From 8bcef6e6aa251d84dc892db7a52c322bcb72caf8 Mon Sep 17 00:00:00 2001 From: HacKan Date: Tue, 6 Feb 2018 23:52:59 -0300 Subject: [PATCH] Change name to hc-passphrase just for PyPI Fix Makefile: move mktemp sentence down into the install-common step to avoid the creation of a tempdir each time make is executed. Fix MANIFEST: the name was wrong! Add pip instructions in README, plus some badges. Add a Dockerfile example in DEVELOPERS. Bump version to rc2. --- DEVELOPERS.md | 33 +++++++++++++++++++++++++++++++-- MANIFEST.rst => MANIFEST.in | 2 +- Makefile | 4 ++-- README.md | 10 ++++++++++ README.rst | 21 ++++++++++++++++++++- passphrase/__main__.py | 2 +- setup.cfg | 6 +++++- setup.py | 4 ++-- 8 files changed, 72 insertions(+), 10 deletions(-) rename MANIFEST.rst => MANIFEST.in (57%) diff --git a/DEVELOPERS.md b/DEVELOPERS.md index bfc38ab..02aba93 100644 --- a/DEVELOPERS.md +++ b/DEVELOPERS.md 
@@ -10,6 +10,14 @@ If you want to develope or contribute to this project, you can quickly start by Every contribution must be acompanied by it's tests. As a general guideline, follow PEP8 (flake8 must run without warnings) and prefer Exceptions over assumptions. Try hard on not to add dependencies: I'm going to reject PRs with external dependencies that are not entirely justified (and for this project in particular, having 0 dependencies is very important). +Not sure on what to contribute with? Here you go: + +* Solve opened issues. +* Review PRs. +* Add support for unsupported OSes. +* Improve code quality or provide code reviews. +* Improve current tests or add new ones. + ## About the package **Passphrase** modules were written with usability and security in mind. Most, if not all, methods and functions will severily restrict the data type it can process; this is to avoid unexpected issues. The library always prefers to fail (raise exception) instead of doing something wrong, so when in doubt during implementation, i.e. when using parameters from the user, use a `try-except` block. 
@@ -53,8 +61,8 @@ Run `make test` or `nosetests -v`. Remove the `-v` if you don't want a verbose o ## How to use it as a package Download the files, preferrably fom the [latest release](https://github.com/HacKanCuBa/passphrase-py/releases/latest) - releases are always signed -. Once downloaded and verified, use `setup.py` to install (I let you decide whether to use virtualenv or not): `./setup.py install`. You can also do `make package-install` with the same outcome. Run it with `sudo` or elevated privileges to install it system-wide. -Using *pip* for installation is not recommended given that it's very insecure. -To uninstall, run `make package-uninstall` or `pip uninstall passphrase`. +Using *pip* for installation is not recommended given that it's very insecure. But if you insist, just do `pip install hc-passphrase`. +To uninstall, run `make package-uninstall` or `pip uninstall hc-passphrase`. Please let me know if you use this in your app, I would love that :) 
@@ -129,6 +137,27 @@ def generate_password() -> str: return proposedPassword ``` +#### Docker + +To securely use it in a Dockerfile, do: + +``` +ENV PASSPHRASE_VERSION 1.0.0 + +RUN gpg --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys 0x35710D312FDE468B +RUN wget -O /tmp/passphrase-v${PASSPHRASE_VERSION}.tar.gz https://github.com/HacKanCuBa/passphrase-py/archive/v${PASSPHRASE_VERSION}.tar.gz +RUN wget -O /tmp/passphrase-v${PASSPHRASE_VERSION}.tar.gz.sig https://github.com/HacKanCuBa/passphrase-py/releases/download/v1.0.0rc1/passphrase-v${PASSPHRASE_VERSION}.tar.gz.sig +RUN gpg --trust-model always --verify /tmp/passphrase-v${PASSPHRASE_VERSION}.tar.gz.sig /tmp/passphrase-v${PASSPHRASE_VERSION}.tar.gz \ + && cd /tmp \ + && tar -xf passphrase-v${PASSPHRASE_VERSION}.tar.gz \ + && cd passphrase-py-${PASSPHRASE_VERSION} \ + && make package-install +``` + +It doesn't matter which OS is the base, as long as it has GnuPG package installed (either versions 1.4+ or 2+). + +You can also just `pip install hc-passphrase` but, again, it's insecure. Yeah, I know: it's a single line vs. all that... If only *pip* used some crypto... + ## License **Passphrase** is made by [HacKan](https://hackan.net) under GNU GPL v3.0+. You are free to use, share, modify and share modifications under the terms of that [license](LICENSE). diff --git a/MANIFEST.rst b/MANIFEST.in similarity index 57% rename from MANIFEST.rst rename to MANIFEST.in index 7b74127..b8cec66 100644 --- a/MANIFEST.rst +++ b/MANIFEST.in @@ -1,3 +1,3 @@ include LICENSE include README.md -include requirements.txt +include DEVELOPERS.md diff --git a/Makefile b/Makefile index 4d28481..a2d665f 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,6 @@ ALTPREFIX ?= $(HOME)/.local DESTDIR ?= BINDIR ?= /bin MANDIR ?= /share/man -TMPDIR := $(shell mktemp -d --tmpdir "passphrase.XXXXXXXXXX") all: @echo "Passphrase by HacKan (https://hackan.net)" 
@@ -28,9 +27,10 @@ package-install: python3 setup.py install package-uninstall: - pip uninstall passphrase + pip uninstall hc-passphrase install-common: + $(eval TMPDIR := $(shell mktemp -d --tmpdir "passphrase.XXXXXXXXXX")) mkdir $(TMPDIR)/src/ cp -f passphrase/*.py $(TMPDIR)/src/ @sed -i "s/from .passphrase/from passphrase/g; s/from .settings/from settings/g; s/from .aux/from aux/g" "$(TMPDIR)/src/__main__.py" diff --git a/README.md b/README.md index bcd24b6..584733d 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,6 @@ [![GitHub license](https://img.shields.io/github/license/hackancuba/passphrase-py.svg)](https://github.com/HacKanCuBa/passphrase-py/blob/master/LICENSE) +[![PyPI pyversions](https://img.shields.io/pypi/pyversions/hc-passphrase.svg)](https://pypi.python.org/pypi/hc-passphrase/) +[![PyPI version](https://badge.fury.io/py/hc-passphrase.svg)](https://badge.fury.io/py/hc-passphrase) [![GitHub release](https://img.shields.io/github/release/hackancuba/passphrase-py.svg)](https://github.com/hackancuba/passphrase-py/releases/) [![GitHub version](https://badge.fury.io/gh/hackancuba%2Fpassphrase-py.svg)](https://badge.fury.io/gh/hackancuba%2Fpassphrase-py) [![Build Status](https://travis-ci.org/HacKanCuBa/passphrase-py.svg?branch=master)](https://travis-ci.org/HacKanCuBa/passphrase-py) 
@@ -9,6 +11,8 @@ Its security is based on Python's [os.urandom](https://docs.python.org/3/library/os.html#os.urandom) to get cryptographically secure random bits to make an integer number. It also makes use of the [EFF's Large Wordlist](https://www.eff.org/es/document/passphrase-wordlists) as words reference for passphrases. +**Who is this tool for**: **Passphrase** is a library and a CLI tool, thus its intended audience are developers and advanced users that love to use the terminal :) + A secure passphrase must be of at least 6 words, but 7 is better, and maybe you can add a random number to the list. If you need a password, make it bigger than 8 characters ([NIST's latest recommendation](https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/)), and prefer more than 12 (I recommend 16 or more). Passwords are comprised of digits, upper and lowercase letters and punctuation symbols - more specifically: `ascii_lowercase`, `ascii_uppercase`, `digits` and `punctuation` from [Lib/string](https://docs.python.org/3.6/library/string.html#string-constants) -. Those settings mentioned are specifically for the EFF's Large Wordlist. If you specify a different wordlist, the minimum amount of words for a passphrase to be secure changes: for shorter lists, the amount increases. The minimum secure amount of words (for a passphrase) or characters (for a password) are calculated by **Passphrase** and a warning is shown if the chosen number is too low (when used as a script), by calculating the list's entropy. 
@@ -31,6 +35,8 @@ It might work with Python 3.2+, but I won't give support to old Python versions. **Passphrase** can be used as a *package* in other apps, or as a *stand-alone script*. Start by downloading the files, preferrably fom the [latest release](https://github.com/HacKanCuBa/passphrase-py/releases/latest) - releases are always signed -. +You can also use *[pip](https://pypi.python.org/pypi/hc-passphrase)* but I discourage it, given that there's no cryptographic verification of signatures nor hashes at all. + ### As a package Check the [developers guide](https://github.com/HacKanCuBa/passphrase-py/blob/master/DEVELOPERS.md). @@ -41,6 +47,8 @@ Once downloaded and verified, you can install it with `setup.py install` or `mak To uninstall, run respectively `make package-uninstall`, `make uninstall` or `make altuninstall`. +Another option is to run `pip install --user hc-passphrase` (for user-wide installation) or `pip install hc-passphrase` (for system-wide installation), but I advise against this way given that pip doesn't do any cryptographic verification of signatures nor hashes at all. + #### Examples of use Check the [man page](https://github.com/HacKanCuBa/passphrase-py/blob/master/man/passphrase.md) for more information. @@ -194,6 +202,8 @@ v0.4.8 | 35.6 | 0.83 | +16% v0.5.0 | 35.6 | 0.83 | +0% v0.5.1 | 37.5 | 0.87 | +5% v1.0.0rc0 | 37.3 | 0.87 | -0% +v1.0.0rc1 | 37.3 | 0.87 | +0% +v1.0.0rc2 | 37.3 | 0.87 | +0% You can try it yourself: download each release, unpack it and time it. The command to run, depending on the release version, is: diff --git a/README.rst b/README.rst index a696ea3..1ecd1d0 100644 --- a/README.rst +++ b/README.rst @@ -1,4 +1,5 @@ -|GitHub license| |GitHub release| |GitHub version| |Build Status| +|GitHub license| |PyPI pyversions| |PyPI version| |GitHub release| +|GitHub version| |Build Status| Passphrase ========== 
@@ -16,6 +17,10 @@ also makes use of the `EFF's Large Wordlist `__ as words reference for passphrases. +**Who is this tool for**: **Passphrase** is a library and a CLI tool, +thus its intended audience are developers and advanced users that love +to use the terminal :) + A secure passphrase must be of at least 6 words, but 7 is better, and maybe you can add a random number to the list. If you need a password, make it bigger than 8 characters (`NIST's latest @@ -64,6 +69,10 @@ How to use it release `__ - releases are always signed -. +You can also use *`pip `__* +but I discourage it, given that there's no cryptographic verification of +signatures nor hashes at all. + As a package ~~~~~~~~~~~~ @@ -82,6 +91,12 @@ plus install the man page. To uninstall, run respectively ``make package-uninstall``, ``make uninstall`` or ``make altuninstall``. +Another option is to run ``pip install --user hc-passphrase`` (for +user-wide installation) or ``pip install hc-passphrase`` (for +system-wide installation), but I advise against this way given that pip +doesn't do any cryptographic verification of signatures nor hashes at +all. + Examples of use ^^^^^^^^^^^^^^^ @@ -348,6 +363,10 @@ the terms of that .. |GitHub license| image:: https://img.shields.io/github/license/hackancuba/passphrase-py.svg :target: https://github.com/HacKanCuBa/passphrase-py/blob/master/LICENSE +.. |PyPI pyversions| image:: https://img.shields.io/pypi/pyversions/hc-passphrase.svg + :target: https://pypi.python.org/pypi/hc-passphrase/ +.. |PyPI version| image:: https://badge.fury.io/py/hc-passphrase.svg + :target: https://badge.fury.io/py/hc-passphrase .. |GitHub release| image:: https://img.shields.io/github/release/hackancuba/passphrase-py.svg :target: https://github.com/hackancuba/passphrase-py/releases/ .. |GitHub version| image:: https://badge.fury.io/gh/hackancuba%2Fpassphrase-py.svg diff --git a/passphrase/__main__.py b/passphrase/__main__.py index cc5c560..0b709cb 100644 --- a/passphrase/__main__.py 
+++ b/passphrase/__main__.py @@ -34,7 +34,7 @@ __author__ = 'HacKan' __license__ = 'GNU GPL 3.0+' -__version__ = '1.0.0rc1' +__version__ = '1.0.0rc2' __version_string__ = ( 'Passphrase v{}\nby HacKan (https://hackan.net) FOSS ' 'under GNU GPL v3.0 or newer'.format(__version__) diff --git a/setup.cfg b/setup.cfg index b941b77..c585c8d 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,2 +1,6 @@ [nosetests] -verbose=1 +verbose = 1 + +[upload] +sign = true +identity = hackan@gmail.com diff --git a/setup.py b/setup.py index 6a45be2..0ec6794 100755 --- a/setup.py +++ b/setup.py @@ -9,7 +9,7 @@ def readme(): setup( - name='passphrase', + name='hc-passphrase', version=passphrase_version, description='Generates cryptographically secure passphrases and ' 'passwords', @@ -33,7 +33,7 @@ def readme(): ], keywords='cryptography passphrase password security', url='http://github.com/hackancuba/passphrase-py', - download_url='https://github.com/HacKanCuBa/passphrase-py/archive/v1.0.0rc1.tar.gz', + download_url='https://github.com/HacKanCuBa/passphrase-py/archive/v{}.tar.gz'.format(passphrase_version), author='HacKan', author_email='hackan@gmail.com', license='GNU GPL 3.0+',
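Review bot: In the DEVELOPERS.md Docker hunk (`@@ -129,6 +137,27`), the signature URL hardcodes `v1.0.0rc1` in its path while the tarball URL and both filenames use `${PASSPHRASE_VERSION}`, which is set to `1.0.0`, a tag this same patch shows does not exist yet (`__version__` only moves to `1.0.0rc2`); `gpg --verify` will therefore either get a 404 or be handed a signature over a different file. Use `${PASSPHRASE_VERSION}` in both URLs. The tarball also comes from `/archive/`, GitHub's on-the-fly export, while the `.sig` comes from `/releases/download/`; a detached signature only verifies against the exact bytes that were signed, so fetch the tarball from the release assets as well. `--recv-keys 0x35710D312FDE468B` followed by `--trust-model always` accepts whatever the keyserver returns for that long key ID; pin the full fingerprint and fail the build if `gpg --fingerprint` does not match it. Finally, the sentence after the block says only GnuPG is required, but the recipe also needs `wget`, `tar`, `make` and `python3` in the base image.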
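Review bot: The claim added in README.md (`@@ -31,6 +35,8` and `@@ -41,6 +47,8`), mirrored in README.rst and in the DEVELOPERS.md hunk `@@ -53,8 +61,8`, that pip does "no cryptographic verification of signatures nor hashes at all" overstates the problem: pip downloads over TLS and, in hash-checking mode (`pip install --require-hashes -r requirements.txt` with a pinned `hc-passphrase==<version> --hash=sha256:<digest>` line), rejects any file whose digest differs. What it does not do is check the author's OpenPGP signature. Suggest wording it as "pip does not verify the release signature", and since this patch turns on signed uploads in setup.cfg, tell users where to fetch the corresponding `.asc` and which key to verify it against (the key ID already quoted in DEVELOPERS.md).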
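Review bot: In the Makefile hunk `@@ -28,9 +27,10`, moving `TMPDIR` into `$(eval ...)` inside the `install-common` recipe means any other target that references `$(TMPDIR)` without depending on `install-common` now sees the shell environment's `TMPDIR` (commonly `/tmp`, or empty) rather than a fresh directory, because make imports environment variables of that name; a `rm -rf $(TMPDIR)` in a cleanup rule would then be dangerous. Rename the variable to something not found in the environment (e.g. `PKG_TMPDIR`) and make every consumer depend on `install-common`. Separately, `package-install` runs `python3 setup.py install` while `package-uninstall` runs a bare `pip`, which may belong to a different interpreter; `python3 -m pip uninstall hc-passphrase` keeps the two paired.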
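Review bot: In the setup.cfg hunk, `[upload] sign = true` only affects `setup.py upload`, which is deprecated in favour of `twine upload --sign`, and `identity = hackan@gmail.com` selects the signing key by e-mail, which is ambiguous if more than one key carries that user ID; use the key ID the DEVELOPERS.md Docker example already relies on (`0x35710D312FDE468B`) or, better, the full fingerprint, so that the uploaded signature is guaranteed to come from the key users are told to verify against. Since pip does not check that signature, the README should say how to download and verify it by hand.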
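Review bot: In the setup.py hunk, renaming the distribution from `passphrase` to `hc-passphrase` while the importable package stays `passphrase/` means an existing install of the old distribution will have its files overwritten by the new one without being uninstalled; document `pip uninstall passphrase` before `pip install hc-passphrase`, and state explicitly that the import name is unchanged. The new `download_url` also points at `archive/v{}.tar.gz`, GitHub's auto-generated tarball, rather than the signed release asset the README tells users to verify; pointing it at the `releases/download/v{}/...` asset (the naming the Docker example uses) keeps the PyPI metadata consistent with the signing story.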
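Review bot: The README.rst hunks reproduce the README.md additions by hand, with different line wrapping and link syntax, and the two files will keep drifting with every edit like this one; generating README.rst from README.md (for example with a `pandoc` step in the Makefile) or keeping a single source would avoid the duplicated review. The benchmark rows added in `@@ -194,6 +202,8` for v1.0.0rc1 and v1.0.0rc2 both show identical numbers and `+0%` against rc0, so they only pad the table; consider listing only versions whose figures actually changed.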