> Since I can create as many gmail accounts as I want and use them to
> register as many separate PyPI accounts as I want, what's the point of
> trying to enforce this restriction on OpenID-based accounts?
>
> It seems that it only causes problems for people who want to use OpenID,
> while not really preventing any opportunities for spammers (who can
> always just use non-OpenID authentication).
>
> Is the plan to eventually disable non-OpenID authentication?

To keep the code maintainable, I would indeed like to reduce the number of authentication options. The number of cases to consider already begins to explode. So if OpenID would be successful, it would be good if username/password authentication could go away some day. So: yes.

From my point of view, that would be the primary use of OpenID for me, as a relying party. I don't care too much that users can login the same way in other services as well, as I'm not in charge of these other services. It's the promise of simplified procedures that makes me work on this.

Unfortunately, at the same time, I'm skeptical that OpenID can really deliver here. For example, I see little chance that distutils could provide reasonable access to PyPI using OpenID, as OpenID is fairly bound to be run in a web browser only. So ISTM that package owners will have to set (and remember) a password, anyway, unless they always add new releases through the web interface.

Regards,
Martin

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig