Message 128247 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	eric.araujo
Recipients	eric.araujo, tarek, techtonik
Date	2011-02-09.22:49:21
SpamBayes Score	1.8896256e-09
Marked as misclassified	No
Message-id	<1297291762.74.0.925219638991.issue9995@psf.upfronthosting.co.za>
In-reply-to

Content
Thanks for the editions. Further comments on rietveld. Miscellaneous things: 1) Storing passwords in an hashed form is false security. An attacker that can read a config file with plain text passwords can also just run commands that use hashed passwords from the config file, so the security focus should be in forbidding access to your files, not worrying about passwords in plain text. 2) http://wiki.python.org/moin/Distutils/FixingBugs has the guidelines you’re asking for. 3) I do not need a CVE to evaluate if an issue is a security risk, because http://www.python.org/dev/workflow/ tells me that it’s when “somehow someone is able to gain escalated privileges when they shouldn't be able to.” 4) Could you remove report@bugs.python.org from the issue Cc? It goes to the wrong bug report. Comment from Tarek (which does not address my specific question about None vs. empty string): Looks good to me: the upload command will get the credentials from the session instead of using the existing config at all. I remember that we changed the behavior to you'd had to set ONLY the user in the rc file, but allowing to pass the user is better since it make the config file optional

Thanks for the editions.  Further comments on rietveld.

Miscellaneous things:

1) Storing passwords in an hashed form is false security.  An attacker that can read a config file with plain text passwords can also just run commands that use hashed passwords from the config file, so the security focus should be in forbidding access to your files, not worrying about passwords in plain text.

2) http://wiki.python.org/moin/Distutils/FixingBugs has the guidelines you’re asking for.

3) I do not need a CVE to evaluate if an issue is a security risk, because http://www.python.org/dev/workflow/ tells me that it’s when “somehow someone is able to gain escalated privileges when they shouldn't be able to.”

4) Could you remove report@bugs.python.org from the issue Cc?  It goes to the wrong bug report.


Comment from Tarek (which does not address my specific question about None vs. empty string):

Looks good to me:

the upload command will get the credentials from the session instead of using the existing config at all.

I remember that we changed the behavior to you'd had to set ONLY the user in the rc file, but allowing to pass the user is better since it make the config file optional

History
Date	User	Action	Args
2011-02-09 22:49:22	eric.araujo	set	recipients: + eric.araujo, techtonik, tarek
2011-02-09 22:49:22	eric.araujo	set	messageid: <1297291762.74.0.925219638991.issue9995@psf.upfronthosting.co.za>
2011-02-09 22:49:22	eric.araujo	link	issue9995 messages
2011-02-09 22:49:22	eric.araujo	create