[Catalog-sig] OpenID login to PyPI

"Martin v. Löwis" martin at v.loewis.de
Mon Nov 16 19:53:17 CET 2009


> Since I can create as many gmail accounts as I want and use them to
> register as many separate PyPI accounts as I want, what's the point of
> trying to enforce this restriction on OpenID-based accounts?
> 
> It seems that it only causes problems for people who want to use OpenID,
> while not really preventing any opportunities for spammers (who can
> always just use non-OpenID authentication).
> 
> Is the plan to eventually disable non-OpenID authentication?

To keep the code maintainable, I would indeed like to reduce the number
of authentication options. The number of cases to consider already
begins to explode.

So if OpenID were successful, it would be good if username/password
authentication could go away some day. So: yes. From my point of view,
that would be the primary use of OpenID for me, as a relying party.
I don't care too much that users can log in the same way in other
services as well, as I'm not in charge of these other services. It's
the promise of simplified procedures that makes me work on this.

Unfortunately, at the same time, I'm skeptical that OpenID can really
deliver here. For example, I see little chance that distutils could
provide reasonable access to PyPI using OpenID, as OpenID is fairly
bound to be run in a web browser only. So ISTM that package owners
will have to set (and remember) a password, anyway, unless they always
add new releases through the web interface.

Regards,
Martin
