[Distutils] Google Auth is broken for PyPI

Donald Stufft donald at stufft.io
Tue Feb 10 19:54:00 CET 2015

> On Feb 10, 2015, at 1:06 PM, Martin v. Löwis <martin at v.loewis.de> wrote:
> Am 10.02.15 um 18:33 schrieb Donald Stufft:
>>> Can you please elaborate on that position? Why is it useful to have
>>> separate accounts on separate systems?
>> Sure.
> Thanks! Just one comment - without the desire to get into a long-winded
> discussion.
>> 1. I feel like the goal of federated auth has failed in general and is unlikely
>>   to ever succeed. As a user of websites I have over 400 different entries in
>>   my password manager, even if 50% of them implement federated auth (which I
>>   feel like is a high number but that's not backed by math, just gut feeling)
>>   that's still over 200 entries I need to maintain in my password manager. In
>>   this case federated auth has not meaningfully reduced the burden of
>>   maintaining passwords for me since maintaining 200 isn't any easier than 400
>>   and instead it just complicates my login flow
> I think this is your personal usage primarily. A lot of users just avoid
> having to use a password manager, and use the same password on many
> systems. (Of course, many people also *do* use different passwords, and
> some also use password managers)

Sure! Lots of people do absolutely just re-use passwords. Though I don’t think
many of those same users are likely to be (knowingly at least) using OpenID.
They’re more likely to use the “Sign in With X” buttons where X is something
like Google, Facebook, Twitter, etc. Which I dislike (except in cases where
you need to optimize for low impact user accounts like blog comments) because
they are an explicit relationship with another entity without any power to
influence what they do with the trust you grant them by letting them control
logins to your site.

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
