On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <[email protected]> wrote:
>> I should have looked more carefully at the issue. The refusal to
>> use a password without storing it *is* a fairly narrow bug.
>
> Yes this is a bug. The password should be reused by upload. There's
> code for this but it seems to fail

Fix landed. http://bugs.python.org/issue9995

>>> This is a case where we need to come up with a better way of doing things.
>>> Someone needs to propose something and folks need to weigh in.
>>
>> I would love to see a solution to the broader problem.
>>
>> I really don't want to have to enter a password every time I
>> upload a package.
>
> Me neither :)

Does anybody know where the documentation on supported authentication in PyPI is?

>> I guess a good solution would be to integrate with existing
>> password-management tools. This could be prototyped as
>> a separate upload tool.
>
> I have mentored a project in GSOC last year exactly for this case:
> keyring (available at PyPI)
>
> It is already successfully used in Mercurial (mercurial-keyring) that
> suffers the same problem when doing http/https
>
> The next step was to integrate keyring in distutils/upload but was not
> done yet due to a lack of time.

Network protection is still weak. The password is sent nearly in cleartext.

--
anatoly t.
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
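Added example, not part of the original message and not distutils code: a sketch of the two points raised in the thread, fetching the password from a password-management backend and refusing to send it over a non-TLS connection. It assumes the upload authenticates with HTTP Basic; the function names, the `get_password` callable and the sample host and credentials are hypothetical and constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample values; not real credentials or a real index URL.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cret-example"


def basic_auth_header(username, password):
    """Build an HTTP Basic Authorization value (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_credentials(header_value):
    """Show that Basic is an encoding, not encryption: no key is needed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def upload_auth(repository_url, username, get_password):
    """Return the Authorization header only when the transport is TLS.

    get_password(service, username) is a hypothetical lookup callable; a
    keyring-backed tool would pass keyring.get_password here, so the secret
    is neither typed on every upload nor stored in a plain-text config file.
    """
    parts = urlsplit(repository_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing to send credentials over %r" % parts.scheme)
    password = get_password(parts.hostname, username)
    if password is None:
        raise LookupError("no stored password for %s@%s" % (username, parts.hostname))
    return basic_auth_header(username, password)


if __name__ == "__main__":
    # In-memory stand-in for a keyring backend (constructed data).
    store = {("pypi.example.invalid", SAMPLE_USER): SAMPLE_PASSWORD}
    lookup = lambda service, user: store.get((service, user))
    header = upload_auth("https://pypi.example.invalid/pypi", SAMPLE_USER, lookup)
    print(header, "->", recover_credentials(header))
```

The scheme check only rules out plain HTTP; the HTTPS client that sends the header must still verify the server certificate.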
