>> That is much less secure than the current setup, in the sense that this
>> program can probably be tricked much easier than Apache can. So it opens
>> a door for people hacking into the system; all they have to do is to
>> create a fake PyPI account and upload an SSH key...
>
> Zope has been using the 'command=' bit to do SSH-protected CVS / SVN
> access since 2000 with a lot of success; 370+ committers have keys on
> the system. The command being executed is actually a small shell
> script, which barfs if the program being run is not one of 'svn', 'cvs',
> or 'scp' (for uploading tarballs).

Well, then good luck that nobody has tried to hack your script. E.g. might it work that I somehow manage to upload an svn binary onto your system (e.g. by first checking it in, and relying on an automated checkout process that runs somewhere), then invoke this binary through the shell account?

> Not only are PyPI passwords stored in the clear on users' hard drives,
> they are sent in the clear on every authenticated request to the web
> interface (basic auth over unencrypted HTTP): it seems to me we ought
> to worry about both those issues more.

Perhaps. Contributions are welcome.

Regards,
Martin
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
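The quoted post describes an authorized_keys 'command=' wrapper that only lets 'svn', 'cvs' or 'scp' run, and the reply asks what happens if a file named 'svn' ends up on the box. The script below is an added illustration of how such a wrapper can be written so that question has a clear answer; it is not Zope's script or any PyPI code. It assumes the real binaries live at /usr/bin/svn, /usr/bin/cvs and /usr/bin/scp, and the install path /usr/local/sbin/repo-shell in the comment is a constructed example. It relies on the real sshd behaviour that a forced command receives the client's requested command line in SSH_ORIGINAL_COMMAND.

```shell
#!/bin/sh
# Added illustration of an SSH forced-command wrapper of the kind the
# quoted post describes. This is NOT Zope's script; the allowed programs,
# their absolute paths and the install path are assumptions.
#
# Installed via an authorized_keys entry such as (constructed example):
#   command="/usr/local/sbin/repo-shell",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... alice
# sshd then runs this script with the client's requested command line in
# SSH_ORIGINAL_COMMAND instead of running that command directly.

# Map an allowed program name to a fixed absolute path. Never resolving
# through PATH, and never honouring a path supplied by the client, means a
# file named 'svn' that lands in a checkout or upload directory cannot be
# substituted for the real binary.
allowed_path() {
    case "$1" in
        svn) echo /usr/bin/svn ;;
        cvs) echo /usr/bin/cvs ;;
        scp) echo /usr/bin/scp ;;
        *)   return 1 ;;
    esac
}

# Validate a requested command line. Prints the absolute path of the
# program to run and returns 0 if acceptable; returns 1 and prints nothing
# otherwise.
validate_command() {
    cmd=$1
    nl='
'
    # An empty request means "give me an interactive shell": refuse.
    [ -n "$cmd" ] || return 1
    # Refuse anything outside a conservative character allowlist, so no
    # shell metacharacters, quotes or newlines can reach the program.
    case "$cmd" in *"$nl"*) return 1 ;; esac
    if printf '%s' "$cmd" | LC_ALL=C grep -q '[^A-Za-z0-9 ._/=:@-]'; then
        return 1
    fi
    # Split into words without globbing and look at the program name only
    # (positional parameters are local to the function in POSIX sh).
    set -f
    set -- $cmd
    set +f
    # A program name containing '/' is a client-chosen path: refuse it.
    case "$1" in */*) return 1 ;; esac
    allowed_path "$1"
}

# Entry point used by sshd. Guarded so that sourcing the file for the
# checks has no side effects.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    prog=$(validate_command "$SSH_ORIGINAL_COMMAND") || {
        echo "repo-shell: command not permitted" >&2
        exit 1
    }
    set -f
    set -- $SSH_ORIGINAL_COMMAND
    set +f
    shift
    # Run the fixed binary with the client's remaining arguments; the name
    # the client typed is never looked up on the filesystem.
    exec "$prog" "$@"
fi
```

The point of the design is that the wrapper decides which file executes, not the client or the PATH: 'svn serve -t' runs /usr/bin/svn, while '/tmp/svn serve', 'svn; sh' or a bare 'bash' are rejected before anything is executed. The remaining arguments are still passed through unchanged, so in a real deployment the scp destination and the svn/cvs repository arguments would need their own checks against the directories the account is meant to reach.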
