[Distutils] Security issue with Distutils register is still actual

Jim Fulton jim at zope.com
Wed Nov 3 21:04:17 CET 2010


On Wed, Nov 3, 2010 at 3:56 PM, anatoly techtonik <techtonik at gmail.com> wrote:
> On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>>> I should have looked more carefully at the issue. The refusal to
>>> use a password without storing it *is* a fairly narrow bug.
>>
>> Yes this is a bug. The password should be reused by upload. There's
>> code for this but it seems to fail.
>
> Fix landed.
> http://bugs.python.org/issue9995
>
>>>> This is a case where we need to come up with a better way of doing things.
>>>> Someone needs to propose something and folks need to weigh in.
>>>
>>> I would love to see a solution to the broader problem.
>>>
>>> I really don't want to have to enter a password every time I
>>> upload a package.
>>
>> me neither :)
>
> Does anybody know where the documentation on supported authentication in PyPI is?
>
>>> I guess a good solution would be to integrate with existing
>>> password-management tools. This could be prototyped as
>>> a separate upload tool.
>>
>> I have mentored a project in GSOC last year exactly for this case:
>> keyring (available on PyPI)
>>
>> It is already successfully used in Mercurial (mercurial-keyring) that
>> suffers the same problem when doing http/https
>>
>> The next step was to integrate keyring in distutils/upload but was not
>> done yet due to a lack of time.
>
> Network protection is still weak. The password is sent nearly in cleartext.

Right, we'd want to use https as well. Presumably, that's the easy part.

Jim

-- 
Jim Fulton

