[Catalog-sig] Mandatory Reset of PyPI Passwords

Richard Jones richard at python.org
Tue Feb 19 05:21:01 CET 2013


On 19 February 2013 06:42, Antoine Pitrou <solipsis at pitrou.net> wrote:
> Donald Stufft <donald.stufft <at> gmail.com> writes:
>>
>> The reason I believe we should reset is because there is a high likelihood that
>> people used the same login/password on PyPI as they did on wiki.python.org and
>> thus even if we migrate to a stronger hash many accounts may be already
>> compromised, or will be in the future.
>
> For the record, the password reset is a UI trainwreck when using distutils
> (2.7 version):
>
> $ python setup.py register
> running register
> running check
> Registering pathlib to http://pypi.python.org/pypi
> Server response (401): basic auth failed

Thanks for trying this out, and as you say, the UI isn't ideal.

The above message is generated by urllib2 - the message we try to pass
back to the client is chewed up by the Basic Auth handler. Even if we
did pass back a message specific to the client saying "please go to
the website to reset your password" it wouldn't be displayed.

Having distutils handle all that and display a message like that would
be nice, but given it's tied to Python releases we're not going to fix
it any time soon.

Resetting the password through the command-line is not possible
without moving the .pypirc file out of the way completely. This is not
ideal, as you noted.


> By the way, https://pypi.python.org/pypi still tells me "Please reset your
> password before 2013-02-22" even though I've already changed my password.

Indeed. I figure it's only going to be up temporarily and people who
have reset their passwords wouldn't mind seeing that message for the
few days before the forced reset. After the reset I'll be modifying
the note to explain why passwords aren't working any more.


     Richard
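Added example (not code from this thread, from distutils or from PyPI) showing the failure mode discussed above: the server puts its explanation in the body of the 401, and a client that reports only the status code and reason, as distutils' register command does, never shows it. Python 2.7's urllib2 goes one step further and, once its Basic auth retries are exhausted, raises its own HTTPError with the text "basic auth failed" and no response attached, which is the line Antoine saw. The example below uses Python 3's urllib.request, where the body of the final 401 does survive into the HTTPError, so it can show what distutils-style reporting discards. The local server, the credentials, and the names register, distutils_style, server_explained and demo are constructed for the example; the notice text is the one proposed in the message above.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for PyPI during the forced reset: every credential is
# rejected, and the human-readable reason travels in the 401 response body.
RESET_NOTICE = b"Please go to the website to reset your password."


class ResetRequiredHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Drain the request body so the client never sees a broken pipe.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="pypi"')
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(RESET_NOTICE)))
        self.end_headers()
        self.wfile.write(RESET_NOTICE)

    def log_message(self, *args):
        pass  # keep the access log out of the demo output


def start_server():
    """Bind a throwaway server on a free loopback port and serve it in the background."""
    srv = HTTPServer(("127.0.0.1", 0), ResetRequiredHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def register(url, user, password):
    """POST to the register URL with Basic auth, the way distutils' register command does.

    Returns the status code, the status-line reason and the body, whether the
    server accepted or rejected the request.
    """
    pm = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pm.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(pm))
    req = urllib.request.Request(url, data=b":action=submit", method="POST")
    try:
        with opener.open(req, timeout=5) as resp:
            return {"code": resp.status, "reason": resp.reason,
                    "body": resp.read().decode("utf-8", "replace")}
    except urllib.error.HTTPError as e:
        # The auth handler has already retried with the credentials; the second
        # 401 surfaces as HTTPError. fp is None only when a handler raised the
        # error itself without a response, so guard before reading the body.
        fp = getattr(e, "fp", None)
        body = fp.read().decode("utf-8", "replace") if fp is not None else ""
        return {"code": e.code, "reason": e.msg, "body": body}


def distutils_style(result):
    """What distutils prints: status code and reason only; the body is dropped."""
    return "Server response (%s): %s" % (result["code"], result["reason"])


def server_explained(result):
    """What a client should show on a rejected login: the server's own message too."""
    details = result["body"].strip() or "(no details from server)"
    return "%s\n%s" % (distutils_style(result), details)


def demo(user="alice", password="old-password"):
    """Run the rejected registration against the constructed server and return the result."""
    srv = start_server()
    try:
        url = "http://127.0.0.1:%d/pypi" % srv.server_address[1]
        return register(url, user, password)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    r = demo()
    print(distutils_style(r))   # status and reason only, as distutils reports it
    print(server_explained(r))  # the same failure with the server's notice attached
```

The point for anyone writing an upload client: on a 401, read and show the response body before giving up, because that is the only channel the server has to tell an old client why its credentials stopped working.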