[issue9995] "setup.py register sdist upload" requires pass to be saved

2021-02-03 Thread Steve Dower


Steve Dower  added the comment:

Distutils is now deprecated (see PEP 632) and all tagged issues are being 
closed. From now until removal, only release blocking issues will be considered 
for distutils.

If this issue does not relate to distutils, please remove the component and 
reopen it. If you believe it still requires a fix, most likely the issue should 
be re-reported at https://github.com/pypa/setuptools

--
nosy: +steve.dower
resolution:  -> out of date
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue9995] setup.py register sdist upload requires pass to be saved

2012-03-24 Thread Florent Xicluna

Florent Xicluna florent.xicl...@gmail.com added the comment:

If someone else is looking for the PyPI SSH support, it's there.
http://pypi.python.org/pypi/pypissh
(I did not find it mentioned in the tutorial)

Thanks Martin.

--
nosy: +flox

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue9995
___



[issue9995] setup.py register sdist upload requires pass to be saved

2011-02-20 Thread Martin v . Löwis

Martin v. Löwis mar...@v.loewis.de added the comment:

Instead of using http over TCP and basic auth to upload stuff to PyPI, you can 
also use SSH. In this case, no password is needed at all.

--
nosy: +loewis




[issue9995] setup.py register sdist upload requires pass to be saved

2011-02-09 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Thanks for the editions.  Further comments on rietveld.

Miscellaneous things:

1) Storing passwords in a hashed form is false security.  An attacker that can 
read a config file with plain text passwords can also just run commands that 
use hashed passwords from the config file, so the security focus should be in 
forbidding access to your files, not worrying about passwords in plain text.

2) http://wiki.python.org/moin/Distutils/FixingBugs has the guidelines you’re 
asking for.

3) I do not need a CVE to evaluate if an issue is a security risk, because 
http://www.python.org/dev/workflow/ tells me that it’s when “somehow someone is 
able to gain escalated privileges when they shouldn't be able to.”

4) Could you remove rep...@bugs.python.org from the issue Cc?  It goes to the 
wrong bug report.


Comment from Tarek (which does not address my specific question about None vs. 
empty string):

Looks good to me:

the upload command will get the credentials from the session instead of using 
the existing config at all.

I remember that we changed the behavior so that you'd have to set ONLY the user in 
the rc file, but allowing to pass the user is better since it makes the config 
file optional

--
stage:  -> patch review
versions: +Python 3.3
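
Point 1 in the comment above puts the protection in restricting access to the config file rather than in hashing what it stores. As an added example (not part of the thread or of distutils), this audit flags a .pypirc-style file that accounts other than the owner can reach and lists the sections that still store a password; the file layout, finding names and sample values are assumptions made for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the usual .pypirc layout; the values are placeholders.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = example-user
password = constructed-not-a-real-secret

[testpypi]
username = example-user
"""

def audit_pypirc(path):
    """Return (kind, detail) findings for one .pypirc-style file (POSIX modes)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other bit means accounts other than the owner may reach the file.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("permissions", f"{mode:04o}"))
    # RawConfigParser: no % interpolation, so a password containing % still parses.
    parser = configparser.RawConfigParser()
    parser.read(path)
    for section in parser.sections():
        if parser.get(section, "password", fallback="").strip():
            # Report the section only; never echo the secret itself.
            findings.append(("stored-password", section))
    return findings

if __name__ == "__main__":
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as handle:
        handle.write(SAMPLE_PYPIRC)
    os.chmod(path, 0o644)      # typical result of a default umask
    print(audit_pypirc(path))  # permissions finding plus the [pypi] section
    os.chmod(path, 0o600)      # owner-only access
    print(audit_pypirc(path))  # the stored password is still reported
    os.remove(path)
```

Tightening the mode clears the permissions finding but not the stored-password one, which only goes away when the password is supplied per session instead of being saved.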




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-09 Thread anatoly techtonik

anatoly techtonik techto...@gmail.com added the comment:

Eric, interested parties will not fill CVE or DSA requests. They will just 
steal the pass of PyPI uploaders and use it to inject malicious code into 
popular packages.

If you need a CVE or DSA to evaluate if an issue imposes a security risk, then 
better leave this task to somebody else.

--
type: behavior -> security




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-09 Thread Tarek Ziadé

Tarek Ziadé ziade.ta...@gmail.com added the comment:

Please stop changing this flag. If you want to have a more secure PyPI 
transaction, you should first send a feature request on Catalog-SIG so 
pypi.python.org forces https.

--




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-09 Thread Brian Curtin

Changes by Brian Curtin cur...@acm.org:


--
type: security -> behavior




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-08 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Thanks for the patch.  Review on Rietveld.

What are “other Python distributions”?

--
components: +Distutils2
versions: +3rd party, Python 3.1, Python 3.2 -Python 2.6




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-08 Thread anatoly techtonik

anatoly techtonik techto...@gmail.com added the comment:

This fix is needed for 2.6 releases also to be able to upload packages from 
Linux.

--




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-08 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Security issues are for example buffer overflows that can be used to cause 
rights escalation or system corruption.  They’re typically discovered by third 
parties who publish notices like CVE or DSA.  What your patch is addressing is 
a behavior bug, not a security issue.

--
type: security -> behavior




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-03 Thread anatoly techtonik

anatoly techtonik techto...@gmail.com added the comment:

 python setup.py build sdist register upload
...
Save your login (y/N)?n
running upload
Submitting dist\review-r585.zip to http://pypi.python.org/pypi
Upload failed (401): You must be identified to edit package information

--




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-03 Thread anatoly techtonik

anatoly techtonik techto...@gmail.com added the comment:

Do you have a list of more important tasks than this one? I'd like to 
elaborate, because for me alone it could take a lot of time. What I need now is 
SVN URL to checkout distutils code and some advice where to start. No 
guarantees though - if the code is too complicated, I won't be able to dedicate 
much time for exploration.

--




[issue9995] setup.py register sdist upload requires pass to be saved

2010-11-03 Thread anatoly techtonik

anatoly techtonik techto...@gmail.com added the comment:

Fix attached. Also on Rietveld - http://codereview.appspot.com/2874041

Could you also backport it to other Python distributions to avoid questions 
like these:

http://stackoverflow.com/questions/3773613/pypi-issues-upload-failed-401-you-must-be-identified-to-edit-package-informa
http://stackoverflow.com/questions/1750186/weird-pypi-authentication-behavior

--
keywords: +patch
Added file: 
http://bugs.python.org/file19479/issue9995.distutils-forces-developers-to-store-password-in-cleartext.diff




[issue9995] setup.py register sdist upload requires pass to be saved

2010-09-30 Thread anatoly techtonik

New submission from anatoly techtonik techto...@gmail.com:

That's very annoying that distutils asks to save your pass when uploading to 
PyPI, but refuses to upload if you refuse. So you end up with storing your 
password in cleartext.

Try the next command to see what I mean:

setup.py register sdist upload

--
assignee: tarek
components: Distutils
messages: 117713
nosy: eric.araujo, tarek, techtonik
priority: normal
severity: normal
status: open
title: setup.py register sdist upload requires pass to be saved
type: security
versions: Python 2.6, Python 2.7
