On 12 Feb 2013, at 08:57, Nick Coghlan ncogh...@gmail.com wrote:
On Tue, Feb 12, 2013 at 10:39 AM, Donald von Stufft
donald.stu...@gmail.com wrote:
The folks on the ruby side of things who are dealing with a lot of
the same problems as Python/PyPI have put together a
Since the wiki.python.org database was likely compromised and it was using a
weak
hash we should probably assume that all passwords in there have been leaked.
Because
of this I want to formally propose that PyPI reset its passwords.
I've recently created a PR (based on some of Giovanni
On 12 Feb 2013, at 12:31, Donald Stufft donald.stu...@gmail.com wrote:
Since the wiki.python.org database was likely compromised and it was using a
weak
hash we should probably assume that all passwords in there have been leaked.
Because
of this I want to formally
[posted on behalf of Donald Stufft]
The folks on the ruby side of things who are dealing with a lot of
the same problems as Python/PyPI have put together a document
containing a threat model and requirements of the system. While the
terminology is obviously ruby specific the concepts all apply
On 2013-02-12 07:11:42 +, Christian Theune said:
I'm resyncing this now completely, yet again, trying to avoid
pause/resume cycles.
Alright. I got it synced in a few hours after running it explicitly in
foreground.
I think I'll try to set something up with a higher timeout, higher
On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo ra...@develer.com wrote:
Hello Nick,
I've added the initial Requirements and Threat Model section to my document.
I've also added a section Future scenarios at the end of the document.
I hope they complete what you were feeling was missing
Yes, that is what I meant. Sorry for any confusion about this.
Thanks,
Justin
On Tue, Feb 12, 2013 at 3:40 AM, Giovanni Bajo ra...@develer.com wrote:
On 11 Feb 2013, at 20:33, Justin Cappos jcap...@poly.edu wrote:
Once again, apologies for being mostly out of this
On 12 Feb 2013, at 14:12, Nick Coghlan ncogh...@gmail.com wrote:
On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo ra...@develer.com wrote:
Hello Nick,
I've added the initial Requirements and Threat Model section to my document.
I've also added a section Future scenarios
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/02/13 14:38, Donald Stufft wrote:
What were they hashed with? Even with a salt a fast hash is trivial
to bruteforce for a large number of passwords in practically no
time with trivial hardware.
Not if your salt has 256 bits of entropy.
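An added example to put numbers on the exchange above (this is not code from the thread or from PyPI): the same wordlist attack is run against a salted fast hash and against PBKDF2 with a high iteration count, counting hash invocations. The salt is stored beside the hash, so an attacker holding the database has it; a per-user salt stops precomputed tables and amortising one pass over the whole dump, while the cost of each guess is set by the work factor. The wordlist is constructed for the demonstration.

```python
"""Added example (not from the thread): wordlist attack cost against a
salted fast hash versus a slow KDF, measured in hash invocations."""
import hashlib
import os

# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey", "dragon"]


def unsalted_hash(password: str) -> bytes:
    """Unsalted SHA-1: one precomputed table serves every user in a dump."""
    return hashlib.sha1(password.encode()).digest()


def fast_hash(salt: bytes, password: str) -> bytes:
    """Salted SHA-1: one hash invocation per guess."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(salt: bytes, password: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1: `iterations` HMAC invocations per guess."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def attack_unsalted(stored_hashes):
    """Hash the wordlist once, then one dictionary lookup per user."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    return [table.get(h) for h in stored_hashes]


def attack_salted(stored: bytes, salt: bytes, hasher, cost_per_guess: int):
    """Try the wordlist in order against a single record.

    Returns (recovered password or None, hash invocations spent).
    The salt is an input: the attacker knows it, so it does not shrink
    the search, it only forces a fresh pass for every user."""
    work = 0
    for candidate in WORDLIST:
        work += cost_per_guess
        if hasher(salt, candidate) == stored:
            return candidate, work
    return None, work


def compare(password: str, iterations: int = 100_000, salt_bits: int = 256):
    """Same wordlist and the same 256-bit salt; only the work factor differs."""
    salt = os.urandom(salt_bits // 8)
    fast_result = attack_salted(fast_hash(salt, password), salt, fast_hash, 1)
    slow_result = attack_salted(
        slow_hash(salt, password, iterations), salt,
        lambda s, p: slow_hash(s, p, iterations), iterations)
    return {"fast": fast_result, "slow": slow_result,
            "slowdown": slow_result[1] // fast_result[1]}


if __name__ == "__main__":
    print(compare("letmein"))
    # {'fast': ('letmein', 3), 'slow': ('letmein', 300000), 'slowdown': 100000}
```

Both attacks recover the password on the third guess regardless of how much entropy the salt carries; the slow scheme simply makes each of those guesses 100,000 times more expensive, which is the lever a site can pull without involving the user.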
On Tuesday, February 12, 2013 at 11:41 AM, Jesus Cea wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/02/13 14:38, Donald Stufft wrote:
What were they hashed with? Even with a salt a fast hash is trivial
to bruteforce for a large number of passwords in practically no
time
On 12 Feb 2013, at 17:41, Jesus Cea j...@jcea.es wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/02/13 14:38, Donald Stufft wrote:
What were they hashed with? Even with a salt a fast hash is trivial
to bruteforce for a large number of passwords in practically
Donald Stufft donald.stufft at gmail.com writes:
However I think a better approach would be to not automatically upgrade and
instead
have the upgrade occur when a user changes their password. Then we should set
a date (A month from now? 2?) where any user who has not reset/changed their
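The upgrade-on-password-change approach described in the quoted message, as an added example that is not PyPI's code or anything from the thread: a legacy salted-SHA-1 record is verified as before, re-hashed with PBKDF2 at the one moment the server has the verified plaintext, and any account still on the legacy scheme after a cut-off date is refused until it goes through a reset. The record layout, the scheme names, the iteration count and the deadline are all assumptions for the illustration.

```python
"""Added example (not PyPI's code): lazy password-hash migration with a
reset deadline for accounts that never re-authenticate in time."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

LEGACY = "sha1"            # assumed label for the weak scheme in the old database
CURRENT = "pbkdf2_sha256"  # assumed label for the replacement scheme
ITERATIONS = 200_000       # assumed work factor
DEADLINE = datetime(2013, 3, 15, tzinfo=timezone.utc)  # assumed cut-off date


def legacy_record(password: str) -> dict:
    """Constructed stand-in for a row from the old database."""
    salt = os.urandom(8)
    return {"scheme": LEGACY, "salt": salt,
            "hash": hashlib.sha1(salt + password.encode()).digest()}


def current_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": CURRENT, "salt": salt, "iterations": ITERATIONS,
            "hash": digest}


def _matches(rec: dict, password: str) -> bool:
    if rec["scheme"] == LEGACY:
        candidate = hashlib.sha1(rec["salt"] + password.encode()).digest()
    elif rec["scheme"] == CURRENT:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        rec["salt"], rec["iterations"])
    else:
        return False
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(candidate, rec["hash"])


def login(db: dict, user: str, password: str,
          now: datetime, deadline: datetime) -> str:
    """Return a status string; upgrades the stored record as a side effect."""
    rec = db.get(user)
    if rec is None:
        return "unknown-user"
    if rec["scheme"] == LEGACY and now >= deadline:
        # Past the deadline a legacy hash is treated as leaked: nothing is
        # accepted against it and the account has to be reset.
        return "reset-required"
    if not _matches(rec, password):
        return "bad-password"
    if rec["scheme"] == LEGACY:
        # The plaintext was just verified, so the server can re-hash it
        # under the new scheme without asking the user for anything.
        db[user] = current_record(password)
        return "ok-upgraded"
    return "ok"


def pending_resets(db: dict, now: datetime, deadline: datetime) -> list:
    """Accounts still holding a legacy hash once the deadline has passed."""
    if now < deadline:
        return []
    return sorted(u for u, r in db.items() if r["scheme"] == LEGACY)


def demo() -> list:
    """Walk one account through verify, upgrade and the post-deadline lockout."""
    db = {"alice": legacy_record("correct horse"),
          "bob": current_record("hunter2")}
    before = DEADLINE - timedelta(days=1)
    out = [login(db, "alice", "wrong", before, DEADLINE),
           login(db, "alice", "correct horse", before, DEADLINE),
           login(db, "alice", "correct horse", before, DEADLINE),
           login(db, "bob", "hunter2", DEADLINE, DEADLINE)]
    late = {"carol": legacy_record("x")}
    out.append(login(late, "carol", "x", DEADLINE, DEADLINE))
    out.append(pending_resets(late, DEADLINE, DEADLINE))
    return out


if __name__ == "__main__":
    print(demo())
```

A failed login never upgrades anything, a successful one against a legacy record rewrites the row once, and after the deadline a legacy row is rejected even with the right password, which is what turns "please change your password" into a forced reset for the stragglers.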
On Tue, Feb 12, 2013 at 12:31 PM, Donald Stufft donald.stu...@gmail.com wrote:
Since the wiki.python.org database was likely compromised and it was using a
weak
hash we should probably assume that all passwords in there have been leaked.
Because
of this I want to formally propose that PyPI
On Tuesday, February 12, 2013 at 12:15 PM, Antoine Pitrou wrote:
Donald Stufft donald.stufft at gmail.com writes:
However I think a better approach would be to not automatically upgrade and
instead
have the upgrade occur when a user changes their password. Then we
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo ra...@develer.com wrote:
On 12 Feb 2013, at 14:12, Nick Coghlan ncogh...@gmail.com wrote:
On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo ra...@develer.com
wrote:
Hello Nick,
I've added the initial Requirements and
On Tue, Feb 12, 2013 at 6:31 AM, Donald Stufft donald.stu...@gmail.com wrote:
Since the wiki.python.org database was likely compromised and it was using a
weak
hash we should probably assume that all passwords in there have been leaked.
Because
of this I want to formally propose that PyPI
On 12 Feb 2013, at 18:44, Daniel Holth dho...@gmail.com wrote:
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo ra...@develer.com wrote:
On 12 Feb 2013, at 14:12, Nick Coghlan ncogh...@gmail.com wrote:
On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo
On Tuesday, February 12, 2013 at 12:44 PM, Daniel Holth wrote:
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo ra...@develer.com wrote:
On 12 Feb 2013, at 14:12, Nick Coghlan ncogh...@gmail.com wrote:
On Tue,
On Sat, Feb 9, 2013 at 6:43 PM, M.-A. Lemburg m...@egenix.com wrote:
* distutils config files:
http://docs.python.org/2/install/index.html#inst-config-files
* setuptools:
http://peak.telecommunity.com/DevCenter/EasyInstall#configuration-files
On Tue, Feb 12, 2013 at 1:39 PM, Jesse Noller jnol...@gmail.com wrote:
On Tuesday, February 12, 2013 at 1:36 PM, Donald Stufft wrote:
On Tuesday, February 12, 2013 at 1:22 PM, Jesse Noller wrote:
On Tuesday, February 12, 2013 at 12:44 PM, Daniel Holth wrote:
On Tue, Feb 12,
On Mon, Feb 11, 2013 at 2:55 AM, Marcus Smith qwc...@gmail.com wrote:
As for then making Distribute the default in virtualenv's (or the only
option), there is a virtualenv issue for that.
https://github.com/pypa/virtualenv/issues/217
apparently there's an issue with UAC elevation on windows.
On Tuesday, February 12, 2013 at 1:50 PM, Daniel Holth wrote:
On Tue, Feb 12, 2013 at 1:39 PM, Jesse Noller jnol...@gmail.com wrote:
On Tuesday, February 12, 2013 at 1:36 PM, Donald Stufft wrote:
On Tuesday, February 12, 2013 at 1:22 PM, Jesse Noller
On 12 Feb 2013, at 19:36, PJ Eby p...@telecommunity.com wrote:
On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo ra...@develer.com wrote:
The problem with this approach is that the Python standard library does not
validate SSL certificates. So even if you force a urllib-based tool
On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote:
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo ra...@develer.com wrote:
Your Task #6/#7 (related to PyPI generating the trust file, and pip
verifying it) are the ones where I think the input of the TUF team
will be most
On 02/12/2013 02:07 PM, Donald Stufft wrote:
Additionally their mailing list for discussing this
is rubygems-develop...@rubyforge.org for anyone who wants to get
some cross-language collab going on :)
Here is another way to subscribe to that mailing list:
On Tue, Feb 12, 2013 at 2:20 PM, holger krekel hol...@merlinux.eu wrote:
On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote:
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo ra...@develer.com
wrote:
Your Task #6/#7 (related to PyPI generating the trust file, and pip
verifying
On Feb 12, 2013, at 2:20 PM, holger krekel wrote:
On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote:
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo ra...@develer.com wrote:
Your Task #6/#7 (related to PyPI generating the trust file, and pip
verifying it) are the ones where I think
On Tuesday, February 12, 2013 at 3:34 PM, Konstantin Andrianov wrote:
On Feb 12, 2013, at 2:20 PM, holger krekel wrote:
On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote:
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo ra...@develer.com wrote:
If this is going to be system-wide we should check against and/or reset roundup
and any local passwords and dinsdale and albatross.
Jacob Kaplan-Moss ja...@jacobian.org wrote:
On Tue, Feb 12, 2013 at 6:31 AM, Donald Stufft
donald.stu...@gmail.com wrote:
Since the wiki.python.org database was
This is an option:
https://gist.github.com/zed/1347055
btw, this is similar to what pip is doing in its pull
https://github.com/pypa/pip/pull/791
although, the example given at the top of the gist just *adds* this handler
using urllib2.build_opener.
the pip pull is going a little further
On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo ra...@develer.com wrote:
On 12 Feb 2013, at 19:36, PJ Eby p...@telecommunity.com wrote:
On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo ra...@develer.com wrote:
The problem with this approach is that the Python standard library does
The best thing you can do for the short term is ensure that you use https by
default and do full cert validation
On Feb 12, 2013, at 6:43 PM, PJ Eby p...@telecommunity.com wrote:
On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo ra...@develer.com wrote:
On 12 Feb 2013, at 19:36, PJ
On 13 Feb 2013, at 00:43, PJ Eby p...@telecommunity.com wrote:
On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo ra...@develer.com wrote:
On 12 Feb 2013, at 19:36, PJ Eby p...@telecommunity.com wrote:
On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo
On 12 Feb 2013, at 21:07, Daniel Holth dho...@gmail.com wrote:
On Tue, Feb 12, 2013 at 2:20 PM, holger krekel hol...@merlinux.eu wrote:
On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote:
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo ra...@develer.com wrote:
On Wed, Feb 13, 2013 at 2:27 AM, Giovanni Bajo ra...@develer.com wrote:
On 12 Feb 2013, at 14:12, Nick Coghlan ncogh...@gmail.com wrote:
On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo ra...@develer.com wrote:
Hello Nick,
I've added the initial Requirements and Threat