Classification
Title: Allow dynamic password evaluation in pypirc configuration file.
Type: enhancement
Stage: resolved
Components: Distutils
Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7

Process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: dstufft, eric.araujo, jperras, jwilk, ncoghlan, remi.lapeyre, steve.dower
Priority: normal
Keywords: patch

Created on 2018-06-16 02:54 by jperras, last changed 2021-02-03 18:16 by steve.dower. This issue is now closed.

Pull Requests
PR 7740: closed (linked by jperras, 2018-06-16 03:03)
Messages (3)
msg319699 - Author: Joel Perras (jperras) * Date: 2018-06-16 02:54
In its current implementation, a user is required to provide their cleartext PyPI password in their .pypirc configuration file for authenticated interactions with PyPI servers to succeed. For hopefully obvious reasons, this is sub-optimal from a security standpoint.

In some popular utilities (e.g. msmtp), the ability to provide a `passwordeval` field is made optional to the user. The value to this field is executed by the OS-dependent shell, and the return value is then used as the password.

For example, instead of this:

```
index-servers=
    pypi

[pypi]
username=jperras
password=mygreatpassword

```

we can instead have this:

```
index-servers=
    pypi

[pypi]
username=jperras
passwordeval="gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.pypipwd.gpg"
```
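The lookup described in this message, as an added example that is not part of PR 7740 or of CPython's distutils: parse a pypirc, and if a server section carries `passwordeval`, run it through the platform shell and use its first output line as the password; otherwise fall back to `password`. The function names, the constructed config text, the stripping of the surrounding quotes (configparser keeps them literally), `interpolation=None` so a `%` in a static password survives, and the refusal to read a group- or world-readable file are all my assumptions, not behaviour the page specifies.

```python
"""Resolve a .pypirc password from either `password` or `passwordeval`.

Added example, not CPython / distutils code. EXAMPLE_PYPIRC is constructed
for this example and the function names are assumptions.
"""
import configparser
import os
import stat
import subprocess
import tempfile

# Constructed sample .pypirc: one server uses passwordeval, one a static password.
EXAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = example-user
passwordeval = "echo s3cr3t-constructed"

[testpypi]
username = example-user
password = plain%pass
"""


def parse_pypirc(text):
    """Parse pypirc text; interpolation=None keeps a literal '%' in a password."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def load_pypirc(path):
    """Read a pypirc file, refusing one that other users can read (POSIX only)."""
    if os.name != "nt":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path} has mode {oct(mode)}; it holds credentials and must "
                "not be group/world accessible"
            )
    with open(path, encoding="utf-8") as fh:
        return parse_pypirc(fh.read())


def _strip_quotes(value):
    """configparser keeps surrounding quotes literally; drop one matching pair."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def resolve_password(cfg, server):
    """Password for [server]: run passwordeval, else use password, else None."""
    section = cfg[server]
    has_eval, has_plain = "passwordeval" in section, "password" in section
    if has_eval and has_plain:
        raise ValueError(f"[{server}] sets both password and passwordeval; pick one")
    if has_eval:
        cmd = _strip_quotes(section["passwordeval"])
        # The command comes from the user's own config file and runs in the
        # platform shell, as msmtp does. stdin is closed so a prompting tool
        # cannot hang the build; stderr is captured rather than shown.
        result = subprocess.run(
            cmd, shell=True, stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=True,
        )
        # Only the first output line is the secret; the trailing newline is not.
        return result.stdout.splitlines()[0] if result.stdout else ""
    if has_plain:
        return section["password"]
    return None  # caller should fall back to getpass.getpass()


def demo():
    """Write the sample config to a private temp file, resolve, then show the mode check."""
    fd, path = tempfile.mkstemp(prefix="pypirc-example-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(EXAMPLE_PYPIRC)
        os.chmod(path, 0o600)
        password = resolve_password(load_pypirc(path), "pypi")
        os.chmod(path, 0o644)  # simulate a carelessly shared file
        try:
            load_pypirc(path)
            rejected = False
        except PermissionError:
            rejected = True
        return password, rejected
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # ('s3cr3t-constructed', True) on POSIX
```

The mode check is the defender's counterpart to the feature: `passwordeval` keeps the secret out of the file, but the file still names the command that yields it, so it should stay private to the owner. Rejecting a section that sets both keys avoids silently preferring one over the other.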
msg338212 - Author: Rémi Lapeyre (remi.lapeyre) * Date: 2019-03-18 12:28
I think there might be a need for a new function in the getpass module that fetches it from the operating system secure enclave, like Keychain on OS X.

Currently there is no facility for storing secrets securely, the documentation of secrets says:

> Applications should not store passwords in a recoverable format, whether plain text or encrypted.

but as far as I know there is no facility to save a secret when you actually need to get it back in plaintext.
msg386302 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-02-03 18:16
Distutils is now deprecated (see PEP 632) and all tagged issues are being closed. From now until removal, only release blocking issues will be considered for distutils.

If this issue does not relate to distutils, please remove the component and reopen it. If you believe it still requires a fix, most likely the issue should be re-reported at https://github.com/pypa/setuptools
History
Date                 User          Action  Args
2021-02-03 18:16:20  steve.dower   set     status: open -> closed; nosy: + steve.dower; messages: + msg386302; resolution: out of date; stage: patch review -> resolved
2019-03-18 12:28:59  remi.lapeyre  set     nosy: + remi.lapeyre; messages: + msg338212
2018-06-22 16:20:15  jwilk         set     nosy: + jwilk
2018-06-20 20:18:54  ned.deily     set     nosy: + ncoghlan
2018-06-16 03:03:10  jperras       set     keywords: + patch; stage: patch review; pull_requests: + pull_request7348
2018-06-16 02:54:38  jperras       create