On 19 February 2013 06:42, Antoine Pitrou <[email protected]> wrote:
> Donald Stufft <donald.stufft <at> gmail.com> writes:
>>
>> The reason I believe we should reset is because there is a high likelihood
>> that people used the same login/password on PyPI as they did on
>> wiki.python.org and thus even if we migrate to a stronger hash many
>> accounts may be already compromised, or will be in the future.
>
> For the record, the password reset is a UI trainwreck when using distutils
> (2.7 version):
>
> $ python setup.py register
> running register
> running check
> Registering pathlib to http://pypi.python.org/pypi
> Server response (401): basic auth failed

Thanks for trying this out, and as you say, the UI isn't ideal. The above
message is generated by urllib2 - the message we try to pass back to the
client is chewed up by the Basic Auth handler. Even if we did pass back a
message specific to the client saying "please go to the website to reset
your password" it wouldn't be displayed. Having distutils handle all that
and display a message like that would be nice, but given it's tied to
Python releases we're not going to fix it any time soon.

Resetting the password through the command-line is not possible without
moving the .pypirc file out of the way completely. This is not ideal, as
you noted.

> By the way, https://pypi.python.org/pypi still tells me "Please reset your
> password before 2013-02-22" even though I've already changed my password.

Indeed. I figure it's only going to be up temporarily and people who have
reset their passwords wouldn't mind seeing that message for the few days
before the forced reset. After the reset I'll be modifying the note to
explain why passwords aren't working any more.

    Richard
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
