[Distutils] Security issue with Distutils register is still actual
ziade.tarek at gmail.com
Wed Nov 3 23:26:39 CET 2010
2010/11/3 Jim Fulton <jim at zope.com>:
> On Wed, Nov 3, 2010 at 3:56 PM, anatoly techtonik <techtonik at gmail.com> wrote:
>> On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>>>> I should have looked more carefully at the issue. The refusal to
>>>> use a password without storing it *is* a fairly narrow bug.
>>> Yes, this is a bug. The password should be reused by upload. There's
>>> code for this but it seems to fail.
>> Fix landed.
>>>>> This is a case where we need to come up with a better way of doing things.
>>>>> Someone needs to propose something and folks need to weigh in.
>>>> I would love to see a solution to the broader problem.
>>>> I really don't want to have to enter a password every time I
>>>> upload a package.
>>> me neither :)
>> Does anybody know where the documentation on supported authentication in PyPI is?
>>>> I guess a good solution would be to integrate with existing
>>>> password-management tools. This could be prototyped as an
>>>> a separate upload tool.
>>> I mentored a project in GSOC last year exactly for this case:
>>> keyring (available at PyPI)
>>> It is already successfully used in Mercurial (mercurial-keyring), which
>>> suffers the same problem when doing http/https.
>>> The next step was to integrate keyring in distutils/upload, but this was
>>> not done yet due to a lack of time.
>> Network protection is still weak. The password is sent nearly in cleartext.
> Right, we'd want to use https as well. Presumably, that's the easy part.
> Jim Fulton
Tarek Ziadé | http://ziade.org
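Added example, not code from this thread or from distutils/keyring: a small credential resolver for a distutils-style upload that reads username and repository from a constructed .pypirc, takes the password from a keyring-style lookup (the real `keyring.get_password` when that package is installed, otherwise an injected callable) instead of a password stored in the file, remembers a prompted password for the rest of the run so that upload after register does not ask twice, and refuses a repository URL that is not https. The `pypi` service name, the `.pypirc` text and the hostname are assumptions.

```python
"""Credential resolution for a PyPI upload without storing the password."""
import configparser
from urllib.parse import urlparse

try:
    import keyring  # real backend if installed; otherwise a callable is injected
except ImportError:
    keyring = None

KEYRING_SERVICE = "pypi"  # assumed service name, not a distutils convention

# Constructed .pypirc: note there is deliberately no `password` key.
SAMPLE_PYPIRC = """\
[distutils]
index-servers = pypi

[pypi]
repository = https://pypi.example/pypi
username = alice
"""


def keyring_lookup(username):
    """Fetch the password from the system keyring, or None if unavailable."""
    if keyring is None:
        return None
    return keyring.get_password(KEYRING_SERVICE, username)


class CredentialSession:
    """Holds a password for one run so register and upload share it.

    A `password` entry in .pypirc is ignored on purpose: the password comes
    from the keyring lookup, and only if that yields nothing from `prompt()`.
    """

    def __init__(self, get_password=keyring_lookup, prompt=None):
        self._get_password = get_password
        self._prompt = prompt
        self._cache = {}  # username -> password, lives only for this run

    def resolve(self, pypirc_text, server="pypi"):
        cfg = configparser.ConfigParser()
        cfg.read_string(pypirc_text)
        section = cfg[server]
        username, repository = section["username"], section["repository"]
        if urlparse(repository).scheme != "https":
            raise ValueError("refusing to send credentials to %s" % repository)
        if username not in self._cache:
            password = self._get_password(username)
            if password is None and self._prompt is not None:
                password = self._prompt()  # asked once, then reused
            if password is None:
                raise ValueError("no password available for %r" % username)
            self._cache[username] = password
        return username, self._cache[username], repository
```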