On Fri, Mar 8, 2013 at 6:57 PM, Donald Stufft <don...@stufft.io> wrote:
> If you're uploading via SSH you'll open an SSH tunnel and then POST to PyPI
> over that tunnel.

You are not required to use HTTP, there are several other protocols you can use such as SCP or SFTP. Not that I think it matters which protocol we use.

> Ideally you can, sure. Security that only deals in ideal and doesn't pay
> attention to what people will actually do in the general case is a problem.
> The general case people will reuse their typical SSH keys, thus placing more
> reliance on a single secret across multiple services (GitHub, Bitbucket, SSH,
> PyPI).

Often they will reuse passwords too.

> Encouraging authentication token sharing is a bad practice.

So don't do that. :-)

> HTTP has a token that is functionally similar to SSH keys. Client side SSL
> certificates. They would function fine and enable similar uses as SSH keys.

Every time I've used that it has been very complicated and usually not worked well or cross-platform. Perhaps that situation has changed?

//Lennart
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig