classification
Title: the system keyring should be used instead of ~/.pypirc
Type: security
Stage:
Components: Distutils
Versions: Python 3.4

process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To: eric.araujo
Nosy List: alexis, christian.heimes, eric.araujo, graingert, tarek
Priority: normal
Keywords:

Created on 2013-02-01 01:45 by graingert, last changed 2016-09-08 23:48 by christian.heimes. This issue is now closed.

Messages (5)
msg181052 - Author: Thomas Grainger (graingert) Date: 2013-02-01 01:45
Having the password stored in a plain-text configuration file is not great security.

A better choice would be to try to use the OS keyring and then fall back to a plaintext file.

An example implementation of a generic keyring Python interface is available at: http://pypi.python.org/pypi/keyring/
msg181332 - Author: Éric Araujo (eric.araujo) (Python committer) Date: 2013-02-04 15:26
The general idea is absolutely right: using proper keyrings (or ssh) is an excellent thing for security and ease of use.  A big obstacle, however, is the rules for stdlib inclusion: a module such as keyring is tied to specific applications/libs/file formats and may need a short release cycle to adapt to changes in those programs.  So while I think keyring is a great library, I fear it does not fit the criteria for stdlib inclusion.

The workaround is to enter your password each time you upload and never store it.  This isn’t great.

What if there was an option specifying a program to call to get the password?  That way one could use clvault (command-line interface to python-keyring), maybe ssh-askpass, keepass, etc., but we wouldn’t have code subject to obsolescence in the stdlib.  It would not be as nice as seamless password retrieval, and it would not be 100% secure (password is still in memory), but it would solve the storage problem.  What do you think?

[FYI the distutils2 project is stopped.  I don’t have the time right now to go into details again, and there isn’t a single link I can give that explains things well.]
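The two proposals above (msg181052: OS keyring with a plaintext fallback; msg181332: a configurable external program that returns the password) can be combined into one lookup order. The following is an added example written for this page, not distutils/setuptools code and not something either poster wrote. It assumes a hypothetical `password_command` key in the `[pypi]` section of `~/.pypirc`, uses the third-party `keyring` package only if it happens to be installed, and drives the helper with a constructed Python one-liner so it runs offline on any platform:

```python
"""Resolve a package-upload password without keeping it in ~/.pypirc.

Lookup order: OS keyring, then an external password program named in the
config, then the legacy plaintext `password` key, then an interactive prompt.
`password_command` is a hypothetical option; distutils never had such a key.
"""
import configparser
import getpass
import shlex
import subprocess
import sys

# Constructed sample secret that the hypothetical helper program emits.
HELPER_SECRET = "s3cr3t-from-helper"


def lookup_keyring(service, username):
    """Ask the OS keyring via the third-party `keyring` package, if installed.

    Returns None instead of raising when the package or a usable backend is
    missing, so the caller can fall through to the next source.
    """
    try:
        import keyring  # optional dependency, https://pypi.org/project/keyring/
    except ImportError:
        return None
    try:
        return keyring.get_password(service, username)
    except Exception:  # no backend, locked keyring, etc.
        return None


def run_password_command(command):
    """Run the configured helper and take its stdout as the password.

    Same pattern as ssh-askpass or a git credential helper: the secret never
    sits in a config file, only in the helper's output and this process's
    memory.  The command is split with shlex and run without a shell.
    """
    argv = shlex.split(command)
    proc = subprocess.run(argv, stdout=subprocess.PIPE, check=True, timeout=30)
    return proc.stdout.decode("utf-8").rstrip("\r\n")


def get_upload_password(pypirc_text, server="pypi",
                        keyring_lookup=lookup_keyring,
                        prompt=getpass.getpass):
    """Return (password, source) for `server`, trying sources in order.

    `keyring_lookup` and `prompt` are injectable so the function can be
    exercised without a real keyring or a TTY.
    """
    # interpolation=None: a helper command may legitimately contain '%'.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(pypirc_text)
    section = cfg[server]
    username = section.get("username", "")
    # Key the keyring entry by repository URL so several indexes can coexist.
    service = section.get("repository", "pypi")

    password = keyring_lookup(service, username)
    if password:
        return password, "keyring"

    command = section.get("password_command")  # hypothetical option
    if command:
        return run_password_command(command), "password_command"

    # Legacy behaviour: plaintext password in the config file.  Discouraged.
    if section.get("password"):
        return section["password"], "plaintext"

    return prompt("Password for %s on %s: " % (username, service)), "prompt"


def demo_pypirc():
    """Constructed ~/.pypirc contents whose helper is a Python one-liner."""
    helper = "%s -c \"print('%s')\"" % (shlex.quote(sys.executable), HELPER_SECRET)
    return "[pypi]\nusername = alice\npassword_command = %s\n" % helper


if __name__ == "__main__":
    pw, source = get_upload_password(demo_pypirc(), keyring_lookup=lambda s, u: None)
    print("got password from %s" % source)
```

If the plaintext fallback is kept at all, a real implementation should also refuse (or at least warn about) a `~/.pypirc` whose mode grants group or world read access, since that file is the whole problem this issue is about.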
msg275213 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2016-09-08 23:43
Please take this idea to https://www.pypa.io/
msg275214 - Author: Thomas Grainger (graingert) Date: 2016-09-08 23:46
But distutils is a core Python module...

On 9 Sep 2016 00:43, "Christian Heimes" <report@bugs.python.org> wrote:

>
> Christian Heimes added the comment:
>
> Please take this idea to https://www.pypa.io/
>
> ----------
> nosy: +christian.heimes
> resolution:  -> out of date
> status: open -> closed
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue17096>
> _______________________________________
>
msg275216 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2016-09-08 23:48
PyPA is now maintaining packaging and developing software for packaging. They develop new tooling to upload packages, too.
History
Date                 User              Action  Args
2016-09-08 23:48:36  christian.heimes  set     messages: + msg275216
2016-09-08 23:46:20  graingert         set     messages: + msg275214
2016-09-08 23:43:48  christian.heimes  set     status: open -> closed; nosy: + christian.heimes; messages: + msg275213; resolution: out of date
2013-02-04 15:26:18  eric.araujo       set     messages: + msg181332; components: + Distutils, - Distutils2; versions: + Python 3.4
2013-02-01 01:45:25  graingert         create