[Catalog-sig] Fwd: Re: New pythonpackages.com service coming soon

Donald Stufft donald.stufft at gmail.com
Tue Jan 24 02:27:38 CET 2012


The general gist is that the only way to grant an external service any access to your package is by either giving them your username/password, or by having a general user account for that service (similar to Alex Clark's `python packages` user). Utilizing OAuth (beyond a basic log into external site with PyPI creds) would give a secure way for an owner to grant authorization for an external service to a resource (in this case a package), without needing to resort to the hackish fake user accounts.

On Monday, January 23, 2012 at 8:23 PM, Donald Stufft wrote:

> If I'm the owner of package foo, and website bar.com wants to modify my PyPI listing, or get private information, or whatever, OAuth could be used to securely grant bar.com authorization to the foo resource.
>
> And I wasn't aware of PyPI's OpenID support, but now that I know of it I believe I have some ideas for taking advantage of it, yes.
>  
> On Monday, January 23, 2012 at 7:13 PM, Richard Jones wrote:
>  
> > On 24 January 2012 10:47, Donald Stufft <donald.stufft at gmail.com> wrote:
> > > Well I'm interested in PyPI OpenID ;) (or OAuth, either way… OAuth would be
> > > nice in that people could give authorization to specific packages, and be
> > > more comprehensive than just a Login)
> > >  
> >  
> >  
> > Could you explain what you mean by "people could give authorization to
> > specific packages"? Do you have a specific use-case in mind? Do you
> > have a site that intends to use PyPI's OpenID?
> >  
> >  
> > Richard  
>  
