[issue33875] Allow dynamic password evaluation in pypirc configuration file.

Joel Perras report at bugs.python.org
Fri Jun 15 22:54:38 EDT 2018


New submission from Joel Perras <joel at nerderati.com>:

In its current implementation, a user is required to provide their cleartext PyPI password in their .pypirc configuration file for authenticated interactions with PyPI servers to succeed. For hopefully obvious reasons, this is sub-optimal from a security standpoint.

In some popular utilities (e.g. msmtp), the ability to provide a `passwordeval` field is made optional to the user. The value of this field is executed by the OS-dependent shell, and the return value is then used as the password.

For example, instead of this:

```
[distutils]
index-servers=
    pypi

[pypi]
username=jperras
password=mygreatpassword
```

we can instead have this:

```
[distutils]
index-servers=
    pypi

[pypi]
username=jperras
passwordeval="gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.pypipwd.gpg"
```

----------
components: Distutils
messages: 319699
nosy: dstufft, eric.araujo, jperras
priority: normal
severity: normal
status: open
title: Allow dynamic password evaluation in pypirc configuration file.
type: enhancement
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33875>
_______________________________________
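
An added example (not distutils code and not from the issue's author): one way a `.pypirc` reader could honour the proposed `passwordeval` key. It assumes POSIX file modes and, unlike the shell execution described in the submission, runs the command as an argv list; `resolve_password` and `is_private` are hypothetical names.

```python
import configparser
import os
import shlex
import stat
import subprocess

def is_private(path):
    """True if only the owner can read or write the file (POSIX modes)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def resolve_password(path, server, timeout=30):
    """Return the password for `server`, from `password` or `passwordeval`."""
    # A file that other users can edit would let them choose the command we run.
    if not is_private(path):
        raise PermissionError(f"{path} is accessible to group/others")
    rc = configparser.RawConfigParser()
    rc.read(path)
    section = rc[server]
    if "passwordeval" not in section:
        return section["password"]
    cmd = section["passwordeval"].strip()
    # The issue's sample wraps the command in double quotes; drop one layer.
    if len(cmd) >= 2 and cmd[0] == cmd[-1] and cmd[0] in "\"'":
        cmd = cmd[1:-1]
    # Assumption: argv execution instead of a shell, so metacharacters in the
    # value are never interpreted; "~" is therefore expanded by hand.
    argv = [os.path.expanduser(a) for a in shlex.split(cmd)]
    out = subprocess.run(argv, stdout=subprocess.PIPE, stdin=subprocess.DEVNULL,
                         check=True, timeout=timeout).stdout
    # The password is the first output line, without its trailing newline.
    lines = out.decode().splitlines()
    if not lines:
        raise ValueError("passwordeval command produced no output")
    return lines[0]
```

A non-zero exit status from the helper raises `subprocess.CalledProcessError`, so a failed decryption is never mistaken for an empty password.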

