[Distutils] Security issue with Distutils register is still actual

Tarek Ziadé ziade.tarek at gmail.com
Wed Nov 3 15:07:47 CET 2010


On Wed, Nov 3, 2010 at 3:03 PM, Jim Fulton <jim at zope.com> wrote:
> On Wed, Nov 3, 2010 at 9:58 AM, Jim Fulton <jim at zope.com> wrote:
>> On Wed, Nov 3, 2010 at 7:35 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>>> On Wed, Nov 3, 2010 at 10:47 AM, anatoly techtonik <techtonik at gmail.com> wrote:
>>>> Hello,
>>>>
>>>> Does anybody care that PyPI passwords are stored in a well-known
>>>> location in cleartext and developers are forced to store them when
>>>> they submit packages for review?
>>>> http://bugs.python.org/issue9995
>>>>
>>>
>>> We have hundreds of bugs to fix for distutils. If you propose a patch
>>> + test, things will speed up.
>>> There are already tests for various register/upload scenarios, so it
>>> should not be hard to copy-paste one to create your test.
>>
>> While that's usually a reasonable response, this isn't a bug.
>
> I should have looked more carefully at the issue. The refusal to
> use a password without storing it *is* a fairly narrow bug.

Yes, this is a bug. The password should be reused by upload. There's
code for this but it seems to fail.


>> This is a case where we need to come up with a better way of doing things.
>> Someone needs to propose something and folks need to weigh in.
>
> I would love to see a solution to the broader problem.
>
> I really don't want to have to enter a password every time I
> upload a package.

me neither :)

> I guess a good solution would be to integrate with existing
> password-management tools. This could be prototyped as an
> a separate upload tool.

I mentored a project in GSoC last year exactly for this case:
keyring (available on PyPI).

It is already successfully used in Mercurial (mercurial-keyring), which
suffers from the same problem when doing http/https.

The next step was to integrate keyring into distutils/upload, but that
has not been done yet due to a lack of time.


Tarek

-- 
Tarek Ziadé | http://ziade.org
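As an added illustration of the two points raised in this thread (a cleartext password left in ~/.pypirc by register, and looking it up from a secret store such as keyring instead), here is a small Python example that is not part of the original message or of distutils itself. It audits a .pypirc for index-server sections that still carry a cleartext password, and resolves credentials through a caller-supplied `secret_lookup(service, username)` function, which stands in for `keyring.get_password`; the .pypirc contents and credentials are constructed sample values.

```python
import configparser
import io

# Constructed sample of the ~/.pypirc that distutils register writes.
# The credentials and repository URLs are fake, for demonstration only.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
repository: https://pypi.example.invalid/
username: alice
password: hunter2

[internal]
repository: https://internal.example.invalid/
username: alice
"""


def _load(text):
    """Parse .pypirc text; return the parser and the listed index-server names."""
    cfg = configparser.RawConfigParser()
    cfg.read_file(io.StringIO(text))
    servers = []
    if cfg.has_option("distutils", "index-servers"):
        servers = cfg.get("distutils", "index-servers").split()
    return cfg, servers


def cleartext_password_sections(text):
    """Index-server sections that still store a cleartext password on disk."""
    cfg, servers = _load(text)
    return [s for s in servers
            if cfg.has_option(s, "password") and cfg.get(s, "password").strip()]


def credentials(text, server, secret_lookup):
    """Return (username, password) for `server`, preferring the secret store.

    `secret_lookup(service, username)` is a hypothetical stand-in for
    keyring.get_password; the cleartext .pypirc value is only a fallback,
    and None is returned when neither source has a password.
    """
    cfg, _ = _load(text)
    username = cfg.get(server, "username")
    password = secret_lookup("pypirc:" + server, username)
    if password is None and cfg.has_option(server, "password"):
        password = cfg.get(server, "password")
    return username, password
```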

