[Distutils] pypissh

Donald Stufft donald at stufft.io
Wed Sep 4 21:22:25 CEST 2013


On Sep 4, 2013, at 3:19 PM, Noah Kantrowitz <noah at coderanger.net> wrote:

> 
> On Sep 4, 2013, at 12:14 PM, Donald Stufft wrote:
> 
>> 
>> On Sep 4, 2013, at 2:36 PM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
>> 
>>> 
>>> 
>>>> Obligatory reminder that we (I) have no intention of supporting pypissh as we move into the Era of Warehouse.
>>> 
>>> 
>>> 
>>> What *is* the Era of Warehouse, exactly? Is there any documentation which defines standards, interfaces etc., or a rough time frame/road map for such documentation? What are the deliverables? Is it expected that there could be multiple implementations of a standard, or just a single blessed implementation that everyone has to use? Does all or most of the discussion about Warehouse happen on this list, or does substantive discussion take place on some other list somewhere?
>>> 
>>> Regards,
>>> 
>>> Vinay Sajip
>> 
>> Rolling up answers to multiple questions in here.
>> 
>> 1) Warehouse is the name of the software that will power PyPI 2.0.
>> 2) Nothing about the future of Warehouse is set in stone and API
>>    breakages and the like will be discussed beforehand.
>> 3) The way the migration was going to work was posted to this list
>>    already (https://mail.python.org/pipermail/distutils-sig/2013-July/022096.html).
>> 4) In regard to PyPISSH, I don't know exactly what tooling I want to replace it with; it might
>>    simply be a saner implementation of SSH Authentication, it might be TLS Client Certs,
>>    or OAuth Tokens. Personally I'm leaning towards TLS Client Certs and possibly OAuth
>>    tokens, but that will be decided down the road.
> 
> To refine my statement, the current server implementation of using opensshd with some authorized_keys trickery is what the infra team is declining to support long term. Something built around Twisted's SSH server impl (for example) could be a suitable replacement, since that would be secure by default, as opposed to the current system where any failure on our part gives you shell access to the PyPI server. I know of no current issues, but long-term it isn't a position we want to be in, in terms of support.
> 
> --Noah
> 
> 


Yes, if SSH Authentication is kept long term it will likely be replaced by an implementation using Twisted on the server side, and I dunno what on the client side, but something that doesn't involve shelling out to a command named ``ssh``, so that it can work out of the box on more OSs.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
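The failure mode Noah describes above (an opensshd account where the authorized_keys entries are what stand between an uploader and a login shell) can be checked mechanically. The following is an added example, not code from pypissh, PyPI or this thread. It assumes the "authorized_keys trickery" is the usual forced-command pattern (a `command="..."` option plus the `no-*` restrictions, or `restrict` on OpenSSH 7.2+); the handler path `/srv/pypissh/handler`, the user names and the key material in `SAMPLE` are constructed for the example. An entry without a forced command, or one that leaves pty allocation and forwarding enabled, is reported, because that is exactly the slip that turns an upload key into shell access.

```python
"""Audit an OpenSSH authorized_keys file for entries that would hand out a
login shell (or forwarding) instead of one forced command.

Added example; not pypissh's or PyPI's code.  Assumptions: the server relies
on the forced-command pattern in authorized_keys, i.e. lines shaped like
    command="/srv/pypissh/handler",no-pty,no-port-forwarding,... ssh-ed25519 AAAA... user
and OpenSSH option semantics as documented in sshd(8): options are
case-insensitive, comma-separated, and a quoted value may itself contain
commas and spaces.  `restrict` (OpenSSH >= 7.2) implies all the no-* options.
"""

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

# A forced command alone does NOT block these (see sshd(8)); each must be set.
REQUIRED_RESTRICTIONS = ("no-pty", "no-port-forwarding",
                         "no-x11-forwarding", "no-agent-forwarding")


def _split_options(opts):
    """Split the option field on commas that are outside double quotes."""
    out, cur, inq, esc = [], [], False, False
    for ch in opts:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\" and inq:
            cur.append(ch); esc = True          # backslash escape inside quotes
        elif ch == '"':
            inq = not inq; cur.append(ch)
        elif ch == "," and not inq:
            out.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_entry(line):
    """Parse one authorized_keys line into options/keytype/key/comment, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # The first field may be an option list whose quoted values contain spaces,
    # so find the first whitespace that is not inside double quotes.
    inq = esc = False
    cut = None
    for i, ch in enumerate(line):
        if esc:
            esc = False
        elif ch == "\\" and inq:
            esc = True
        elif ch == '"':
            inq = not inq
        elif ch.isspace() and not inq:
            cut = i
            break
    if cut is None:
        return None
    first, rest = line[:cut], line[cut:].strip()
    if first.startswith(KEY_TYPES):             # no options at all
        options, key_part = [], line
    else:
        options, key_part = _split_options(first), rest
    fields = key_part.split(None, 2)
    if len(fields) < 2:
        return None
    return {"options": options, "keytype": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def audit_entry(entry):
    """Return a list of findings for a parsed entry; an empty list means OK."""
    names = {opt.split("=", 1)[0].strip().lower() for opt in entry["options"]}
    findings = []
    if "command" not in names:
        findings.append("no forced command: key gets the account's login shell")
    if "restrict" not in names:
        missing = [r for r in REQUIRED_RESTRICTIONS if r not in names]
        if missing:
            findings.append("missing restrictions: " + ", ".join(missing))
    return findings


def audit(text):
    """Audit a whole file; returns [(line_no, comment, findings), ...]."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is not None:
            results.append((no, entry["comment"], audit_entry(entry)))
    return results


# Constructed sample; the path, names and key blobs are invented for the example.
SAMPLE = """\
# constructed sample, not real PyPI keys
command="/srv/pypissh/handler",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterial00000000000000000000000 alice
command="/srv/pypissh/handler" ssh-rsa AAAAB3NzaC1yc2EFakeKeyMaterial bob
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterial11111111111111111111111 carol
restrict,command="/srv/pypissh/handler --user=dave,admin" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterial22222222222222222222222 dave
"""

if __name__ == "__main__":
    for no, who, findings in audit(SAMPLE):
        print(no, who, "OK" if not findings else "; ".join(findings))
```

Only `alice` and `dave` pass: `bob` has a forced command but still permits pty allocation and port/agent/X11 forwarding, and `carol` has a bare key, which is the "any failure on our part gives you shell access" case. The parser deliberately handles a quoted `command=` value containing commas and spaces (`dave`), since a naive `split(",")` would mis-read exactly the entries a handler with arguments produces.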

