[Distutils] [Catalog-sig] [distutils] make the storage of the password optional in .pypirc
Jim Fulton
jim at zope.com
Fri Jan 9 21:57:55 CET 2009
On Jan 9, 2009, at 3:18 PM, Martin v. Löwis wrote:
>>>> Here's some: how about instead of an ssh-like system, use ssh itself. Front
>>>> PyPI with an ssh server that users connect to. That way it is both secure and
>>>> the infrastructure (agent, etc.) is already in place.
>>> Yes please. I'd rather have one agent running and reuse my SSH key for
>>> authentication.
>>
>> That would be awesome indeed. But that would involve quite some changes on
>> the server side. I'll forward this mail to catalog-sig for Richard, Martin and
>> others' feedback.
>
> I'm fairly skeptical. First, the infrastructure is *not* yet in place.
> Nobody has uploaded SSH keys to PyPI,
Right. PyPI would have to grow the ability to manage public keys for
users.
> and in order to allow SSH access,
> we probably would need to create a Unix account,
No, you would not.
> which then runs a fixed (Python) program on ssh login. That is much less
> secure than the current setup, in the sense that this program can probably
> be tricked much more easily than Apache can. So it opens a door for people
> hacking into the system; all they have to do is to create a fake PyPI
> account and upload an SSH key...
No. You'd have a new server process, written in Python using Twisted
or paramiko, that would provide a small number of specialized
commands and that would read public keys from the pypi database for
authentication and update the database in response to commands.
Jim
--
Jim Fulton
Zope Corporation
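An added example, not code from this thread or from PyPI, of the shape Jim sketches above: a dedicated server process with a fixed, tiny command set that authenticates SSH public keys against the PyPI database and updates that database in response. The transport-independent core uses only the standard library (sqlite3 stands in for the PyPI database, and the key blobs are constructed byte strings, not real keys); the paramiko binding at the end is optional and only loaded if paramiko is installed. The schema, the three commands, the hex SHA-256 fingerprint and the names `PyPIDB`, `CommandServer`, `PyPISSHServer` and `demo` are all assumptions made for illustration. It also shows why a fake account plus an uploaded key does not by itself buy an attacker anything: authentication binds a key to one account, and each command still checks ownership separately.

```python
# Added example (not from the thread): a fixed-command PyPI front end that
# authenticates SSH public keys from the database. Schema, commands and
# fingerprint scheme are assumptions for illustration.
import hashlib
import shlex
import sqlite3
import threading

try:
    import paramiko  # optional: only needed for the real SSH transport
except ImportError:
    paramiko = None

SCHEMA = """
CREATE TABLE users    (name TEXT PRIMARY KEY);
CREATE TABLE ssh_keys (fingerprint TEXT PRIMARY KEY, user TEXT NOT NULL REFERENCES users(name));
CREATE TABLE packages (name TEXT PRIMARY KEY, owner TEXT NOT NULL REFERENCES users(name));
CREATE TABLE releases (package TEXT, version TEXT, sha256 TEXT, PRIMARY KEY (package, version));
"""


def fingerprint(key_blob: bytes) -> str:
    """Lookup key for a public key: hex SHA-256 of its wire-format blob (assumed scheme)."""
    return hashlib.sha256(key_blob).hexdigest()


class PyPIDB:
    """Stand-in for the PyPI database: users, their public keys, packages, releases."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)

    def add_user(self, name):
        self.conn.execute("INSERT INTO users VALUES (?)", (name,))

    def add_key(self, user, key_blob):
        self.conn.execute("INSERT INTO ssh_keys VALUES (?, ?)", (fingerprint(key_blob), user))

    def user_for_key(self, key_blob):
        row = self.conn.execute("SELECT user FROM ssh_keys WHERE fingerprint = ?",
                                (fingerprint(key_blob),)).fetchone()
        return row[0] if row else None

    def owner_of(self, package):
        row = self.conn.execute("SELECT owner FROM packages WHERE name = ?", (package,)).fetchone()
        return row[0] if row else None


class CommandServer:
    """The 'small number of specialized commands': no shell, no filesystem, no eval."""

    def __init__(self, db):
        self.db = db

    def authenticate(self, claimed_user, key_blob):
        # The key must be on file AND belong to the claimed username. A key uploaded
        # under a fresh fake account can only ever authenticate as that account.
        return self.db.user_for_key(key_blob) == claimed_user

    def run(self, user, line):
        try:
            argv = shlex.split(line)
        except ValueError:
            return "ERR bad quoting"
        if not argv or argv[0] not in self.COMMANDS:
            return "ERR unknown command"  # 'sh', 'python', etc. are not commands here
        return self.COMMANDS[argv[0]](self, user, argv[1:])

    def cmd_list(self, user, args):
        rows = self.db.conn.execute("SELECT name FROM packages WHERE owner = ? ORDER BY name", (user,))
        return "OK " + " ".join(r[0] for r in rows)

    def cmd_register(self, user, args):
        if len(args) != 1:
            return "ERR usage: register NAME"
        if self.db.owner_of(args[0]) is not None:
            return "ERR %s already exists" % args[0]
        self.db.conn.execute("INSERT INTO packages VALUES (?, ?)", (args[0], user))
        return "OK registered %s" % args[0]

    def cmd_upload(self, user, args):
        if len(args) != 3:
            return "ERR usage: upload NAME VERSION SHA256"
        pkg, version, digest = args
        if self.db.owner_of(pkg) != user:  # authorization is separate from authentication
            return "ERR not owner of %s" % pkg
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            return "ERR bad sha256"
        try:
            self.db.conn.execute("INSERT INTO releases VALUES (?, ?, ?)", (pkg, version, digest))
        except sqlite3.IntegrityError:
            return "ERR release %s %s already exists" % (pkg, version)
        return "OK uploaded %s %s" % (pkg, version)

    COMMANDS = {"list": cmd_list, "register": cmd_register, "upload": cmd_upload}


if paramiko is not None:
    class PyPISSHServer(paramiko.ServerInterface):
        """Binds the core to paramiko: public-key auth only, exec only, no shell or pty."""

        def __init__(self, core):
            self.core, self.user = core, None

        def get_allowed_auths(self, username):
            return "publickey"

        def check_auth_publickey(self, username, key):
            if self.core.authenticate(username, key.asbytes()):
                self.user = username
                return paramiko.AUTH_SUCCESSFUL
            return paramiko.AUTH_FAILED

        def check_channel_request(self, kind, chanid):
            if kind == "session":
                return paramiko.OPEN_SUCCEEDED
            return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

        def check_channel_shell_request(self, channel):
            return False  # never hand out a shell

        def check_channel_exec_request(self, channel, command):
            def reply():
                out = self.core.run(self.user, command.decode("utf-8", "replace"))
                channel.sendall(out.encode() + b"\n")
                channel.send_exit_status(0)
                channel.close()
            threading.Thread(target=reply, daemon=True).start()
            return True


def demo():
    """Constructed scenario: alice owns a package; mallory has a fake account and a key."""
    db = PyPIDB()
    core = CommandServer(db)
    alice_key = b"ssh-ed25519 constructed-alice-blob"      # constructed, not a real key
    mallory_key = b"ssh-ed25519 constructed-mallory-blob"  # constructed, not a real key
    for user, key in (("alice", alice_key), ("mallory", mallory_key)):
        db.add_user(user)
        db.add_key(user, key)
    return {
        "alice_auth": core.authenticate("alice", alice_key),
        "mallory_as_alice": core.authenticate("alice", mallory_key),
        "register": core.run("alice", "register zope.interface"),
        "upload": core.run("alice", "upload zope.interface 3.5.0 " + "ab" * 32),
        "hijack": core.run("mallory", "upload zope.interface 3.5.1 " + "00" * 32),
        "shell": core.run("mallory", "sh -c id"),
        "list": core.run("alice", "list"),
    }
```

The exec handler replies on its own thread so the transport thread is never blocked, and the only thing the SSH layer ever does with client input is pass it to `CommandServer.run`, which rejects anything outside its three commands; Martin's "fake PyPI account plus SSH key" therefore gets exactly the same surface an HTTP user with a fresh account gets today.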