New submission from Joel Perras:
In its current implementation, a user is required to provide their cleartext
PyPI password in their .pypirc configuration file for authenticated
interactions with PyPI servers to succeed. For hopefully obvious reasons, this
is sub-optimal from a security standpoint.
In some popular utilities (e.g. msmtp), the ability to provide a `passwordeval`
field is made optional to the user. The value of this field is executed by the
OS-dependent shell, and the return value is then used as the password.
For example, instead of this:
```
[distutils]
index-servers=
    pypi

[pypi]
username=jperras
password=mygreatpassword
```
we can instead have this:
```
[distutils]
index-servers=
    pypi

[pypi]
username=jperras
passwordeval="gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.pypipwd.gpg"
```
--
components: Distutils
messages: 319699
nosy: dstufft, eric.araujo, jperras
priority: normal
severity: normal
status: open
title: Allow dynamic password evaluation in pypirc configuration file.
type: enhancement
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8
___
Python tracker
<https://bugs.python.org/issue33875>
___
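An added sketch of how a `.pypirc` reader could resolve the proposed `passwordeval` key; it is not distutils code and not part of the submission above. `passwordeval` is the key proposed in the issue, not an existing distutils option, the helper names `resolve_password` and `load_credentials` are hypothetical, and the command is run as an argument list without a shell, which is a hardening assumption that differs from the shell execution the message describes.

```python
import configparser
import os
import shlex
import subprocess
import sys

# Constructed sample; the Python one-liner stands in for the gpg command.
SAMPLE_PYPIRC = f"""\
[distutils]
index-servers=
    pypi
    legacy

[pypi]
username=jperras
passwordeval="{sys.executable} -c 'import sys; print(sys.argv[1])' constructed-secret"

[legacy]
username=jperras
password=mygreatpassword
"""


def resolve_password(section, timeout=30):
    """Return a server's password; `passwordeval` wins over cleartext `password`."""
    command = section.get("passwordeval")
    if command is None:
        return section.get("password")  # cleartext fallback, may be None
    argv = shlex.split(command)
    # The issue's example quotes the whole command; unwrap that single token.
    if len(argv) == 1 and " " in argv[0]:
        argv = shlex.split(argv[0])
    if not argv:
        raise ValueError("passwordeval is empty")
    # No shell runs here, so expand a leading "~" ourselves; metacharacters
    # such as ";" or "$(...)" stay literal arguments instead of being executed.
    argv = [os.path.expanduser(arg) for arg in argv]
    done = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          timeout=timeout, check=True)
    return done.stdout.decode("utf-8").rstrip("\r\n")


def load_credentials(text):
    """Map each index server to (username, password) from .pypirc text."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    servers = parser.get("distutils", "index-servers").split()
    return {name: (parser.get(name, "username"), resolve_password(parser[name]))
            for name in servers}
```

With `check=True`, a helper that exits non-zero (for example a failed decryption) raises `subprocess.CalledProcessError` rather than yielding an empty password.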