New submission from Jan-Philip Gehrcke:
When updating an existing project on PyPI via distutils using the upload
command, I observe erroneous behavior regarding the credentials when I do not
want to store my password in clear text in the pypirc file:
(1) When running
    python setup.py sdist upload
without having the pypirc file in place, I get the error
    Upload failed (401): You must be identified to edit package information
(2) When running the same command as above with the pypirc file in place but
without having the 'password' option in the 'pypi' section defined, I get a
TypeError exception.
In both cases and at least in the second case I expect to be prompted for my
credentials. This is what the 2.7.5 docs are saying about the contents of the
pypirc file
(http://docs.python.org/2.7/distutils/packageindex.html#the-pypirc-file):
"password, that will be used to authenticate. If omitted the user will be
prompt to type it when needed."
I have seen http://bugs.python.org/issue5187 saying "distutils is feature
frozen" but the current situation is buggy. Either there is a documentation
mistake (it clearly says that the user is prompted for the password) or there
is an error in the code (*, see below), or both.
* Regarding the TypeError mentioned above:
In distutils/command/upload.py, finalize_options(), the configuration
dictionary is retrieved from _read_pypirc() (distutils/config.py). There, the
value for the password key in the config dictionary is set to None if not
defined in the pypirc configuration file. The password value is not
modified/updated in finalize_options() if self.distribution.password is not
set. I think the latter is only set when the 'register' command is used. Hence,
when the user for example simply runs
    python setup.py sdist upload
and did not set the password in the pypirc file, the password value stays None.
Nevertheless, in distutils/command/upload.py, upload_file(), password is
treated as string:
    auth = "Basic " + standard_b64encode(self.username + ":" + self.password)
This obviously leads to
    TypeError: cannot concatenate 'str' and 'NoneType' objects
I would be happy to work on a patch if we agree on what the proper behavior
should be. I, as a user of PyPI, would vote for being prompted in both cases
outlined above. I do not like to store my PyPI password in clear text in the
file system.
And after specifying how distutils should behave in case (2) I think we all
agree that distutils/tests/test_upload.py should provide a test for this case.
An example configuration file with username but without password is already
defined via PYPIRC_NOPASSWORD. Currently, this config is only tested within an
edge-case in test_saved_password() with dist.password = 'xxx', simulating the
simultaneous usage of 'register' with 'upload' if I understood correctly.
Register probably is used less frequently than upload alone.
Looking forward to your input,
Jan-Philip
----------
assignee: eric.araujo
components: Distutils
messages: 193062
nosy: eric.araujo, jason.coombs, jgehrcke, loewis, tarek, techtonik
priority: normal
severity: normal
status: open
title: distutils crashes when uploading to PyPI having only the username (no
pw) defined
type: crash
versions: Python 2.7
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue18454>
_______________________________________
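The failure mode reported above and the prompting behaviour the reporter asks for, as an added example that is not part of the original message and not distutils' own code. It is written for Python 3; the function names and the sample pypirc text are assumptions made for illustration, and read_pypirc is a simplified stand-in for the config reading the report describes.

```python
import base64
import configparser
import getpass

# Constructed sample: a .pypirc with a username but no 'password' option.
PYPIRC_NOPASSWORD = """\
[distutils]
index-servers =
    pypi

[pypi]
username: me
"""

def read_pypirc(text):
    """Simplified stand-in for the behaviour described in the report:
    a missing 'password' option ends up as None in the config dict."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return {
        "username": parser.get("pypi", "username"),
        "password": parser.get("pypi", "password", fallback=None),
    }

def basic_auth_naive(config):
    """Mirrors the concatenation quoted from upload_file(); fails on None."""
    creds = config["username"] + ":" + config["password"]
    return "Basic " + base64.standard_b64encode(creds.encode()).decode()

def basic_auth_prompting(config, prompt=getpass.getpass):
    """Ask for the password only when the config did not supply one, and
    keep it in memory for this run instead of writing it to disk."""
    password = config["password"]
    if password is None:
        password = prompt("Password for %s: " % config["username"])
    if not password:
        raise ValueError("no password supplied; refusing to send empty credentials")
    creds = "%s:%s" % (config["username"], password)
    return "Basic " + base64.standard_b64encode(creds.encode()).decode()

if __name__ == "__main__":
    cfg = read_pypirc(PYPIRC_NOPASSWORD)
    try:
        basic_auth_naive(cfg)
    except TypeError as exc:
        print("naive:", exc)
    print(basic_auth_prompting(cfg, prompt=lambda msg: "constructed-pw"))
```

The prompt callable is injectable so that a test can cover the username-only configuration without a terminal.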