On Sun, Jan 11, 2009 at 4:35 AM, "Martin v. Löwis" <[email protected]> wrote:
>> Not only are PyPI passwords stored in the clear on users' hard drives,
>> they are sent in the clear on every authenticated request to the web
>> interface (basic auth over unencrypted HTTP): it seems to me we ought
>> to worry about both those issues more.
>
> Perhaps. Contributions are welcome.
Can we finish the PyPI mirroring contribution before we start this one? (since you are our entry point on these topics, Martin)

I have finished my tests on my side, and I have a branch ready here: https://svn.python.org/packages/branches/tarek-pypi/pypi/

I would like to run more tests with a realistic flow of data, and I am waiting for some feedback/help on this work. Here's how we could proceed:

Phase 1: proving non-regression

1 - I need access to the PyPI log files produced by Apache (a simple browsable view of the log directory should be enough and not risky).
2 - On my side I can grab those files daily and put them on my PyPI server instance, and run the process as if I were on the real server.
3 - I will make this version reachable on my server, so we can check that there's no regression: the counts of the packages that existed before the dump I had should be equal and grow the same way on both sides.

Phase 2: testing the mirroring

4 - I will maintain a fake "mirror" that will be registered and will provide realistic stats (a copy of the PyPI Apache log, where I will keep just one hit per package file).
5 - We will validate that the global-stats and local-stats files generated are right, and that the counts are the sum of PyPI and the mirror (pypi+1).

If we can do that before PyCon, maybe the PyCon sprints could be the place where we launch the mirroring, and start the SSH project if Jean-Paul and others are willing to jump in?

Regards
Tarek

--
Tarek Ziadé | Association AfPy | www.afpy.org
Blog FR | http://programmation-python.org
Blog EN | http://tarekziade.wordpress.com/
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
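The test plan above (steps 4 and 5) amounts to: count successful package-file downloads in an Apache access log, derive a "mirror" log that keeps one hit per package file, and check that the global stats equal PyPI's local stats plus the mirror's. The following is an added example of that check, not code from Tarek's branch or from PyPI itself. It assumes the Apache combined log format, a hypothetical /packages/<pyversion>/<initial>/<project>/<filename> URL layout for package files, and counts only GET requests answered with 200; the log lines are constructed for the example.

```python
"""Download stats from Apache logs: PyPI local stats, a one-hit-per-file
mirror log, and the global = pypi + mirror check (added example; log layout
and path scheme are assumptions, not PyPI's own code)."""
import re
from collections import Counter

# Apache combined log format (assumption: PyPI's access log uses it).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Hypothetical package-file path layout: /packages/<pyver>/<initial>/<project>/<file>
PKG_RE = re.compile(r'^/packages/[^/]+/[^/]+/(?P<project>[^/]+)/(?P<filename>[^/?]+)$')

# Constructed sample log: two real downloads of foo, one of bar, one 404,
# one non-package page hit and one HEAD that must not be counted.
SAMPLE_LOG = """\
192.0.2.1 - - [11/Jan/2009:04:35:00 +0000] "GET /packages/source/f/foo/foo-1.0.tar.gz HTTP/1.1" 200 1234 "-" "setuptools/0.6c9"
192.0.2.2 - - [11/Jan/2009:04:36:00 +0000] "GET /packages/source/f/foo/foo-1.0.tar.gz HTTP/1.1" 200 1234 "-" "pip/0.3"
192.0.2.3 - - [11/Jan/2009:04:37:00 +0000] "GET /packages/source/b/bar/bar-2.1.zip HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
192.0.2.4 - - [11/Jan/2009:04:38:00 +0000] "GET /packages/source/b/bar/bar-9.9.zip HTTP/1.1" 404 210 "-" "pip/0.3"
192.0.2.5 - - [11/Jan/2009:04:39:00 +0000] "GET /pypi/foo/1.0 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.6 - - [11/Jan/2009:04:40:00 +0000] "HEAD /packages/source/f/foo/foo-1.0.tar.gz HTTP/1.1" 200 0 "-" "curl/7.18"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a malformed line (skip, don't crash)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def package_file(path):
    """Map a request path to (project, filename), or None if it is not a package file."""
    m = PKG_RE.match(path.split('?', 1)[0])  # drop any query string first
    return (m.group('project'), m.group('filename')) if m else None


def _successful_downloads(lines):
    """Yield (line, (project, filename)) for every completed GET of a package file."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'GET' or rec['status'] != '200':
            continue
        key = package_file(rec['path'])
        if key is not None:
            yield line, key


def file_hits(lines):
    """Local stats: downloads per (project, filename)."""
    return Counter(key for _line, key in _successful_downloads(lines))


def one_hit_per_file(lines):
    """Step 4: build the fake mirror log by keeping the first hit per package file."""
    seen, kept = set(), []
    for line, key in _successful_downloads(lines):
        if key not in seen:
            seen.add(key)
            kept.append(line)
    return kept


def merge_stats(*stats):
    """Global stats are the sum of the local stats of PyPI and every mirror."""
    total = Counter()
    for s in stats:
        total.update(s)
    return total


def project_totals(stats):
    """Roll per-file counts up to per-project counts."""
    per_project = Counter()
    for (project, _filename), n in stats.items():
        per_project[project] += n
    return per_project


def check_global(local, mirror, global_stats):
    """Step 5 validation: every global count must be exactly pypi + mirror."""
    return merge_stats(local, mirror) == global_stats


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    pypi = file_hits(lines)
    mirror = file_hits(one_hit_per_file(lines))
    global_stats = merge_stats(pypi, mirror)
    for key, n in sorted(global_stats.items()):
        print(key, 'pypi=%d mirror=%d global=%d' % (pypi[key], mirror[key], n))
    print('consistent:', check_global(pypi, mirror, global_stats))
```

On the sample log the 404, the /pypi/ page hit and the HEAD are all discarded, PyPI's local stats are foo-1.0.tar.gz=2 and bar-2.1.zip=1, the derived mirror log contributes one hit per file, and the global stats come out as 3 and 2. Running the same three functions over a real Apache dump on one side and on the test server gives the "equal and growing the same way" comparison of step 3.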
