Issue #126 new

Antiquated security

created an issue

I suppose I'll be directed to the "new PyPI" project, but I would still like to mention that security is pretty bad right now. I have to have a file with my password in plain text in my home directory. If someone gets a hold of that they can impersonate me and upload infected versions of software. This hardly feels like using best practices when it comes to security. The "basic auth" also feels antiquated...

Comments (5)

  1. Donald Stufft

    Yup it's terrible. Unfortunately changing it would break compatibility so we can't just change it. I have a partially written PEP which will detail a deprecation process and a new way of doing all of that. This is something that I'm hoping to change with the new PyPI project (aka Warehouse). Sorry that the state of things is still pretty bad, we're slowly getting it to a better place.

  2. gvanrossum reporter

    Well, you could distribute a new client that stores the password in a keychain or something. Is there at least an option to make it ask for the password every time?

  3. Donald Stufft

    I don't believe there is an option to make it ask for the password every time, however you could use my twine client, it's got a few bugs (for some people you have to specify -r to upload) but version 1.2.3 should allow you to delete the password:<whatever> lines from your ~/.pypirc and upload like twine upload -p <password> dist/whatever-1.0.tar.gz. Unlike upload you pass it the files on the command line (it accepts more than one).
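
An added example, not code from this tracker or from twine, that audits a ~/.pypirc of the kind the thread describes: it flags repository sections still holding a plaintext password, checks whether the file mode lets other users read it, and produces the password-stripped form suggested in comment 3 so the credential is supplied at upload time instead. It assumes the INI layout that distutils reads from ~/.pypirc; the sample file contents are constructed.

```python
import configparser
import io
import stat

# Constructed sample of the ~/.pypirc layout discussed in the thread (not a real credential)
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi

[pypi]
username: example-user
password: hunter2-plaintext
"""


def _parse(pypirc_text):
    # interpolation=None so a '%' inside a stored password does not trip the parser
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(pypirc_text)
    return parser


def sections_with_password(pypirc_text):
    """Names of repository sections that still store a password on disk."""
    parser = _parse(pypirc_text)
    return [s for s in parser.sections()
            if parser.get(s, "password", fallback="").strip()]


def is_group_or_world_readable(mode):
    """True if the file mode lets users other than the owner read the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def strip_passwords(pypirc_text):
    """Return the config with every password entry removed; the credential is then
    passed per upload (the -p option mentioned above) or prompted for interactively."""
    parser = _parse(pypirc_text)
    for section in parser.sections():
        parser.remove_option(section, "password")
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def audit(pypirc_text, mode):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"section [{s}] stores a plaintext password"
                for s in sections_with_password(pypirc_text)]
    if is_group_or_world_readable(mode):
        findings.append("file is readable by other users (mode %o)" % (mode & 0o777))
    return findings
```

To run it against a real file, pass the file's text and `os.stat(path).st_mode` to `audit`; an empty list means no stored password and owner-only permissions.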
