[Catalog-sig] Pull request to migrate PyPI to bcrypt

Jesse Noller jnoller at gmail.com
Mon Feb 11 13:27:28 CET 2013



On Feb 11, 2013, at 7:26 AM, "M.-A. Lemburg" <mal at egenix.com> wrote:

> Giovanni Bajo wrote:
>> On 11 Feb 2013, at 12:27, Jesse Noller <jnoller at gmail.com> wrote:
>> 
>>> Ok, that has to be made clear to the poor guy merging the PR
>>> 
>>> I'm also fine with Christian's migration path; I share his concerns about your approach.
>> 
>> 
>> This is harder to fix. Christian's main concern is that he doesn't trust me and my proposed solution because he didn't see it elsewhere. I saw it mentioned many times around, but I think that, at the end of the day, that's a red herring: the point is that I'm not in his (and/or your) trust circle, but that's fine, we can still find a way around it. It's probably useless for me to keep arguing though.
>> 
>> I think that a migration path on login from an unsalted SHA1 is completely wrong, so I have a proposal: I will submit it if we agree on resetting all the passwords immediately, or within a short timeframe (e.g. 2 months), and notify all the users to log in once as soon as possible (so after 2 months we reset passwords of users who haven't logged in).
>> 
>> Would that work?
> 
> Why not leave the decision to change the password to the PyPI users
> and only do a blog post and perhaps have a banner on PyPI to notify
> them ?
> 
> After all, unlike for the wiki installation, the PyPI passwords were
> not compromised.
> 

They were if they used the same one on the wiki


> -- 
> Marc-Andre Lemburg
> eGenix.com

