author | Richard Jones <richard@mechanicalcat.net> | 2013-02-01 13:40:20 +1100 |
---|---|---|
committer | Richard Jones <richard@mechanicalcat.net> | 2013-02-01 13:40:20 +1100 |
commit | 46e699c031319cabd2d96cef0b562fa7b797b6bd (patch) | |
tree | e6367d5feba0e390abacea03d5f20a75f042321e | |
parent | 1594bf6f0750dd1d05faf9670bbb136091e589ba (diff) | |
download | decorator-46e699c031319cabd2d96cef0b562fa7b797b6bd.tar.gz |
add security page
-rw-r--r-- | templates/security.pt | 30 |
-rw-r--r-- | templates/standard_template.pt | 2 |
-rw-r--r-- | webui.py | 10 |
3 files changed, 40 insertions, 2 deletions
diff --git a/templates/security.pt b/templates/security.pt new file mode 100644 index 0000000..4a64b8d --- /dev/null +++ b/templates/security.pt @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns:tal="http://xml.zope.org/namespaces/tal" + xmlns:metal="http://xml.zope.org/namespaces/metal" + metal:use-macro="standard_template/macros/page"> + <metal:fill fill-slot="body"> + +<h2>Reporting</h2> + +<p>If you have a query or report to make regarding security please contact +Richard Jones and/or Martin von Löwis.</p> + +<p>Richard's GPG key has key id 41C6E930 (full fingerprint 0145 FD2B 52E8 0A8E 329A 16C7 AC68 AC04 41C6 E930)</p> + +<p>Martin's GPG key has key id 7D9DC8D2 (full fingerprint CBC5 4797 8A39 64D1 4B9A B36A 6AF0 53F0 7D9D C8D2)</p> + +<p>You may also report issues in the <a href="https://sourceforge.net/tracker/?func=add&group_id=66150&atid=513503">PyPI bug tracker</a> where reports may be made private.</p> + + +<h2>Your Security</h2> + +<p>You may sign your uploads with GPG using the "--sign" argument to "python setup.py upload".</p> + +<p>Additionally you may avoid using the default HTTP authentication used on the site and instead <a href="http://pypi.python.org/pypi/pypissh">upload using ssh</a>.</p> + +<p>The MD5 hash provided with files on PyPI exists <b>only</b> to provide some download corruption protection. It is <b>not</b> intended to provide any sort of security regarding tampering. Please use GPG signing for that.</p> + + </metal:fill> +</html> + diff --git a/templates/standard_template.pt b/templates/standard_template.pt index 2c9572a..ac83c01 100644 --- a/templates/standard_template.pt +++ b/templates/standard_template.pt 
@@ -84,7 +84,7 @@ </tal:for-nav> <li><a href="/pypi?:action=browse&c=533&show=all">Python 3 Packages</a></li> <li><a href="http://wiki.python.org/moin/CheeseShopTutorial">PyPI Tutorial</a></li> - <li><a href="http://sourceforge.net/tracker/?func=add&group_id=66150&atid=513503">Report PyPI Security Issue</a></li> + <li><a href="http://pypi.python.org/security">PyPI Security</a></li> <li><a href="http://sourceforge.net/tracker/?group_id=66150&atid=513504">PyPI Support</a></li> <li><a href="http://sourceforge.net/tracker/?group_id=66150&atid=513503">PyPI Bug Reports</a></li> <li><a href="http://www.python.org/sigs/catalog-sig/">PyPI Discussion</a></li> @@ -489,6 +489,8 @@ class WebUI: return self.run_simple_sign() if script_name == '/mirrors': return self.mirrors() + if script_name == '/security': + return self.security() if script_name == '/daytime': return self.daytime() if script_name == '/id': @@ -2807,9 +2809,15 @@ class WebUI: def mirrors(self): ''' display the list of mirrors ''' - options = {'title': 'PyPI mirrors'} + options = {'title': 'PyPI Mirrors'} self.write_template('mirrors.pt', **options) + def security(self): + ''' display the list of mirrors + ''' + options = {'title': 'PyPI Security'} + self.write_template('security.pt', **options) + def daytime(self): # Mirrors are supposed to provide /last-modified, # but it doesn't make sense to do so for the master server |
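Review bot: in templates/security.pt the two key paragraphs lead with the 8-hex-digit key ids (41C6E930 and 7D9DC8D2), which are short enough to be collided, so a reader who fetches a key by id alone can end up with a look-alike key. Put the full fingerprint first and ask reporters to compare it after importing the key. In the same hunk the "upload using ssh" link is `http://pypi.python.org/pypi/pypissh`, plain HTTP inside the paragraph that recommends avoiding HTTP authentication; an https link would match the tracker link earlier in the file.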
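Review bot: the new nav entry in templates/standard_template.pt points at `http://pypi.python.org/security` over plain HTTP, and that page is where the GPG fingerprints are published, so anyone able to alter the response in transit can substitute their own fingerprints. Use an https URL or a site-relative `/security`, the way the "Python 3 Packages" entry in the same list already uses a relative `/pypi?...` link. This line also replaces the direct "Report PyPI Security Issue" tracker link, so reporting is now one click further away; consider keeping both entries.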
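Review bot: the docstring of the new `security()` method in the second `class WebUI` hunk still reads "display the list of mirrors", copied from `mirrors()` directly above it; change it to describe the security page. The 'PyPI mirrors' to 'PyPI Mirrors' title change in the same hunk is unrelated to "add security page" and would be easier to review as its own commit.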