

Issue #126 wontfix

Antiquated security

Guido van Rossum
created an issue

I suppose I'll be directed to the "new PyPI" project, but I would still like to mention that security is pretty bad right now. I have to have a file with my password in plain text in my home directory. If someone gets a hold of that they can impersonate me and upload infected versions of software. This hardly feels like using best practices when it comes to security. The "basic auth" also feels antiquated...

Comments (8)

  1. Donald Stufft

    Yup it's terrible. Unfortunately changing it would break compatibility so we can't just change it. I have a partially written PEP which will detail a deprecation process and a new way of doing all of that. This is something that I'm hoping to change with the new PyPI project (aka Warehouse). Sorry that the state of things is still pretty bad, we're slowly getting it to a better place.

  2. Donald Stufft

    I don't believe there is an option to make it ask for the password every time, however you could use my twine client https://pypi.python.org/pypi/twine/, it's got a few bugs (for some people you have to specify -r to upload) but version 1.2.3 should allow you to delete the password:<whatever> lines from your ~/.pypirc and upload like twine upload -p <password> dist/whatever-1.0.tar.gz. Unlike setup.py upload you pass it the files on the command line (it accepts more than one).
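    An added example, not code from this thread, twine or PyPI: a small POSIX sh audit that flags the two problems discussed above in a `.pypirc`-style file, a plaintext `password:` line and a file mode that lets other users read it, and produces a copy of the file with the password lines stripped so the credential can instead be supplied at upload time (`twine upload -p ...`). The sample `.pypirc` contents, the helper names and the file path are constructed for the demonstration; `stat -c` is the GNU form with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example (not part of the issue thread): audit a .pypirc-style file for
# plaintext password entries and loose permissions. Helper names are made up.

# Return 0 if the file contains a "password:" or "password=" entry.
# configparser accepts both ':' and '=' as key/value separators.
pypirc_has_plaintext_password() {
    grep -Eiq '^[[:space:]]*password[[:space:]]*[:=]' "$1"
}

# Print the file with every password entry removed; the remaining keys
# (repository, username) are all that is needed when the password is passed
# on the command line at upload time.
pypirc_strip_passwords() {
    grep -Eiv '^[[:space:]]*password[[:space:]]*[:=]' "$1"
}

# Return 0 if only the owner can read the file (mode 600 or 400).
pypirc_perms_ok() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$perms" = "600" ] || [ "$perms" = "400" ]
}

# Run both checks, print a remediation hint for each finding, return 1 if
# anything was flagged.
audit_pypirc() {
    f=$1
    status=0
    if pypirc_has_plaintext_password "$f"; then
        echo "WARN: $f stores a plaintext password; remove that line and pass the password at upload time (twine upload -p ...)"
        status=1
    fi
    if ! pypirc_perms_ok "$f"; then
        echo "WARN: $f is readable by other users; run: chmod 600 $f"
        status=1
    fi
    return $status
}

# Constructed sample .pypirc (placeholder values, not a real credential).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[distutils]
index-servers = pypi

[pypi]
repository: https://pypi.python.org/pypi
username: example-user
password: not-a-real-password
EOF
chmod 644 "$sample"

audit_pypirc "$sample" || echo "audit flagged $sample"
echo "--- $sample without password entries ---"
pypirc_strip_passwords "$sample"
rm -f "$sample"
```

    Stripping the line from the file only removes the at-rest copy; `twine upload -p` still exposes the password in the process list and shell history on the machine the upload runs from, so the check above treats the on-disk copy and its permissions as the minimum to fix, not a complete solution.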
