classification
Title: "setup.py register sdist upload" requires pass to be saved
Type: behavior Stage: resolved
Components: Distutils, Distutils2 Versions: Python 3.1, Python 3.2, Python 3.3, Python 2.7, 3rd party
process
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: tarek Nosy List: eric.araujo, flox, loewis, steve.dower, tarek, techtonik
Priority: normal Keywords: patch

Created on 2010-09-30 09:27 by techtonik, last changed 2021-02-03 18:37 by steve.dower. This issue is now closed.

Files
File name | Uploaded | Description
issue9995.distutils-forces-developers-to-store-password-in-cleartext.diff | techtonik, 2010-11-03 19:38 |
Messages (13)
msg117713 - Author: anatoly techtonik (techtonik) Date: 2010-09-30 09:27
It's very annoying that distutils asks to save your pass when uploading to PyPI, but refuses to upload if you refuse. So you end up storing your password in cleartext.

Try the next command to see what I mean:

setup.py register sdist upload
msg120316 - Author: anatoly techtonik (techtonik) Date: 2010-11-03 11:44
> python setup.py build sdist register upload
...
Save your login (y/N)?n
running upload
Submitting dist\review-r585.zip to http://pypi.python.org/pypi
Upload failed (401): You must be identified to edit package information
msg120329 - Author: anatoly techtonik (techtonik) Date: 2010-11-03 16:59
Do you have a list of more important tasks than this one? I'd like to elaborate, because for me alone it could take a lot of time. What I need now is the SVN URL to check out the distutils code and some advice on where to start. No guarantees though - if the code is too complicated, I won't be able to dedicate much time to exploration.
msg120342 - Author: anatoly techtonik (techtonik) Date: 2010-11-03 19:38
Fix attached. Also on Rietveld - http://codereview.appspot.com/2874041

Could you also backport it to other Python distributions to avoid questions like these:

http://stackoverflow.com/questions/3773613/pypi-issues-upload-failed-401-you-must-be-identified-to-edit-package-informa
http://stackoverflow.com/questions/1750186/weird-pypi-authentication-behavior
msg120777 - Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2010-11-08 17:18
Thanks for the patch.  Review on Rietveld.

What are “other Python distributions”?
msg120790 - Author: anatoly techtonik (techtonik) Date: 2010-11-08 18:44
This fix is needed for 2.6 releases also to be able to upload packages from Linux.
msg120800 - Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2010-11-08 19:59
Security issues are for example buffer overflows that can be used to cause rights escalation or system corruption.  They’re typically discovered by third parties who publish notices like CVE or DSA.  What your patch is addressing is a behavior bug, not a security issue.
msg120875 - Author: anatoly techtonik (techtonik) Date: 2010-11-09 16:14
Eric, interested parties will not file CVE or DSA requests. They will just steal the pass of PyPI uploaders and use it to inject malicious code into popular packages.

If you need a CVE or DSA to evaluate if an issue imposes a security risk, then better leave this task to somebody else.
msg120876 - Author: Tarek Ziadé (tarek) * (Python committer) Date: 2010-11-09 16:19
Please stop changing this flag. If you want to have a more secure PyPI transaction, you should first send a feature request on Catalog-SIG so pypi.python.org forces https.
msg128247 - Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2011-02-09 22:49
Thanks for the editions.  Further comments on rietveld.

Miscellaneous things:

1) Storing passwords in a hashed form is false security.  An attacker that can read a config file with plain text passwords can also just run commands that use hashed passwords from the config file, so the security focus should be on forbidding access to your files, not worrying about passwords in plain text.

2) http://wiki.python.org/moin/Distutils/FixingBugs has the guidelines you’re asking for.

3) I do not need a CVE to evaluate if an issue is a security risk, because http://www.python.org/dev/workflow/ tells me that it’s when “somehow someone is able to gain escalated privileges when they shouldn't be able to.”

4) Could you remove report@bugs.python.org from the issue Cc?  It goes to the wrong bug report.


Comment from Tarek (which does not address my specific question about None vs. empty string):

Looks good to me:

the upload command will get the credentials from the session instead of using the existing config at all.

I remember that we changed the behavior so that you had to set ONLY the user in the rc file, but allowing the user to be passed is better since it makes the config file optional
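The register-then-upload flow Tarek's quoted comment describes, as an added example that is not the patch attached to this issue: the per-run session carries the credentials, the rc file is written only on an explicit 'y', and a later run with nothing saved fails the way msg120316 shows. The names (Session, register, upload_credentials, demo) and the credentials are constructed for the example.

```python
import configparser
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Session:
    # Credentials entered once per `setup.py register ... upload` run.
    username: str = ""
    password: str = ""


def register(session: Session, username: str, password: str, save: bool, rc_path: str) -> None:
    """Keep the credentials for this run; write the rc file only if the
    user answered 'y' to "Save your login", and create it as mode 0600."""
    session.username, session.password = username, password
    if save:
        cfg = configparser.ConfigParser()
        cfg["pypi"] = {"username": username, "password": password}
        fd = os.open(rc_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            cfg.write(fh)


def upload_credentials(session: Session, rc_path: str) -> tuple:
    """Prefer the session; fall back to the rc file; otherwise fail the
    way msg120316 shows (401: You must be identified ...)."""
    if session.username and session.password:
        return session.username, session.password
    cfg = configparser.ConfigParser()
    cfg.read(rc_path)  # a missing file is silently skipped
    user = cfg.get("pypi", "username", fallback=None)
    pw = cfg.get("pypi", "password", fallback=None)
    if user and pw:
        return user, pw
    raise PermissionError("401: You must be identified to edit package information")


def demo() -> dict:
    """Constructed scenario: answer 'n' to saving, then upload in the same run."""
    rc = os.path.join(tempfile.mkdtemp(), ".pypirc")
    s = Session()
    register(s, "alice", "hunter2", save=False, rc_path=rc)  # constructed creds
    same_run = upload_credentials(s, rc)
    try:
        upload_credentials(Session(), rc)  # a later run with nothing saved
        fresh_run = "uploaded"
    except PermissionError:
        fresh_run = "401"
    return {"same_run": same_run, "fresh_run": fresh_run, "saved": os.path.exists(rc)}
```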
msg128924 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2011-02-20 23:00
Instead of using http over TCP and basic auth to upload stuff to PyPI, you can also use SSH. In this case, no password is needed at all.
msg156697 - Author: Florent Xicluna (flox) * (Python committer) Date: 2012-03-24 15:52
If someone else is looking for the PyPI SSH support, it's there.
http://pypi.python.org/pypi/pypissh
(I did not find it mentioned in the tutorial)

Thanks Martin.
msg386446 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-02-03 18:37
Distutils is now deprecated (see PEP 632) and all tagged issues are being closed. From now until removal, only release blocking issues will be considered for distutils.

If this issue does not relate to distutils, please remove the component and reopen it. If you believe it still requires a fix, most likely the issue should be re-reported at https://github.com/pypa/setuptools
History
Date | User | Action | Args
2021-02-03 18:37:42 | steve.dower | set | status: open -> closed; nosy: + steve.dower; messages: + msg386446; resolution: out of date; stage: patch review -> resolved
2012-03-24 15:52:02 | flox | set | nosy: + flox; messages: + msg156697
2011-02-20 23:00:37 | loewis | set | nosy: + loewis; messages: + msg128924
2011-02-09 22:49:22 | eric.araujo | set | nosy: techtonik, tarek, eric.araujo; versions: + Python 3.3; messages: + msg128247; stage: patch review
2010-11-09 16:19:07 | tarek | set | messages: + msg120876
2010-11-09 16:17:56 | brian.curtin | set | type: security -> behavior
2010-11-09 16:14:47 | techtonik | set | type: behavior -> security; messages: + msg120875
2010-11-08 19:59:06 | eric.araujo | set | type: security -> behavior; messages: + msg120800
2010-11-08 18:44:07 | techtonik | set | messages: + msg120790
2010-11-08 17:18:40 | eric.araujo | set | nosy: techtonik, tarek, eric.araujo; messages: + msg120777; components: + Distutils2; versions: + 3rd party, Python 3.1, Python 3.2, - Python 2.6
2010-11-03 19:38:27 | techtonik | set | files: + issue9995.distutils-forces-developers-to-store-password-in-cleartext.diff; keywords: + patch; messages: + msg120342
2010-11-03 16:59:34 | techtonik | set | messages: + msg120329
2010-11-03 11:44:16 | techtonik | set | messages: + msg120316
2010-09-30 09:27:21 | techtonik | create |