Éric Araujo <mer...@netwok.org> added the comment:

Thanks for the editions.  Further comments on rietveld.

Miscellaneous things:

1) Storing passwords in a hashed form is false security.  An attacker that can 
read a config file with plain text passwords can also just run commands that 
use hashed passwords from the config file, so the security focus should be in 
forbidding access to your files, not worrying about passwords in plain text.

2) http://wiki.python.org/moin/Distutils/FixingBugs has the guidelines you’re 
asking for.

3) I do not need a CVE to evaluate if an issue is a security risk, because 
http://www.python.org/dev/workflow/ tells me that it’s when “somehow someone is 
able to gain escalated privileges when they shouldn't be able to.”

4) Could you remove rep...@bugs.python.org from the issue Cc?  It goes to the 
wrong bug report.


Comment from Tarek (which does not address my specific question about None vs. 
empty string):

Looks good to me:

the upload command will get the credentials from the session instead of using 
the existing config at all.

I remember that we changed the behavior so you'd have to set ONLY the user in 
the rc file, but allowing to pass the user is better since it makes the config 
file optional.

----------
stage:  -> patch review
versions: +Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue9995>
_______________________________________