On 4 September 2013 23:39, Antoine Pitrou <anto...@python.org> wrote:
> PyPI is not a project like Fedora is. It is a community service for
> thousands of different people, with wildly different processes and
> constraints. You can't just order anyone "use your passwords like
> Nick and Donald do".
Sure - dealing with security issues for PyPI is always a complex balancing act between security, backwards compatibility and avoiding raising barriers to entry.

With the error message fixed, the current password rules are pretty simple, and easy to satisfy by typing a few more letters, pressing shift once or hitting a number key. Ramping things up to the level Fedora do is unlikely to happen any time soon, if it ever happens at all (especially since the shift to properly salted hashes likely added more security than tougher password rules ever will).

On the other hand, pre-emptively filtering out passwords that are known to be picked up by the initial "quick-and-dirty" heuristics used by common password crackers (before they settle in to the more time consuming brute force searches) is a well established "defence in depth" strategy for password security, since it doesn't cost defenders much time to prevent them, and it doesn't save attackers much time to skip them.

However, PyPI users need to recognise that it isn't the integrity of *their* accounts that we're primarily worried about when attempting to minimise login vulnerabilities. Our primary concern (after the integrity of PyPI itself), is the integrity of end users' machines. So when we place restrictions on uploaders, it's guided by a desire to be worthy of the exceptional levels of trust placed in the service by anyone that types "pip install <distribution>" or "easy_install <distribution>" or just downloads a file directly from the site.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig