In its current implementation, a user is required to provide their cleartext PyPI password in their `.pypirc` configuration file for authenticated interactions with PyPI servers to succeed. For hopefully obvious reasons, this is sub-optimal from a security standpoint.
In some popular utilities (e.g. msmtp), the ability to provide a `passwordeval` field is made optional to the user. The value of this field is executed by the OS-dependent shell, and the return value is then used as the password.
For example, instead of this:
```
[distutils]
index-servers=
    pypi

[pypi]
username=jperras
password=mygreatpassword
```
we can instead have this:
```
[distutils]
index-servers=
    pypi

[pypi]
username=jperras
passwordeval="gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.pypipwd.gpg"
```
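One way a client could resolve the proposed `passwordeval` field, as an added example that is not code from the original post or from any PyPI tool. `resolve_password` is a hypothetical helper, and it makes two hardening assumptions beyond the proposal: the command is split with `shlex` and executed without a shell, and a group- or world-writable `.pypirc` is refused, because with `passwordeval` write access to the file amounts to command execution.

```python
import configparser
import os
import shlex
import stat
import subprocess


def resolve_password(rc_path, repo="pypi", timeout=30):
    """Return the password for `repo`; `passwordeval` wins over `password`.
    Hypothetical helper; no-shell execution and the mode check are assumptions.
    """
    # With passwordeval, whoever can write this file can run commands as us.
    if os.stat(rc_path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{rc_path} is group- or world-writable")

    cfg = configparser.RawConfigParser()  # raw: no % interpolation of values
    cfg.read(rc_path)
    section = cfg[repo]

    command = section.get("passwordeval")
    if command is None:
        return section.get("password")  # legacy cleartext field

    # The example on the page wraps the whole command in one pair of quotes.
    if command.count('"') == 2 and command[0] == command[-1] == '"':
        command = command[1:-1]
    # Split like a shell but exec directly, so ; | $( ) are never interpreted.
    argv = [os.path.expanduser(arg) for arg in shlex.split(command)]
    if not argv:
        raise ValueError("passwordeval is empty")

    proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                          stdout=subprocess.PIPE, timeout=timeout, check=True)
    lines = proc.stdout.decode("utf-8").splitlines()
    if not lines or not lines[0]:
        raise ValueError("passwordeval command printed no password")
    return lines[0]  # first line of output only; never log this value


if __name__ == "__main__":
    import sys, tempfile
    # Constructed .pypirc; the Python one-liner stands in for the gpg command.
    fd, path = tempfile.mkstemp()  # mkstemp creates the file with mode 0600
    with os.fdopen(fd, "w") as fh:
        fh.write("[pypi]\nusername=jperras\npasswordeval="
                 f"{shlex.quote(sys.executable)} -c \"print('constructed-secret')\"\n")
    print("resolved:", resolve_password(path) == "constructed-secret")
    os.unlink(path)
```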