[Catalog-sig] OpenID login to PyPI

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Mon Nov 16 22:40:57 CET 2009


On 06:53 pm, martin at v.loewis.de wrote:
>>Since I can create as many gmail accounts as I want and use them to
>>register as many separate PyPI accounts as I want, what's the point of
>>trying to enforce this restriction on OpenID-based accounts?
>>
>>It seems that it only causes problems for people who want to use 
>>OpenID,
>>while not really preventing any opportunities for spammers (who can
>>always just use non-OpenID authentication).
>>
>>Is the plan to eventually disable non-OpenID authentication?
>
>To keep the code maintainable, I would indeed like to reduce the number
>of authentication options. The number of cases to consider already
>begins to explode.
>
>So if OpenID would be successful, it would be good if username/password
>authentication could go away some day. So: yes. From my point of view,
>that would be the primary use of OpenID for me, as a relying party.
>I don't care too much that users can login the same way in other
>services as well, as I'm not in charge of these other services. It's
>the promise of simplified procedures that makes me work on this.
>
>Unfortunately, at the same time, I'm skeptical that OpenID can really
>deliver here. For example, I see little chance that distutils could
>provide reasonable access to PyPI using OpenID, as OpenID is fairly
>bound to be run in a web browser only. So ISTM that package owners
>will have to set (and remember) a password, anyway, unless they always
>add new releases through the web interface.

If username/password authentication will always need to be allowed on 
PyPI, what is the rationale for placing the current limitations on the 
OpenID support?  Or are you still undecided about whether 
username/password authentication will indeed always be supported?

Jean-Paul
