On Wed, Nov 3, 2010 at 3:56 PM, anatoly techtonik <[email protected]> wrote:
> On Wed, Nov 3, 2010 at 4:07 PM, Tarek Ziadé <[email protected]> wrote:
>>> I should have looked more carefully at the issue. The refusal to
>>> use a password without storing it *is* a fairly narrow bug.
>>
>> Yes, this is a bug. The password should be reused by upload. There's
>> code for this but it seems to fail
>
> Fix landed.
> http://bugs.python.org/issue9995
>
>>>> This is a case where we need to come up with a better way of doing things.
>>>> Someone needs to propose something and folks need to weigh in.
>>>
>>> I would love to see a solution to the broader problem.
>>>
>>> I really don't want to have to enter a password every time I
>>> upload a package.
>>
>> me neither :)
>
> Does anybody know where is documentation on supported authentication in PyPI?
>
>>> I guess a good solution would be to integrate with existing
>>> password-management tools. This could be prototyped as
>>> a separate upload tool.
>>
>> I have mentored a project in GSOC last year exactly for this case:
>> keyring (available at PyPI)
>>
>> It is already successfully used in Mercurial (mercurial-keyring) that
>> suffers the same problem when doing http/https
>>
>> The next step was to integrate keyring in distutils/upload but was not
>> done yet due to a lack of time.
>
> Network protection is still weak. The password is sent nearly in cleartext.

Right, we'd want to use https as well. Presumably, that's the easy part.

Jim

--
Jim Fulton
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
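Added example, not part of the thread or of distutils: it shows why the upload password is "nearly in cleartext" over plain HTTP and the https check the reply above calls for. It assumes HTTP Basic authentication, which is what the distutils upload command sends; `upload_headers`, `sample_lookup` and the `pypi.example` host are hypothetical, and the lookup only mirrors the `(service, username)` shape of keyring's `get_password`.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample store standing in for a real keyring backend.
SAMPLE_STORE = {("pypi.example", "alice"): "constructed:pw"}

def sample_lookup(service, username):
    """Hypothetical lookup with the same (service, username) shape as keyring.get_password."""
    return SAMPLE_STORE.get((service, username))

def basic_auth_header(username, password):
    """Build the Basic header value: base64 is an encoding, not encryption."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def recover_credentials(header_value):
    """Reverse the header with no key, as anyone reading a plain-HTTP request could."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, _, password = decoded.partition(":")  # password may itself contain ':'
    return username, password

def upload_headers(repository_url, username, get_password=sample_lookup):
    """Return auth headers only when the repository URL is https."""
    parts = urlsplit(repository_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing to send credentials to {repository_url!r}: not https")
    password = get_password(parts.hostname, username)
    if password is None:
        raise LookupError(f"no stored password for {username!r} at {parts.hostname!r}")
    return {"Authorization": basic_auth_header(username, password)}

if __name__ == "__main__":
    headers = upload_headers("https://pypi.example/upload", "alice")
    print(recover_credentials(headers["Authorization"]))
    try:
        upload_headers("http://pypi.example/upload", "alice")
    except ValueError as exc:
        print(exc)
```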
