Warehouse needs a register page #322
Comments
A few thoughts:
Sounds good on looking at PyPI to ensure we cover a similar area of security. I also like itsdangerous. Effectively we would just have a secret key that we store on the production warehouse box that handles signing and unsigning of keys? The only issue I could see there is if the key is exposed somehow we have to throw out all current pending validations, but since I assume we'll set like a 1-day expiry it probably doesn't matter anyway.
Probably more like 3-5 day expiry but yea not a big deal. That would only be used in the case of a compromise anyways.
Is the concern that someone could register without email verification if
If the repo is hacked, I think they can either add entries directly to the
On Tue, May 20, 2014 at 7:02 PM, Donald Stufft [email protected]:
It's not a massive big deal, it just means they'd be able to generate verification tokens for emails for us.
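The scheme the thread sketches above (one secret held on the production box, signing time-limited e-mail verification tokens, with the whole pending set thrown away if that secret leaks) as an added stdlib-only example. It is not Warehouse code and not the itsdangerous library itself; it reproduces the same timed-signature idea with hmac/hashlib/base64, and the secrets, addresses, 3-day max age and function names are all constructed for the example.

```python
"""Added example: itsdangerous-style timed, HMAC-signed e-mail verification
token built on the standard library. Not Warehouse or itsdangerous code."""
import base64
import hashlib
import hmac
import json
import time


class BadSignature(Exception):
    """Token was malformed, tampered with, or signed with a different key."""


class TokenExpired(Exception):
    """Signature is valid but the embedded issue time is older than max_age."""


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(secret: bytes, email: str, now=None) -> str:
    """Sign {email, issued-at}. The timestamp lives inside the signed payload,
    so a token holder cannot extend its life without the secret."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"email": email, "ts": issued}, separators=(",", ":"))
    payload = _b64e(body.encode("utf-8"))
    sig = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(sig)}"


def verify_token(secret: bytes, token: str, max_age: int, now=None) -> str:
    """Return the verified e-mail address or raise. The signature is checked in
    constant time before the payload is parsed, so nothing unsigned is trusted."""
    try:
        payload, sig_text = token.rsplit(".", 1)
        given_sig = _b64d(sig_text)
        expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    except ValueError:  # bad split, bad base64 padding, non-ASCII payload
        raise BadSignature("malformed token")
    if not hmac.compare_digest(expected, given_sig):
        raise BadSignature("signature mismatch")
    data = json.loads(_b64d(payload))
    age = (time.time() if now is None else now) - data["ts"]
    if age > max_age:
        raise TokenExpired(f"token is {age:.0f}s old, limit is {max_age}s")
    return data["email"]


def check(secret: bytes, token: str, max_age: int, now=None) -> str:
    """Collapse the outcome to a status string: 'ok:<email>', 'expired'
    or 'bad-signature'. Handy for logging the reason a link was refused."""
    try:
        return "ok:" + verify_token(secret, token, max_age, now)
    except TokenExpired:
        return "expired"
    except BadSignature:
        return "bad-signature"


if __name__ == "__main__":
    # Constructed values: a secret on the box, a rotated one after a compromise.
    secret, rotated = b"constructed-prod-secret", b"constructed-rotated-secret"
    t0, three_days = 1_400_000_000, 3 * 86400
    tok = make_token(secret, "alice@example.org", now=t0)
    print(check(secret, tok, three_days, now=t0 + 3600))        # ok:alice@example.org
    print(check(secret, tok, three_days, now=t0 + 5 * 86400))   # expired
    print(check(rotated, tok, three_days, now=t0 + 3600))       # bad-signature
```

Rotating the secret after a compromise rejects every outstanding link, which is exactly the "throw out all current pending validations" cost the thread accepts; because the issue time is part of what is signed, the 3-5 day window is enforced by the server rather than by anything the link holder can edit.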
So I've done some investigation of the existing code on Pypi, and here's some things to consider:

gpg_keys
I don't remember where this discussion was, but there was an argument as to whether we should keep gpg keys at all. We only keep a shortened version, and we use it as a mechanism to validate the actual source of a package. I think any package uploaded by the user is automatically associated with this pgp key. I also feel like it's not a particularly useful mechanism. Please let me know if I'm wrong though.

Pypi as an openid provider
Currently pypi says it has the capabilities to be an OpenID provider. Do we really want this? Managing OpenID is just adding complexity, and I've never thought of using my pypi account to log into anything.

Logging in with OpenIDs
Right now you can log into pypi with the following OpenID providers:

Clearly we have to support these for backward compat reasons. Would we like to support more?

usage agreement
The pypi code mentions a user agreement. I'm not sure what this is about, I don't see one on the register page. For now I'm going to build a simple page that doesn't support oauth and shoots an e-mail with itsdangerous to validate registration. Just thought I'd throw these out for discussion as I'm working on other pieces.
Yep, the gpg key sig is only used for display. It's a not-fully-thought-out feature to accompany the signatures paired with packages. OpenID is dead, but people are still using it. No idea whether people are using the PyPI OpenID facility though.
Tiny suggestion, "Sign Up with Github" / "Sign In with Github" would be good. It's becoming quite a common option on programming-centric websites using OpenID.
+1 to "Sign Up with Github".
FWIW, having the ability to register an arbitrary authentication policy would be super helpful for those planning to adopt warehouse behind a corporate firewall and similar environments. In these cases, it might be helpful to be able to strip /all/ auth mechanisms other than some custom method.
This should actually be completed now.
This is a proposal to add a register page to warehouse. The base functionality would mirror what's provided on the current pypi register page:
https://pypi.python.org/pypi?%3Aaction=register_form