[Distutils] PyPI Migrated to New Infrastructure with some Breakage

martin at v.loewis.de martin at v.loewis.de
Sun Jan 26 12:03:31 CET 2014


Quoting Richard Jones <richard at python.org>:

> Thanks everyone who helped make this happen.
>
> From my perspective* I believe the ssh upload mechanism was added to
> address security issues around the basic-auth-over-http method used
> historically. Now uploads *may* be done over https, and those using the ssh
> method can move over to using twine or pip upload, I think that it's
> reasonable to discontinue support for ssh uploads.

There is one use case that still isn't addressed by any of the alternatives:
Automated uploads still require the password to be stored on disk. So if the
laptop is stolen, the password may get stolen as well.

With SSH upload, the authentication comes from the ssh-agent, which protects
the credentials better (i.e. if the laptop is powered down, or requires the
user to enter a password on access, the key is protected).

It has been suggested to resolve this using the keyring library (which would
give the same protection to the password as ssh-agent to the private key), but
a) I don't think it actually *has* been implemented, and
b) to properly implement it (i.e. without monkey-patching register/upload),
    it would have to be done in CPython, and
c) that would require putting keyring into CPython, which could happen
    in Python 3.5 at the earliest.

So I suggest that somebody does a), and then provides a package that works
around b) and c) by monkeypatching distutils (just like pypissh does).

In any case, if you really choose to discontinue SSH access, I suggest that
you also change the UI to drop registration of SSH keys, and then ultimately
remove them from the schema.

BTW, you can get an indication of how many users this might affect by checking
how many users have keys registered.

Regards,
Martin
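
The password-on-disk concern and the keyring suggestion discussed above, as an added example that is not part of the original message or of distutils: it audits a `.pypirc` for plaintext passwords and loose file permissions, and resolves a password from a keyring-style backend before falling back to the file. The sample file, the `DictBackend` stand-in and the use of the section name as the keyring service name are assumptions made for illustration.

```python
import configparser
import stat

# Constructed sample of a ~/.pypirc (not taken from the original message).
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
username = alice
password = hunter2-constructed

[internal]
username = ci-bot
"""

def _parse(text):
    cfg = configparser.RawConfigParser()
    cfg.read_string(text)
    return cfg

def audit_pypirc(text, mode):
    """List credentials that anyone holding the disk (or the file) can read."""
    cfg, findings = _parse(text), []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("file", "accessible to group/other: %o" % (mode & 0o777)))
    for name in cfg.get("distutils", "index-servers", fallback="").split():
        if cfg.has_option(name, "password"):
            findings.append((name, "plaintext password stored on disk"))
    return findings

def resolve_password(text, server, backend):
    """Ask the keyring first; fall back to the .pypirc password.
    backend: object with get_password(service, username), e.g. the keyring
    module. Section name as service name is this example's assumption."""
    cfg = _parse(text)
    user = cfg.get(server, "username")
    secret = backend.get_password(server, user)
    if secret is not None:
        return secret, "keyring"
    return cfg.get(server, "password", fallback=None), "pypirc"

class DictBackend:  # hypothetical in-memory stand-in for keyring (runs offline)
    def __init__(self, entries):
        self.entries = entries
    def get_password(self, service, username):
        return self.entries.get((service, username))
```

With the third-party keyring package installed, passing the imported `keyring` module as `backend` uses the operating system's credential store, so the `password` line can be dropped from the file.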



