[Distutils] Security issue with Distutils register is still actual

anatoly techtonik techtonik at gmail.com
Wed Nov 3 20:56:56 CET 2010


On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>> I should have looked more carefully at the issue. The refusal to
>> use a password without storing it *is* a fairly narrow bug.
>
> Yes this is a bug. The password should be reused by upload. There's
> code for this but it seems to fail

Fix landed.
http://bugs.python.org/issue9995

>>> This is a case where we need to come up with a better way of doing things.
>>> Someone needs to propose something and folks need to weigh in.
>>
>> I would love to see a solution to the broader problem.
>>
>> I really don't want to have to enter a password every time I
>> upload a package.
>
> me neither :)

Does anybody know where the documentation on the authentication methods supported by PyPI is?

>> I guess a good solution would be to integrate with existing
>> password-management tools. This could be prototyped as an
>> a separate upload tool.
>
> I have mentored a project in GSOC last year exactly for this case:
> keyring (available at PyPI)
>
> It is already successfully used in Mercurial (mercurial-keyring) that
> suffers the same problem when doing http/https
>
> The next step was to integrate keyring in distutils/upload but was not
> done yet due to a lack of time.

Network protection is still weak. The password is sent nearly in cleartext.

-- 
anatoly t.
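The two problems raised in this thread, a password kept in plaintext in `.pypirc` and a password sent "nearly in cleartext", can both be shown in a few lines. The following is an added example and not code from the thread, distutils or the keyring project: it builds the HTTP Basic `Authorization` value the way an upload client does and decodes it again (Basic auth is base64 encoding, not encryption, so over plain `http` anyone on the path reads it), refuses to attach credentials to a non-https repository URL, and reads a `.pypirc` that omits the password, fetching it from a caller-supplied lookup with the same `(service, username)` shape as `keyring.get_password`. The `.pypirc` text, the repository URL and the credentials are constructed for the example; only the standard library is used.

```python
"""Added example: Basic-auth exposure over http and keyring-style credential lookup."""
import base64
import configparser
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value a Basic-auth client (e.g. an upload command) sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def recover_credentials(header_value: str) -> tuple:
    """Undo a Basic header. Works for anyone who can see the request on the wire."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def auth_headers_for(repository_url: str, username: str, password: str) -> dict:
    """Attach credentials only when the transport protects them (https)."""
    scheme = urlsplit(repository_url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send credentials over {scheme or 'unknown'}: {repository_url}")
    return {"Authorization": basic_auth_header(username, password)}


# Constructed .pypirc with no password line: the secret lives in a keyring, not on disk.
CONSTRUCTED_PYPIRC = """\
[distutils]
index-servers = pypi

[pypi]
repository = https://example.invalid/pypi
username = alice
"""


def load_credentials(pypirc_text: str, section: str, lookup) -> tuple:
    """Read repository/username from .pypirc; get the password from `lookup(service, user)`.

    `lookup` is a stand-in for keyring.get_password (same argument shape); any callable
    returning the password or None works.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(pypirc_text)
    repository = cfg.get(section, "repository")
    username = cfg.get(section, "username")
    password = cfg.get(section, "password", fallback=None)
    if password is None:
        password = lookup(repository, username)
    if password is None:
        raise LookupError(f"no password for {username} at {repository}")
    return repository, username, password


if __name__ == "__main__":
    header = basic_auth_header("alice", "s3cret")
    print("on the wire:", header)
    print("recovered by an observer:", recover_credentials(header))
    # Constructed in-memory secret store standing in for a real keyring backend.
    store = {("https://example.invalid/pypi", "alice"): "s3cret"}
    repo, user, pw = load_credentials(CONSTRUCTED_PYPIRC, "pypi", lambda s, u: store.get((s, u)))
    print(auth_headers_for(repo, user, pw))
    try:
        auth_headers_for("http://example.invalid/pypi", user, pw)
    except ValueError as exc:
        print("blocked:", exc)
```

The https check is the part worth keeping in a real upload tool: with Basic auth the only protection the password gets is the TLS layer underneath it, so the client should fail closed when the repository URL is not https rather than rely on the user to notice.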

