[Distutils] Add optional password_command .pypirc value

Donald Stufft donald at stufft.io
Fri Mar 8 18:57:54 CET 2013


On Mar 8, 2013, at 12:47 PM, Lennart Regebro <regebro at gmail.com> wrote:

> On Fri, Mar 8, 2013 at 6:01 PM, Donald Stufft <donald at stufft.io> wrote:
>> I dislike hijacking SSH to tunnel a HTTP protocol over
> 
> I'm not sure we have to hijack or tunnel anything. :-)

If you're uploading via SSH you'll open an SSH tunnel and then POST to PyPI over that tunnel.

> 
>> and adding more reliance on SSH keys means a lost SSH key becomes _even_ worse than it already is.
> 
> I don't follow that argument. You can have separate keys in separate
> places if you like.

Ideally you can, sure. Security that only deals in the ideal and doesn't pay attention to what people will actually do in the general case is a problem. In the general case people will reuse their typical SSH keys, thus placing more reliance on a single secret across multiple services (Github, bitbucket, SSH, PyPI). Encouraging authentication token sharing is a bad practice.

HTTP has a token that is functionally similar to SSH keys: client-side SSL certificates. They would function fine and enable similar uses as SSH keys.

> 
> //Lennart


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
