On Wed, Nov 3, 2010 at 3:03 PM, Jim Fulton <[email protected]> wrote:
> On Wed, Nov 3, 2010 at 9:58 AM, Jim Fulton <[email protected]> wrote:
>> On Wed, Nov 3, 2010 at 7:35 AM, Tarek Ziadé <[email protected]> wrote:
>>> On Wed, Nov 3, 2010 at 10:47 AM, anatoly techtonik <[email protected]>
>>> wrote:
>>>> Hello,
>>>>
>>>> Does anybody care that PyPI passwords are stored in a well-known
>>>> location in cleartext and developers are forced to store them when
>>>> they submit packages for review?
>>>> http://bugs.python.org/issue9995
>>>>
>>>
>>> We have hundreds of bugs to fix for distutils. If you propose a patch
>>> + test, things will speed up.
>>> There are already tests for various register/upload scenarii, so it
>>> should not be hard to copy-paste one to create your test
>>
>> While that's usually a reasonable response, this isn't a bug.
>
> I should have looked more carefully at the issue. The refusal to
> use a password without storing it *is* a fairly narrow bug.

Yes, this is a bug. The password should be reused by upload. There's
code for this but it seems to fail.

>> This is a case where we need to come up with a better way of doing things.
>> Someone needs to propose something and folks need to weigh in.
>
> I would love to see a solution to the broader problem.
>
> I really don't want to have to enter a password every time I
> upload a package.

Me neither :)

> I guess a good solution would be to integrate with existing
> password-management tools. This could be prototyped as
> a separate upload tool.

I have mentored a project in GSOC last year exactly for this case:
keyring (available at PyPI).

It is already successfully used in Mercurial (mercurial-keyring) that
suffers the same problem when doing http/https.

The next step was to integrate keyring in distutils/upload but was not
done yet due to a lack of time.

Tarek

--
Tarek Ziadé | http://ziade.org
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
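
An added example, not part of the original thread or of distutils: a small audit that reports which sections of a distutils configuration file hold a stored cleartext password and whether the file is readable by other users. It assumes the "well-known location" is `~/.pypirc`; the sample file contents and the names `audit_pypirc` and `demo` are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the .pypirc layout read by distutils (no real credentials).
SAMPLE = """\
[distutils]
index-servers =
    pypi

[pypi]
username: example-user
password: not-a-real-password

[internal]
repository: https://pypi.example.invalid/
username: example-user
"""


def audit_pypirc(path):
    """Return one finding per section that stores a non-empty password."""
    parser = configparser.RawConfigParser()  # no '%' interpolation in values
    if not parser.read(path):
        return []  # file absent or unreadable: nothing stored there
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    findings = []
    for section in parser.sections():
        if parser.get(section, "password", fallback="").strip():
            findings.append({
                "section": section,
                "username": parser.get(section, "username", fallback="?"),
                "mode": oct(mode),
                "readable_by_others": exposed,
            })  # the password value itself is never returned or printed
    return findings


def demo():
    """Audit the constructed sample written to a temporary file with mode 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".pypirc")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_pypirc(path)


if __name__ == "__main__":
    for finding in audit_pypirc(os.path.expanduser("~/.pypirc")):
        print(finding)
```
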
