On Feb 11, 2013, at 7:05 AM, Giovanni Bajo <[email protected]> wrote:

> On 11 Feb 2013, at 12:27, Jesse Noller <[email protected]> wrote:
> 
>> Ok, that has to be made clear to the poor guy merging the PR
>> 
>> I'm also fine with Christian's migration path; I share his concerns about 
>> your approach.
> 
> 
> This is harder to fix. Christian's main concern is that he doesn't trust me 
> and my proposed solution because he didn't see it elsewhere. I saw it 
> mentioned many times around, but I think that, at the end of the day, that's 
> a red herring: the point is that I'm not in his (and/or your) trust circle, 
> but that's fine, we can still find a way around it. It's probably useless for 
> me to keep arguing though.
> 
> I think that a migration path on login from an unsalted SHA1 is completely 
> wrong, so I have a proposal: I will submit it if we agree on resetting all 
> the passwords immediately, or within a short timeframe (e.g., 2 months), and 
> notify all the users to log in once as soon as possible (so after 2 months we 
> reset passwords of users who haven't logged in).
> 
> Would that work?

Actually, I was thinking about this in the shower: the likelihood that PyPI 
users used the same passwords as they did on the wiki is probably much higher 
than any of us assume.

I'm in favor of an immediate reset if possible.


> -- 
> Giovanni Bajo   ::  [email protected]
> Develer S.r.l.  ::  http://www.develer.com
> 
> My Blog: http://giovanni.bajo.it
> 
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
