-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin v. Löwis wrote:
>>>> Here's some: how about instead of an ssh-like system, use ssh itself.
>>>> Front PyPI with an ssh server that users connect to. That way it is
>>>> both secure and the infrastructure (agent, etc.) is already in place.
>>> Yes please. I'd rather have one agent running and reuse my SSH key for
>>> authentication.
>> That would be awesome indeed. But that would involve quite some
>> changes on server side,
>> I'll forward this mail to catalog-sig for Richard, Martin and others'
>> feedback
>
> I'm fairly skeptical. First, the infrastructure is *not* yet in place.
> Nobody has uploaded SSH keys to PyPI, and in order to allow SSH access,
> we probably would need to create a Unix account, which then runs a fixed
> (Python) program on ssh login.

Right, a single account with multiple keys (each with
command="do_pypi -u <userid>").

> That is much less secure than the current
> setup, in the sense that this program can probably be tricked much easier
> than Apache can. So it opens a door for people hacking into the system;
> all they have to do is to create a fake PyPI account and upload an SSH
> key...

Zope has been using the 'command=' bit to do SSH-protected CVS / SVN
access since 2000 with a lot of success; 370+ committers have keys on
the system. The command being executed is actually a small shell script,
which barfs if the program being run is not one of 'svn', 'cvs', or
'scp' (for uploading tarballs).

> To improve password storage, I think it would be better to use the
> platform's secure password storage services where available (e.g.
> OSX Keychain, KDE KWallet, etc). Of course, such a library should be
> developed independently of distutils. For Keychain, there is already
>
> http://muffinresearch.co.uk/archives/2008/02/05/python-keychainpy-access-to-the-mac-osx-keychain/

Not only are PyPI passwords stored in the clear on users' hard drives,
they are sent in the clear on every authenticated request to the web
interface (basic auth over unencrypted HTTP): it seems to me we ought to
worry about both those issues more.

Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          [email protected]
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJaUAW+gerLs4ltQ4RAhFXAJ47WOzMAe12m+YD5BNu22BzTU+QRQCeLTbX
DSaVk1I96K5mzaZro98HUTU=
=8sRs
-----END PGP SIGNATURE-----
_______________________________________________
Distutils-SIG maillist  -  [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
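The 'command=' wrapper Tres describes, written out as an added example. This is not Zope's actual script (which is not on this page) and not part of the original message; the install path /usr/local/bin/restrict_shell, the /usr/bin locations of the three binaries, and the sample key line are assumptions. What is real sshd behaviour: with a `command="..."` option on an authorized_keys entry, sshd runs that program instead of whatever the client requested and places the client's request in `SSH_ORIGINAL_COMMAND`. The wrapper is the piece Martin worries about being "tricked", so it does as little as possible: refuse any byte outside a small character allowlist, then require the first word to be a bare name on a fixed list.

```shell
#!/bin/sh
# Added example of the authorized_keys "command=" pattern described in the
# message above. It is not Zope's actual wrapper; the install path and the
# binary locations below are assumptions. Install as (assumed path)
# /usr/local/bin/restrict_shell and reference it from every key:
#
#   command="/usr/local/bin/restrict_shell",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... alice
#
# sshd ignores what the client asked to run, executes this script instead,
# and exposes the client's request in $SSH_ORIGINAL_COMMAND.

# Map a bare program name to the binary we are willing to exec. Absolute
# paths, so nothing the client controls can influence which file runs.
allowed_program() {
    case "$1" in
        svn) echo /usr/bin/svn ;;   # assumed locations
        cvs) echo /usr/bin/cvs ;;
        scp) echo /usr/bin/scp ;;
        *)   return 1 ;;
    esac
}

# check_command CMDLINE: succeed only for a command line this wrapper will
# run. Pure string checks, so it can be exercised without an ssh session.
check_command() {
    cmd=$1
    [ -n "$cmd" ] || return 1              # empty request = wants a shell: refuse
    # Character allowlist. Anything outside it (; | & $ backticks quotes
    # redirections globs tabs newlines) is refused outright, so the unquoted
    # word split below cannot be abused for injection or glob expansion.
    case "$cmd" in
        *[!A-Za-z0-9_./@:=+,' '-]*) return 1 ;;
    esac
    set -- $cmd                            # split on whitespace only
    case "$1" in
        */*) return 1 ;;                   # bare names only: no ../ or /bin/sh
    esac
    allowed_program "$1" >/dev/null
}

run_forced_command() {
    cmd=${SSH_ORIGINAL_COMMAND-}
    if ! check_command "$cmd"; then
        echo "restricted: command not permitted" >&2
        exit 1
    fi
    set -- $cmd
    prog=$(allowed_program "$1")
    shift
    exec "$prog" "$@"
}

# Dispatch only when sshd actually handed us a request; run by hand without
# SSH_ORIGINAL_COMMAND the script just defines the functions above.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    run_forced_command
fi
```

The `no-pty,no-port-forwarding,...` options on the key line matter as much as the wrapper: without them a key holder whose command is refused can still request forwarding. The wrapper also only decides *which* program runs; the allowlisted programs still receive the client's arguments, so what a given key may read or write has to be enforced by those tools' own configuration (and for svn+ssh the program the client actually asks the server to run is `svnserve -t`, which is what such a list would need to name).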
