[Catalog-sig] Pull request to migrate PyPI to bcrypt
Giovanni Bajo
rasky at develer.com
Mon Feb 11 13:05:48 CET 2013
On 11 Feb 2013, at 12:27, Jesse Noller <jnoller at gmail.com> wrote:
> Ok, that has to be made clear to the poor guy merging the PR
>
> I'm also fine with Christian's migration path; I share his concerns about your approach.
This is harder to fix. Christian's main concern is that he doesn't trust me and my proposed solution because he didn't see it elsewhere. I saw it mentioned many times around, but I think that, at the end of the day, that's a red herring: the point is that I'm not in his (and/or your) trust circle, but that's fine, we can still find a way around it. It's probably useless for me to keep arguing though.
I think that a migration path on login from an unsalted SHA1 is completely wrong, so I have a proposal: I will submit it if we agree on resetting all the passwords immediately, or within a short timeframe (e.g. 2 months), and notify all the users to log in once as soon as possible (so after 2 months we reset passwords of users who haven't logged in).
Would that work?
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
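
The proposal in the message above (upgrade the stored hash when a user logs in, then reset every account still on unsalted SHA-1 once the grace period ends) looks like this in code. This is an added example, not code from the pull request or from PyPI; the record layout, the function names and the use of PBKDF2 as a stand-in for bcrypt are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

def legacy_sha1(password):
    # The old scheme named in the thread: unsalted SHA-1.
    return hashlib.sha1(password.encode()).hexdigest()

def slow_hash(password, salt):
    # Assumption: PBKDF2 stands in for bcrypt so this runs on the stdlib alone.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def login(user, password):
    """Check a password; on success, replace a legacy SHA-1 record."""
    if user["scheme"] == "reset":
        return False  # hash was discarded; only a password reset works now
    if user["scheme"] == "sha1":
        if not hmac.compare_digest(user["hash"], legacy_sha1(password)):
            return False
        salt = os.urandom(16)
        user.update(scheme="kdf", salt=salt, hash=slow_hash(password, salt))
        return True
    return hmac.compare_digest(user["hash"], slow_hash(password, user["salt"]))

def enforce_deadline(users, now, deadline):
    """Once the grace period is over, drop every hash still stored as SHA-1."""
    if now < deadline:
        return []
    expired = sorted(n for n, u in users.items() if u["scheme"] == "sha1")
    for name in expired:
        users[name].update(scheme="reset", hash=None)
    return expired

def demo():
    # Constructed sample accounts, both still on the legacy scheme.
    users = {
        "alice": {"scheme": "sha1", "hash": legacy_sha1("correct horse")},
        "bob": {"scheme": "sha1", "hash": legacy_sha1("hunter2")},
    }
    start = datetime(2013, 2, 11)
    deadline = start + timedelta(days=60)  # the "2 months" from the proposal
    login(users["alice"], "correct horse")  # alice logs in during the window
    reset = enforce_deadline(users, deadline + timedelta(days=1), deadline)
    return users, reset

if __name__ == "__main__":
    print(demo()[1])
```

Until the deadline passes, accounts that have not logged in still carry the unsalted SHA-1 value, so the length of the grace period is the exposure window for those hashes.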