[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Paul Moore p.f.moore at gmail.com
Wed Dec 31 20:05:32 CET 2014

On 31 December 2014 at 18:42, Donald Stufft <donald at stufft.io> wrote:
> Just to speak to these two points. The purpose behind having a developer
> sign some files is that you can verify that those files were signed by
> the person holding the private key belonging to that developer.

Thanks for the explanation.

> Ideally you would not use the
> same password as you use for logging into PyPI because you send that password to
> PyPI anytime you login which would mean that PyPI would more or less know your
> private key.

My problem with this logic is that there's another attack vector that
this ignores - what if someone gets access to my PC, which has all of
these passwords in a "saved password" store that I use because it's a
pain to manage so many passwords (I don't, but you get the point ;-))?
I work in a number of secure environments where multiple complex
passwords are mandated - and typically password management becomes
sufficiently hard that people start to use shortcuts, defeating the
object of the whole exercise (heck, end users probably just use
"Password01" everywhere, "because it's too hard to remember all those

That's not to say that bad security practices justify anything, but on
the other hand human factors do imply that it's not automatically
guaranteed that two passwords are more secure than one. Single sign-on
is a goal for a lot of people for a reason...
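To make the distinction in the quoted paragraph concrete (a signature that a third party can check with only the public key, versus a key that is effectively shared with whoever sees your login password), here is an added example that is not part of this thread or of the PEPs. It uses Go's standard-library Ed25519; the artifact bytes are constructed sample data, and `KeyFromPassword` is a deliberately naive stand-in for "my signing key is just my password" so that the point about PyPI being able to rebuild such a key can be shown directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sampleArtifact is constructed sample data standing in for a release file.
var sampleArtifact = []byte("example_pkg-1.0.tar.gz contents (constructed sample)")

// GenerateDeveloperKey makes a fresh Ed25519 keypair. Only the public half
// ever needs to leave the developer's machine.
func GenerateDeveloperKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArtifact produces the developer's signature over the release bytes.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// VerifyArtifact is what an index or installer runs: it needs the public key
// and nothing secret, and any change to the bytes makes it return false.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// KeyFromPassword models the anti-pattern under discussion: deriving the
// signing key straight from a password. The derivation is deterministic, so
// anyone who has seen the password can rebuild the private key. (Hypothetical
// helper for illustration; a real scheme would never do this.)
func KeyFromPassword(password string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(password)) // deliberately simplistic on purpose
	return ed25519.NewKeyFromSeed(seed[:])
}

// ServerCanForge models a server that received the developer's login
// password. It reports whether that server can mint a signature which
// verifies under the developer's published public key.
func ServerCanForge(password string, devPub ed25519.PublicKey, artifact []byte) bool {
	serverPriv := KeyFromPassword(password) // re-derived from the password it was sent
	forged := ed25519.Sign(serverPriv, artifact)
	return ed25519.Verify(devPub, artifact, forged)
}

func main() {
	pub, priv, err := GenerateDeveloperKey()
	if err != nil {
		panic(err)
	}
	sig := SignArtifact(priv, sampleArtifact)
	fmt.Println("signature valid:", VerifyArtifact(pub, sampleArtifact, sig))

	tampered := append([]byte{}, sampleArtifact...)
	tampered[0] ^= 1 // flip one bit
	fmt.Println("tampered artifact valid:", VerifyArtifact(pub, tampered, sig))

	// A key that is really just the password: the server that saw the
	// password can sign as the developer.
	pwPub := KeyFromPassword("Password01").Public().(ed25519.PublicKey)
	fmt.Println("server forges with password-derived key:", ServerCanForge("Password01", pwPub, sampleArtifact))

	// An independently generated key: knowing the password buys nothing.
	fmt.Println("server forges with random key:", ServerCanForge("Password01", pub, sampleArtifact))
}
```

Run with `go run`: the first check prints true, the flipped-bit check false, the password-derived forgery true, and the forgery against the randomly generated key false. The last two lines are the whole argument for keeping the signing key separate from anything you send to the index.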

