[Distutils] Add optional password_command .pypirc value

Glyph glyph at twistedmatrix.com
Sun Mar 10 08:25:13 CET 2013


On Mar 7, 2013, at 11:40 PM, Matt Behrens <askedrelic at gmail.com> wrote:

> After doing some research tonight on storing/accessing passwords in the OSX Keychain (http://asktherelic.com/2013/03/07/storing-command-line-passwords-in-keychain/), I was curious why the .pypirc doesn't support something like this when asking for the password during 'upload', to not have your pypi password in plaintext on your system.
> 
> As far as I can see from the source, the password is read straight from the .pypirc config:
> 
> https://bitbucket.org/tarek/distribute/src/188dcdb7f0873f1b382e8bde65377c5f43266f9f/setuptools/command/upload.py?at=default#cl-66
> 
> and fails if the password value doesn't exist:
> 
> https://bitbucket.org/tarek/distribute/issue/291/allow-password-to-be-omitted-from-pypirc
> 
> I'm curious about implementing:
> 
> 1. a password_command to support integration with external password tools (1password, keychain, keyring python lib)
> 
> The implementation from the program I am trying to emulate, pianobar, is here: https://github.com/PromyLOPh/pianobar/blob/master/src/main.c#L135 just a /bin/sh for nix/osx. Could run cmd.exe for windows cross-platform compatibility.
>  
> 2. better notification to the user about trying to upload with an empty password or using get_pass if empty password
> 
> The only other reference to something like this is from several years ago here: http://bugs.python.org/issue4394
> 
> Does this seem like it's worth making a patch for?

Secure password storage is always worth working on :).

Have you heard of the Keyring module? <https://pypi.python.org/pypi/keyring/>  It already supports a cross-platform interface to this sort of thing, including the OS X keychain.

-glyph
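
The lookup order proposed in this thread (literal password, then `password_command`, then an interactive prompt, with a clear error on an empty result), as an added sketch that is not part of the original messages and is not distutils code. `password_command` is the proposed key, not an option distutils reads; `resolve_password`, `PasswordError` and the sample config are hypothetical, and unlike the `/bin/sh` approach mentioned above the command is run as an argv list without a shell.

```python
import configparser
import shlex
import subprocess

# Constructed sample. `echo` stands in for a real secret-store CLI (assumption).
SAMPLE_PYPIRC = """\
[distutils]
index-servers = pypi

[pypi]
username = example-user
password_command = echo constructed-secret
"""

class PasswordError(Exception):
    """Raised when no usable password can be obtained."""

def resolve_password(pypirc_text, server="pypi", prompt=None, timeout=30):
    """Return the password for `server`: literal value, command output, or prompt."""
    # RawConfigParser: no %-interpolation, so secrets containing '%' survive.
    cfg = configparser.RawConfigParser()
    cfg.read_string(pypirc_text)
    if not cfg.has_section(server):
        raise PasswordError("no [%s] section" % server)
    password = cfg.get(server, "password", fallback="")
    if password:
        return password
    command = cfg.get(server, "password_command", fallback="")
    if command:
        # Split into argv and exec directly; the config text never reaches a shell.
        argv = shlex.split(command)
        try:
            proc = subprocess.run(argv, capture_output=True, text=True,
                                  timeout=timeout)
        except (OSError, subprocess.TimeoutExpired) as exc:
            raise PasswordError("password_command could not run: %s" % exc)
        if proc.returncode != 0:
            raise PasswordError("password_command exited %d" % proc.returncode)
        secret = proc.stdout.rstrip("\r\n")  # tools usually append a newline
        if secret:
            return secret
    if prompt is not None:  # e.g. getpass.getpass
        secret = prompt("Password for %s: " % server)
        if secret:
            return secret
    raise PasswordError("empty password for [%s]" % server)
```

Passing `getpass.getpass` as `prompt` gives the interactive fallback; leaving it as `None` makes a non-interactive upload fail loudly instead of sending an empty password.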
