[Catalog-sig] pythonpackages.com beta security

[Alex Clark]

Hi,

On 7/20/12 2:38 AM, Richard Jones wrote:
> On 20 July 2012 15:43, Donald Stufft <donald.stufft at gmail.com> wrote:
>> On Friday, July 20, 2012 at 1:07 AM, Richard Jones wrote:
>>
>> That's OAuth2, which is quite unlike the OAuth1(a) that we
>> implemented. You cannot do OAuth1 with just requests, as far as I'm
>> aware. There's no documentation for PyPI OAuth as we're still waiting
>> for it to be used by someone to prove its usefulness.
>>
>> I havn't had a chance yet (doing a major refactor first), but there's
>> experimental
>> OAuth 1a support in the most recent versions of requests.
>
> Oh, nice! I'll see if I can find some time over the weekend to write
> up how to use that against the PyPI implementation.


Nice indeed! I'll take a look, too. Assuming I can get oauth1 going, 
will that allow me to make releases on behalf of users? I'm not sure if 
this is an oauth1 or 2 thing, but on GitHub you can choose which "scope" 
you want your application to ask the user to grant to it:


- http://developer.github.com/v3/oauth/#scopes


So at the very least, I'd like my application to enable users to do the 
equivalent of distutils' register and upload commands. The workflow 
looks something like this:


- Create package via PasteScript-powered web form: 
https://pythonpackages.com/manage/package/new

- Clone, develop code locally, and push

- Test the package release on pythonpackages.com via web form 
submissions that execute the following:

   $ python setup.py install
   $ python setup.py sdist upload -r http://index.pythonpackages.com

- Manually test the release locally via:

   $ pip install PACKAGE -i http://index.pythonpackages.com

- Release the package to PyPI via

   $ python setup.py register sdist upload




Alex





>
>
>      Richard
>


-- 
Alex Clark · http://pythonpackages.com/ONE_CLICK_RELEASE