[Catalog-sig] OpenID login to PyPI (was: PyPI comments and ratings, *really*?)

[Ben Finney]

Chris Withers <chris at simplistix.co.uk> writes:

> You're forgetting the two working single sign on methods. I'd be
> surprised if a developer didn't have at least one google account or a
> launchpad account.

I'm happy to surprise you: I am a Python developer, a PyPI user, and I
have neither a Google account nor a Launchpad account.


There's been a rather fragmented discussion (with some messages in
‘python-dev’, some in private email) that I'd like to summarise here:

PyPI currently uses OpenID, but defeats much of the point of that system
by skipping important parts of the authentication protocol and
disallowing all but a small subset of identifiers (those that are within
a small set of domains).

Some of us, who have OpenIDs that *aren't* in any big-name domain but
want to use them to authenticate, are discussing this with PyPI
administration (Martin von Löwis) and making great strides in clearing
up misunderstandings.

I have confidence that this is leading in a good direction, but it's
clear this should be happening here on the ‘catalog-sig’ forum. I'll
post some representative messages in this thread, and encourage further
discussion of the issue here.

But first, I need to take this opportunity to publically thank Martin
for being very patient over many messages and honestly working to
understand our requests. It's Martin's demonstrated desire to figure out
how to meet PyPI users's needs that is the basis of my confidence that
this will have a happy ending.

-- 
 \         “Pinky, are you pondering what I'm pondering?” “I think so, |
  `\      Brain, but shouldn't the bat boy be wearing a cape?” —_Pinky |
_o__)                                                   and The Brain_ |
Ben Finney