[Distutils] Add optional password_command .pypirc value

Nick Coghlan ncoghlan at gmail.com
Sat Mar 9 08:18:12 CET 2013

On Sat, Mar 9, 2013 at 4:25 PM, Lennart Regebro <regebro at gmail.com> wrote:
> On Fri, Mar 8, 2013 at 6:57 PM, Donald Stufft <donald at stufft.io> wrote:
>> HTTP has a token that is functionally similar to SSH keys. Client side SSL certificates. They would function fine and enable similar uses as SSH keys.
> Every time I've used that it has been very complicated and usually not
> worked well or cross-platform. Perhaps that situation has changed?

Pulp (http://pulpproject.org) handles it fairly well IMO - the CLI
includes a "pulp-admin auth login" command which just uses Basic Auth
over HTTPS. This returns a server-generated cert that is saved to disk
and is valid for a week. After a week, you have to log in again to
refresh your cert (this is to mitigate the problem Toshio noted: the
cert is stored unencrypted on disk. Without the expiry date, this
approach would be just as bad as storing the password itself in the

There's a bit of fiddling client side to use the cached cert, and
server side to check it, but the user experience is pretty smooth.

(Pulp is GPL, while PyPI is now BSD, so if we do go down this path,
someone that hasn't read the Pulp code will need to implement it, or
else I can talk to the Pulp team about getting those parts relicensed
under a more permissive license)


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Distutils-SIG mailing list