In its current implementation, a user is required to provide their cleartext PyPi password in their .pypirc configuration file for authenticated interactions with PyPi servers to succeed. For hopefully obvious reasons, this is sub-optimal from a security standpoint. In some popular utilities (e.g. msmtp), the ability to provide a `passwordeval` field is made optional to the user. The value to this field is executed by the OS-dependent shell, and the return value is then used as the password. For example, instead of this:

```
index-servers=
    pypi

[pypi]
username=jperras
password=mygreatpassword
```

we can instead have this:

```
index-servers=
    pypi

[pypi]
username=jperras
passwordeval="gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.pypipwd.gpg"
```
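The following is an added illustration of how a `passwordeval` lookup could be layered onto `.pypirc` parsing; it is example code written for this page, not part of distutils, setuptools or anything the reporter submitted. It assumes a hypothetical `resolve_password` helper that prefers `passwordeval` over `password`, refuses a section that sets both, and treats a failing or silent command as an error rather than falling back to an empty password. One deliberate difference from the msmtp behaviour described above: the command is split with `shlex` and run without a shell, so that nothing in the config line is re-interpreted by `/bin/sh`. The sample `.pypirc` text is constructed for the example, and its `passwordeval` command simply runs the current Python interpreter to print a fixed string so the example works offline; in real use it would be something like the `gpg --decrypt` invocation shown above.

```python
import configparser
import shlex
import subprocess
import sys

# Constructed sample .pypirc contents (not a real file): one server keeps a
# cleartext password, the other uses the proposed passwordeval field. The
# command is a stand-in for e.g. "gpg --quiet --decrypt ~/.pypipwd.gpg" and
# only prints a fixed string so the example runs with no external tools.
SAMPLE_PYPIRC = f"""
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = jperras
password = mygreatpassword

[testpypi]
username = jperras
passwordeval = {shlex.quote(sys.executable)} -c "print('s3cret-from-eval')"
"""


def load_pypirc(text):
    """Parse .pypirc-style INI text; interpolation is off so '%' in commands is literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def run_passwordeval(command, timeout=30):
    """Run the configured command (no shell) and return its first stdout line."""
    argv = shlex.split(command)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    if result.returncode != 0:
        raise RuntimeError(
            f"passwordeval command failed (exit {result.returncode}): {result.stderr.strip()}"
        )
    # Tools like gpg emit a trailing newline; only the first line is the secret.
    lines = result.stdout.splitlines()
    if not lines or not lines[0]:
        raise RuntimeError("passwordeval command produced no output")
    return lines[0]


def resolve_password(parser, server):
    """Return the password for a server section, honouring passwordeval first."""
    section = parser[server]
    has_plain = "password" in section
    has_eval = "passwordeval" in section
    if has_plain and has_eval:
        raise ValueError(f"[{server}] sets both password and passwordeval; use only one")
    if has_eval:
        return run_passwordeval(section["passwordeval"])
    if has_plain:
        return section["password"]
    raise KeyError(f"[{server}] has neither password nor passwordeval")


def credentials_for(text, server):
    """Convenience wrapper: (username, password) for a named index server."""
    parser = load_pypirc(text)
    return parser[server]["username"], resolve_password(parser, server)


if __name__ == "__main__":
    for srv in ("pypi", "testpypi"):
        user, pw = credentials_for(SAMPLE_PYPIRC, srv)
        # Never echo the secret itself; show only that one was obtained.
        print(f"{srv}: user={user} password={'*' * len(pw)}")
```

Rejecting a section that carries both keys avoids the silent situation where a stale cleartext `password` line keeps working even after the user thinks they have moved to `passwordeval`.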
I think there might be a need for a new function in the getpass module that fetches it from the operating system secure enclave, like KeyChain on OSX. Currently there is no facility for storing secrets securely; the documentation of secrets says:

> Applications should not store passwords in a recoverable format, whether plain text or encrypted.

but as far as I know there is no facility to save a secret when you actually need to get it back in plaintext.
Distutils is now deprecated (see PEP 632) and all tagged issues are being closed. From now until removal, only release blocking issues will be considered for distutils. If this issue does not relate to distutils, please remove the component and reopen it. If you believe it still requires a fix, most likely the issue should be re-reported at https://github.com/pypa/setuptools
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:59:01 | admin | set | github: 78056 |
| 2021-02-03 18:16:20 | steve.dower | set | status: open -> closed; nosy: + steve.dower; messages: + ; resolution: out of date; stage: patch review -> resolved |