[Distutils] Add optional password_command .pypirc value
donald at stufft.io
Fri Mar 8 18:57:54 CET 2013
On Mar 8, 2013, at 12:47 PM, Lennart Regebro <regebro at gmail.com> wrote:
> On Fri, Mar 8, 2013 at 6:01 PM, Donald Stufft <donald at stufft.io> wrote:
>> I dislike hijacking SSH to tunnel an HTTP protocol over
> I'm not sure we have to hijack or tunnel anything. :-)
If you're uploading via SSH you'll open a SSH tunnel and then POST to PyPI over that tunnel.
>> and adding more reliance on SSH keys means a lost SSH key becomes _even_ worse than it already is.
> I don't follow that argument. You can have separate keys in separate
> places if you like.
Ideally you can, sure. Security that only deals in the ideal and doesn't pay attention to what people will actually do in the general case is a problem. In the general case, people will reuse their typical SSH keys, thus placing more reliance on a single secret across multiple services (Github, bitbucket, SSH, PyPI). Encouraging authentication token sharing is a bad practice.
HTTP has a token that is functionally similar to SSH keys: client-side SSL certificates. They would function fine and enable similar uses as SSH keys.
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA