[Distutils] pypissh

Antoine Pitrou antoine at python.org
Thu Sep 5 10:08:26 CEST 2013


Donald Stufft <donald <at> stufft.io> writes:
> >> 
> >> Rolling up answers to multiple questions in here.
> >> 
> >> 1) Warehouse is the name of the software that will power PyPI 2.0.
> >> 2) Nothing about the future of Warehouse is set in stone and API
> >>    breakages and the like will be discussed beforehand.
> >> 3) The way the migration was going to work was posted to this list
> >>    already (https://mail.python.org/pipermail/distutils-sig/2013-July/022096.html).
> >> 4) In regards to the PyPISSH I don't know exactly what tooling I want
> >>    to replace it with, it might simply be a saner implementation of
> >>    SSH Authentication, it might be TLS Client Certs, or OAuth Tokens.
> >>    Personally I'm leaning towards TLS Client Certs and possibly OAuth
> >>    tokens but that will be decided down the road.
> > 
> > To refine my statement, the current server implementation of using
> > opensshd with some authorized_keys trickery is what the infra team is
> > declining to support long term. Something built around Twisted's SSH
> > server impl (for example) could be a suitable replacement since that
> > would be secure by default as opposed to the current system where any
> > failure on our part gives you shell access to the PyPI server. I know
> > of no current issues, but long-term it isn't a position we want to be
> > in in terms of support.
> > 
> > --Noah
> > 
> > 
> 
> Yes, if SSH Authentication is kept long term it will likely be replaced by
> an implementation using Twisted on the server side and I dunno what but
> something that doesn't involve shelling out to a command named ``ssh`` on
> the client side so that it can work out of the box on more OSs.

Just out of curiosity, does it mean Warehouse is Python 2 software at this
point?

(thanks for the answers above, by the way. TLS client certs sound ok,
especially if you let users choose their CA)

Regards

Antoine.



