When updating an existing project on PyPI via distutils using the upload command, I observe erroneous behavior regarding the credentials when I do not want to store my password in clear text in the pypirc file:

(1) When running

    python setup.py sdist upload
    
without having the pypirc file in place, I get the error

    Upload failed (401): You must be identified to edit package information
    
(2) When running the same command as above with the pypirc file in place but without having the 'password' option in the 'pypi' section defined, I get a TypeError exception.

In both cases and at least in the second case I expect to be prompted for my credentials. This is what the 2.7.5 docs are saying about the contents of the pypirc file  (http://docs.python.org/2.7/distutils/packageindex.html#the-pypirc-file):

    "password, that will be used to authenticate. If omitted the user will be prompt to type it when needed."
    
I have seen http://bugs.python.org/issue5187 saying "distutils is feature frozen" but the current situation is buggy. Either there is a documentation mistake (it clearly says that the user is prompted for the password) or there is an error in the code (*, see below), or both.

* Regarding the TypeError mentioned above:

In distutils/command/upload.py, finalize_options(), the configuration dictionary is retrieved from _read_pypirc() (distutils/config.py). There, the value for the password key in the config dictionary is set to None if not defined in the pypirc configuration file. The password value is not modified/updated in finalize_options() if self.distribution.password is not set. I think the latter is only set when the 'register' command is used. Hence, when the user for example simply runs

    python setup.py sdist upload
    
and did not set the password in the pypirc file, the password value stays None.

Nevertheless, in distutils/command/upload.py, upload_file(), password is treated as string:

    auth = "Basic " + standard_b64encode(self.username + ":" + self.password)

This obviously leads to

    TypeError: cannot concatenate 'str' and 'NoneType' objects

I would be happy to work on a patch if we agree on what the proper behavior should be. Me, as a user of PyPI, would vote for being prompted in both cases outlined above. I do not like to store my PyPI password in clear text in the file system.

And after specifying how distutils should behave in case (2) I think we all agree that distutils/tests/test_upload.py should provide a test for this case. An example configuration file with username but without password is already defined via PYPIRC_NOPASSWORD. Currently, this config is only tested within an edge-case in test_saved_password() with dist.password = 'xxx', simulating the simultaneous usage of 'register' with 'upload' if I understood correctly. Register probably is used less frequently than upload alone.

Looking forward to your input,

Jan-Philip