[Distutils] Security issue with Distutils register is still actual

Jim Fulton jim at zope.com
Wed Nov 3 15:03:41 CET 2010

On Wed, Nov 3, 2010 at 9:58 AM, Jim Fulton <jim at zope.com> wrote:
> On Wed, Nov 3, 2010 at 7:35 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>> On Wed, Nov 3, 2010 at 10:47 AM, anatoly techtonik <techtonik at gmail.com> wrote:
>>> Hello,
>>> Does anybody care that PyPI password are stored in a well-known
>>> location in cleartext and developers are forced to store them when
>>> they submit packages for review?
>>> http://bugs.python.org/issue9995
>> We have hundreds of bugs to fix for distutils. If you propose a patch
>> + test, things will speed up.
>> There are already tests for various register/upload scenarii, so it
>> should not be hard to copy-paste one to create your test
> While that's usually a reasonable response, this isn't a bug.

I should have looked more carefully at the issue. The refusal to
use a password without storing it *is* a fairly narrow bug.

> This is a case where we need to come up with a better way of doing things.
> Someone needs to propose something and folks need to weigh in.

I would love to see a solution to the broader problem.

I really don't want to have to enter a password every time I
upload a package.

I guess a good solution would be to integrate with existing
password-management tools. This could be prototyped as an
a separate upload tool.


Jim Fulton

More information about the Distutils-SIG mailing list