[Distutils] Add optional password_command .pypirc value

Lennart Regebro regebro at gmail.com
Sat Mar 9 07:25:28 CET 2013


On Fri, Mar 8, 2013 at 6:57 PM, Donald Stufft <donald at stufft.io> wrote:
> If you're uploading via SSH you'll open a SSH tunnel and then POST to PyPI over that tunnel.

You are not required to use HTTP, there are several other protocols
you can use such as SCP or SFTP. Not that I think it matters which
protocol we use.

> Ideally you can sure. Security that only deals in ideal and doesn't pay attention to what people will actually do in the general case is a problem. The general case people will reuse their typical SSH keys, thus placing more reliance on a single secret across multiple services (Github, bitbucket, SSH, PyPI).

Often they will reuse passwords too.

> Encouraging authentication token sharing is a bad practice.

So don't do that. :-)

> HTTP has a token that is functionally similar to SSH keys. Client side SSL certificates. They would function fine and enable similar uses as SSH keys.

Every time I've used that it has been very complicated and usually not
worked well or cross-platform. Perhaps that situation has changed?

//Lennart
