[Catalog-sig] Pull request to migrate PyPI to bcrypt

M.-A. Lemburg mal at egenix.com
Mon Feb 11 13:26:34 CET 2013


Giovanni Bajo wrote:
> On 11 Feb 2013, at 12:27, Jesse Noller <jnoller at gmail.com> wrote:
> 
>> Ok, that has to be made clear to the poor guy merging the PR
>>
>> I'm also fine with Christian's migration path; I share his concerns about your approach.
> 
> 
> This is harder to fix. Christian's main concern is that he doesn't trust me and my proposed solution because he didn't see it elsewhere. I saw it mentioned many times around, but I think that, at the end of the day, that's a red herring: the point is that I'm not in his (and/or your) trust circle, but that's fine, we can still find a way around it. It's probably useless for me to keep arguing though.
> 
> I think that a migration path on login from an unsalted SHA1 is completely wrong, so I have a proposal: I will submit it if we agree on resetting all the passwords immediately, or within a short timeframe (e.g. 2 months), and notify all the users to log in once as soon as possible (so after 2 months we reset passwords of users who haven't logged in).
> 
> Would that work?

Why not leave the decision to change the password to the PyPI users
and only do a blog post and perhaps have a banner on PyPI to notify
them?

After all, unlike for the wiki installation, the PyPI passwords were
not compromised.

-- 
Marc-Andre Lemburg
eGenix.com
