[Distutils] Security issue with Distutils register is still actual

anatoly techtonik techtonik at gmail.com
Wed Nov 3 20:56:56 CET 2010

On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>> I should have looked more carefully at the issue. The refusal to
>> use a password without storing it *is* a fairly narrow bug.
> Yes this is a bug. the password should be reused by upload. There's
> code for this but it seems to fails

Fix landed.

>>> This is a case where we need to come up with a better way of doing things.
>>> Someone needs to propose something and folks need to weigh in.
>> I would love to see a solution to the broader problem.
>> I really don't want to have to enter a password every time I
>> upload a package.
> me neither :)

Does anybody know where is documentation on supported authentication in PyPI?

>> I guess a good solution would be to integrate with existing
>> password-management tools. This could be prototyped as an
>> a separate upload tool.
> I have mentored a project in GSOC last year exactly for this case:
> keyring (avialable at PyPI)
> It is already successfully used in Mercurial (mercurial-keyring) that
> suffers the same problem when doing http/https
> The next step was to integrate keyring in distutils/upload but was not
> done yet due to a lack of time.

Network protection is still weak. The password is sent nearly in cleartext.

anatoly t.

More information about the Distutils-SIG mailing list