to a stronger hash many accounts may be already
> compromised, or will be in the future.

For the record, the password reset is a UI trainwreck when using distutils
(2.7 version):

$ python setup.py register
running register
running check
Registering pathlib to http://pypi.python.org/pypi
Server response (401): basic auth failed

I now remove the "pypi" section from .pypirc in the hope it'll trigger a new
password prompt:

$ python setup.py register
running register
Traceback (most recent call last):
  File "setup.py", line 28, in <module>
    url='http://readthedocs.org/docs/pathlib/',
  File "/usr/lib64/python2.7/distutils/core.py", line 152, in setup
    dist.run_commands()
  File "/usr/lib64/python2.7/distutils/dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "/usr/lib64/python2.7/distutils/dist.py", line 972, in run_command
    cmd_obj.run()
  File "/usr/lib64/python2.7/distutils/command/register.py", line 47, in run
    self._set_config()
  File "/usr/lib64/python2.7/distutils/command/register.py", line 73, in _set_config
    config = self._read_pypirc()
  File "/usr/lib64/python2.7/distutils/config.py", line 73, in _read_pypirc
    current['username'] = config.get(server, 'username')
  File "/usr/lib64/python2.7/ConfigParser.py", line 567, in get
    raise NoSectionError(section)
ConfigParser.NoSectionError: No section: 'pypi'

Oh. I now recreate an empty "pypi" section in the config file:

$ python setup.py register
running register
Traceback (most recent call last):
  File "setup.py", line 28, in <module>
    url='http://readthedocs.org/docs/pathlib/',
  File "/usr/lib64/python2.7/distutils/core.py", line 152, in setup
    dist.run_commands()
  File "/usr/lib64/python2.7/distutils/dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "/usr/lib64/python2.7/distutils/dist.py", line 972, in run_command
    cmd_obj.run()
  File "/usr/lib64/python2.7/distutils/command/register.py", line 47, in run
    self._set_config()
  File "/usr/lib64/python2.7/distutils/command/register.py", line 73, in _set_config
    config = self._read_pypirc()
  File "/usr/lib64/python2.7/distutils/config.py", line 73, in _read_pypirc
    current['username'] = config.get(server, 'username')
  File "/usr/lib64/python2.7/ConfigParser.py", line 576, in get
    raise NoOptionError(option, section)
ConfigParser.NoOptionError: No option 'username' in section: 'pypi'

Ok, so I have to remove the whole config file for the thing to work (I may
lose other config data).

By the way, https://pypi.python.org/pypi still tells me "Please reset your
password before 2013-02-22" even though I've already changed my password.

Regards
Antoine.
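Added example, not part of the original message and not distutils code: one way to drop only the stale stored password from a .pypirc after a forced reset, keeping the section, its username and every other entry, and reporting the two conditions behind the tracebacks above. The function name and the sample file are constructed for illustration; it uses Python 3's configparser, and what distutils does once the password is absent is not assumed here.

```python
import configparser
import io

# Constructed sample .pypirc (not from the original message).
SAMPLE = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
username = alice
password = old-secret

[internal]
repository = https://pypi.example.invalid/
username = alice
password = other-secret
"""


def strip_stale_password(pypirc_text, server="pypi"):
    """Remove only the stored password for one server section.

    Returns (new_text, problems). problems lists the conditions that
    produced the two tracebacks above; the text is returned unchanged
    if the section itself is missing.
    """
    # RawConfigParser: no '%' interpolation, so passwords containing '%' parse.
    cp = configparser.RawConfigParser()
    cp.read_string(pypirc_text)
    problems = []
    if not cp.has_section(server):
        problems.append("no [%s] section (NoSectionError)" % server)
        return pypirc_text, problems
    if not cp.has_option(server, "username"):
        problems.append("no 'username' in [%s] (NoOptionError)" % server)
    cp.remove_option(server, "password")
    out = io.StringIO()
    cp.write(out)  # note: comments in the original file are not preserved
    return out.getvalue(), problems


if __name__ == "__main__":
    text, problems = strip_stale_password(SAMPLE)
    print(text)
    print(problems)
```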