[Catalog-sig] OpenID login to PyPI

Ben Finney ben+python at benfinney.id.au
Mon Nov 16 21:57:58 CET 2009


"Martin v. Löwis" <martin at v.loewis.de> writes:

> > It seems that it only causes problems for people who want to use
> > OpenID, while not really preventing any opportunities for spammers
> > (who can always just use non-OpenID authentication).
> > 
> > Is the plan to eventually disable non-OpenID authentication?
>
> To keep the code maintainable, I would indeed like to reduce the
> number of authentication options. The number of cases to consider
> already begins to explode.
>
> So if OpenID would be successful, it would be good if
> username/password authentication could go away some day. So: yes. From
> my point of view, that would be the primary use of OpenID for me, as a
> relying party.

That's great, because that is exactly what the aim is, and is the common
benefit that both PyPI-like site users and site developers gain.

> I don't care too much that users can login the same way in other
> services as well, as I'm not in charge of these other services. It's
> the promise of simplified procedures that makes me work on this.

It's important to realise, though, that *because* users can log in the
same way on many other sites, their decision to register on PyPI becomes
that much easier.

> Unfortunately, at the same time, I'm skeptical that OpenID can really
> deliver here. For example, I see little chance that distutils could
> provide reasonable access to PyPI using OpenID, as OpenID is fairly
> bound to be run in a web browser only.

This is true. I know there are efforts underway to have OpenID working
in other contexts, but am not aware of their current status.

> So ISTM that package owners will have to set (and remember) a
> password, anyway, unless they always add new releases through the web
> interface.

There are other ways; OpenSSH keys, for example, are used on sites like
alioth.debian.org to handle non-web data transfer; and PyPI could gather
the user's OpenSSH public key through OpenID attribute exchange at the
registration step, similar to gathering their OpenPGP public key as is
done now. That's only one option out of many, of course, and I don't
necessarily say it's a good option for PyPI.

-- 
 \     “It is far better to grasp the universe as it really is than to |
  `\    persist in delusion, however satisfying and reassuring.” —Carl |
_o__)                                                            Sagan |
Ben Finney