Steve Dower added the comment:
Distutils is now deprecated (see PEP 632) and all tagged issues are being
closed. From now until removal, only release blocking issues will be considered
for distutils.
If this issue does not relate to distutils, please remove the component and
reopen it. If
Florent Xicluna florent.xicl...@gmail.com added the comment:
If someone else is looking for the PyPI SSH support, it's there.
http://pypi.python.org/pypi/pypissh
(I did not find it mentioned in the tutorial)
Thanks Martin.
--
nosy: +flox
Martin v. Löwis mar...@v.loewis.de added the comment:
Instead of using http over TCP and basic auth to upload stuff to PyPI, you can
also use SSH. In this case, no password is needed at all.
--
nosy: +loewis
Éric Araujo mer...@netwok.org added the comment:
Thanks for the editions. Further comments on rietveld.
Miscellaneous things:
1) Storing passwords in a hashed form is false security. An attacker that can
read a config file with plain text passwords can also just run commands that
use
anatoly techtonik techto...@gmail.com added the comment:
Eric, interested parties will not fill CVE or DSA requests. They will just
steal the pass of PyPI uploaders and use it to inject malicious code into
popular packages.
If you need a CVE or DSA to evaluate if an issue imposes a security
Tarek Ziadé ziade.ta...@gmail.com added the comment:
Please stop changing this flag. If you want to have a more secure PyPI
transaction, you should first send a feature request on Catalog-SIG so
pypi.python.org forces https.
Changes by Brian Curtin cur...@acm.org:
--
type: security -> behavior
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue9995
Éric Araujo mer...@netwok.org added the comment:
Thanks for the patch. Review on Rietveld.
What are “other Python distributions”?
--
components: +Distutils2
versions: +3rd party, Python 3.1, Python 3.2 -Python 2.6
anatoly techtonik techto...@gmail.com added the comment:
This fix is needed for 2.6 releases also to be able to upload packages from
Linux.
Éric Araujo mer...@netwok.org added the comment:
Security issues are for example buffer overflows that can be used to cause
rights escalation or system corruption. They’re typically discovered by third
parties who publish notices like CVE or DSA. What your patch is addressing is
a behavior
anatoly techtonik techto...@gmail.com added the comment:
python setup.py build sdist register upload
...
Save your login (y/N)?n
running upload
Submitting dist\review-r585.zip to http://pypi.python.org/pypi
Upload failed (401): You must be identified to edit package information
anatoly techtonik techto...@gmail.com added the comment:
Do you have a list of more important tasks than this one? I'd like to
elaborate, because for me alone it could take a lot of time. What I need now is
SVN URL to checkout distutils code and some advice where to start. No
guarantees
anatoly techtonik techto...@gmail.com added the comment:
Fix attached. Also on Rietveld - http://codereview.appspot.com/2874041
Could you also backport it to other Python distributions to avoid questions
like these:
New submission from anatoly techtonik techto...@gmail.com:
It's very annoying that distutils asks to save your pass when uploading to
PyPI, but refuses to upload if you refuse. So you end up with storing your
password in cleartext.
Try the next command to see what I mean:
setup.py register