On Fri, Mar 8, 2013 at 6:57 PM, Donald Stufft <don...@stufft.io> wrote:
> If you're uploading via SSH you'll open a SSH tunnel and then POST to PyPI 
> over that tunnel.

You are not required to use HTTP, there are several other protocols
you can use such as SCP or SFTP. Not that I think it matters which
protocol we use.

> Ideally you can sure. Security that only deals in ideal and doesn't pay 
> attention to what people will actually do in the general case is a problem. 
> The general case people will reuse their typical SSH keys, thus placing more 
> reliance on a single secret across multiple services (Github, bitbucket, SSH, 
> PyPI).

Often they will reuse passwords too.

> Encouraging authentication token sharing is a bad practice.

So don't do that. :-)

> HTTP has a token that is functionally similar to SSH keys. Client side SSL 
> certificates. They would function fine and enable similar uses as SSH keys.

Every time I've used that it has been very complicated and usually not
worked well or cross-platform. Perhaps that situation has changed?

//Lennart
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig