[Distutils] Security issue with Distutils register is still actual

Tarek Ziadé ziade.tarek at gmail.com
Wed Nov 3 23:26:39 CET 2010


2010/11/3 Jim Fulton <jim at zope.com>:
> On Wed, Nov 3, 2010 at 3:56 PM, anatoly techtonik <techtonik at gmail.com> wrote:
>> On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>>>> I should have looked more carefully at the issue. The refusal to
>>>> use a password without storing it *is* a fairly narrow bug.
>>>
>>> Yes this is a bug. The password should be reused by upload. There's
>>> code for this but it seems to fail.
>>
>> Fix landed.
>> http://bugs.python.org/issue9995
>>
>>>>> This is a case where we need to come up with a better way of doing things.
>>>>> Someone needs to propose something and folks need to weigh in.
>>>>
>>>> I would love to see a solution to the broader problem.
>>>>
>>>> I really don't want to have to enter a password every time I
>>>> upload a package.
>>>
>>> me neither :)
>>
>> Does anybody know where the documentation on supported authentication in PyPI is?
>>
>>>> I guess a good solution would be to integrate with existing
>>>> password-management tools. This could be prototyped as a
>>>> separate upload tool.
>>>
>>> I mentored a project in GSOC last year exactly for this case:
>>> keyring (available at PyPI)
>>>
>>> It is already successfully used in Mercurial (mercurial-keyring) that
>>> suffers the same problem when doing http/https
>>>
>>> The next step was to integrate keyring in distutils/upload, but that has not been
>>> done yet due to a lack of time.
>>
>> Network protection is still weak. The password is sent nearly in cleartext.
>
> Right, we'd want to use https as well. Presumably, that's the easy part.

+1.


> Jim
>
> --
> Jim Fulton
>
-- 
Tarek Ziadé | http://ziade.org
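The two points raised in the thread above are that the password entered for `register` should be reused by `upload` without being written to `~/.pypirc`, and that it must only travel over https. The following is an added example of that pattern, not distutils' own code and not the `keyring` project's code: it looks the password up through `keyring.get_password`/`keyring.set_password` when the library is installed, falls back to a constructed in-memory stand-in otherwise, prompts only when nothing is stored, and refuses any repository URL whose scheme is not https. The service name `"pypi"`, the function names and the example repository URL are assumptions made for this illustration.

```python
"""Credential lookup for a package upload that keeps the password out of
~/.pypirc and refuses to send it over plain http.

Added example; it is not part of distutils or of the keyring project.
"""
from urllib.parse import urlsplit

# Service name under which the password is stored in the keyring (assumption).
SERVICE = "pypi"


class MemoryBackend:
    """Constructed stand-in with keyring's get_password/set_password shape,
    used when the real library is not installed. Nothing is persisted."""

    def __init__(self):
        self._store = {}

    def get_password(self, service, username):
        return self._store.get((service, username))

    def set_password(self, service, username, password):
        self._store[(service, username)] = password


def default_backend():
    """Prefer the real keyring library (OS credential store); otherwise fall
    back to the in-memory stand-in so the example still runs offline."""
    try:
        import keyring  # real library: keyring.get_password / keyring.set_password
        return keyring
    except ImportError:
        return MemoryBackend()


def check_repository_url(repository):
    """Reject anything that would put the password on the wire in cleartext."""
    parts = urlsplit(repository)
    if parts.scheme != "https":
        raise ValueError(
            f"refusing to send credentials over {parts.scheme or 'an unknown scheme'}: {repository}"
        )
    return repository


def resolve_password(username, backend, prompt, store=True):
    """Return (password, source). The backend is consulted first so that a
    password typed once (e.g. for register) is reused by later uploads;
    `prompt` is a callable such as getpass.getpass, used only on a miss."""
    password = backend.get_password(SERVICE, username)
    if password:
        return password, "backend"
    password = prompt(f"Password for {username}: ")
    if not password:
        raise ValueError("no password supplied")
    if store:
        # Store in the credential store, never in a dotfile on disk.
        backend.set_password(SERVICE, username, password)
    return password, "prompt"


def credentials_for_upload(repository, username, backend=None, prompt=None):
    """Assemble what an upload needs: a checked https URL plus credentials
    obtained from the credential store or, failing that, from the prompt."""
    import getpass

    backend = backend if backend is not None else default_backend()
    prompt = prompt if prompt is not None else getpass.getpass
    repo = check_repository_url(repository)
    password, source = resolve_password(username, backend, prompt)
    return {"repository": repo, "username": username, "password": password, "source": source}


if __name__ == "__main__":
    # Offline demonstration with constructed values: the first call prompts,
    # the second is served from the backend without prompting again.
    demo_backend = MemoryBackend()
    first = credentials_for_upload("https://pypi.example.org/", "alice",
                                   backend=demo_backend, prompt=lambda _msg: "constructed-secret")
    second = credentials_for_upload("https://pypi.example.org/", "alice",
                                    backend=demo_backend, prompt=lambda _msg: "never-used")
    print(first["source"], second["source"])  # prompt backend
```

Pointing `backend` at the real `keyring` module is all that changes in production; the in-memory class exists only so the flow can be exercised without an OS credential store.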