On 13 Feb 2013, at 12:14, Richard Jones <[email protected]> wrote:
> 
> 2. fix the email password reset debacle (mostly written, not tested),

Is this committed anywhere I can take a look?

> 5. add automated email sent to package role holders (maintainers and
> owners) when their package is updated in any way.

In my doc (task #12) I propose using a separate per-package security email, and 
in fact I was also proposing to ask confirmation by email, rather than just 
notify it.

Basically, PyPI would warn the maintainer that the requested action is a 
security change for the package, and it needs to be confirmed through a link 
sent to the security email. A security email would be an email associated with 
each package, which must be different from the maintainer email (possibly even a 
different domain, in fact, though I'm not sure we want to enforce it rather 
than just suggest it). The email text must say "user X has requested change Y 
to package Z. If you are user X, click here to approve it". Only the maintainer 
that originated the change request can approve it through the link. The email 
can be an alias that forwards it to different maintainers, though.

Changing the security email would also require a security confirmation, of 
course.

As a transition, we can send such an email to the maintainer's email, with a 
footer/header that suggests registering a security email for the package.
-- 
Giovanni Bajo   ::  [email protected]
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it


_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
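The confirmation flow Giovanni proposes, as an added illustrative model (not PyPI's code and not from this thread): a confirmation token is single-use, time-limited and bound to the requesting user, package and change; the mail goes to the per-package security address, or to the maintainer during the transition. The confirmation URL, the in-memory stores, the change-string format and the sample addresses are assumptions.

```python
import secrets
import time


class SecurityConfirmation:
    """Confirm package security changes through a link mailed to a per-package
    security address (illustrative model of the proposal; not PyPI's code)."""

    def __init__(self, maintainer_emails, ttl=3600, now=time.time):
        self.maintainer_emails = maintainer_emails  # user -> email (constructed sample data)
        self.security_email = {}                    # package -> security address (may be an alias)
        self.pending = {}                           # token -> (user, package, change, issued_at)
        self.outbox = []                            # (recipient, body) stands in for real mail
        self.applied = []                           # (package, change) pairs that were approved
        self.ttl, self.now = ttl, now

    def request_change(self, user, package, change):
        token = secrets.token_urlsafe(32)           # unguessable, single use, bound to this request
        self.pending[token] = (user, package, change, self.now())
        body = (f"User {user} has requested change {change!r} to package {package}. "
                f"If you are user {user}, approve it here: "
                f"https://pypi.invalid/confirm/{token}")  # placeholder URL, an assumption
        to = self.security_email.get(package)
        if to is None:                              # transition: no security email registered yet
            to = self.maintainer_emails[user]
            body += "\n\nPlease register a security email for this package."
        self.outbox.append((to, body))
        return token

    def approve(self, token, acting_user):
        entry = self.pending.get(token)
        if entry is None:
            return False                            # unknown or already used
        user, package, change, issued = entry
        if acting_user != user or self.now() - issued > self.ttl:
            return False                            # only the originating maintainer, and in time
        if change.startswith("set-security-email:"):
            new = change.split(":", 1)[1]           # changing the security email itself is confirmed too
            if new.lower() in {e.lower() for e in self.maintainer_emails.values()}:
                return False                        # must differ from every maintainer address
            self.security_email[package] = new
        del self.pending[token]                     # consumed: a replayed link does nothing
        self.applied.append((package, change))
        return True
```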