
Use API tokens by default for PyPI

Open bhrutledge opened this issue 5 years ago • 12 comments

This idea occurred to me after responding to https://github.com/pypa/packaging-problems/issues/313, and the reporter subsequently suggested something similar.

In my head, this would look something like:

$ twine upload dist/* 
Uploading distributions to https://upload.pypi.org/legacy/
Enter your API token: 

On the implementation side of things, I wonder if it'd be sufficient to default username to __token__ for PyPI and TestPyPI. But, maybe it would be clearer to add an explicit token option.

Very open to opinions on this.

bhrutledge avatar Jan 23 '20 01:01 bhrutledge

I don't think we can reliably always ask for an API token because I strongly suspect some folks haven't gone through the trouble of generating/finding it. Our prompts would need to be far more convoluted by asking first if the user wants to use an API token or user/password auth.

I think this also speaks to the open issues about twine configure and twine accounts.

sigmavirus24 avatar Jan 23 '20 14:01 sigmavirus24

I think this also speaks to the open issues about twine configure and twine accounts.

For other folks' reference, that's https://github.com/pypa/twine/issues/216 and https://github.com/pypa/twine/issues/324.

It seems like the PyPA guides are guiding newcomers to use API tokens from the start:

https://packaging.python.org/tutorials/packaging-projects/#uploading-the-distribution-archives
https://packaging.python.org/guides/distributing-packages-using-setuptools/#create-an-account

I wonder how convoluted it would be in practice, since I think this would only apply if credentials aren't provided via the command line, environment variables, or .pypirc.

What about something like:

$ twine upload dist/* 
The PyPA recommends authenticating with API tokens: https://pypi.org/help/#apitoken
Do you have an API token? [Y/n]
Enter your API token: 

Or:

The PyPA recommends authenticating with API tokens: https://pypi.org/help/#apitoken
Enter your API token (or your username): 

bhrutledge avatar Jan 23 '20 14:01 bhrutledge

It seems like the PyPA guides are guiding newcomers to use API tokens from the start:

They'll go further:

In the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password, without a second factor). We do not yet know when we will make this policy change. When we do, we'll announce it.

See https://pyfound.blogspot.com/2020/01/start-using-2fa-and-api-tokens-on-pypi.html

sebix avatar Jan 25 '20 10:01 sebix

Related: https://github.com/pypa/twine/issues/565 - Not obvious how to use multiple project API tokens with keyring

bhrutledge avatar Jan 26 '20 12:01 bhrutledge

This idea occurred to me after responding to pypa/packaging-problems#313, and the reporter subsequently suggested something similar.

In my head, this would look something like:

$ twine upload dist/*
Uploading distributions to https://upload.pypi.org/legacy/
Enter your API token:

On the implementation side of things, I wonder if it'd be sufficient to default `username` to `__token__` for PyPI and TestPyPI. But, maybe it would be clearer to add an explicit `token` option.

Very open to opinions on this.

Doondondon avatar Nov 04 '23 09:11 Doondondon

Now that 2FA is mandatory on PyPI, I think this becomes a reasonable change.

jeanas avatar Jan 02 '24 17:01 jeanas

CCing @miketheman as well 🙂

(Context: dpo discussion: https://discuss.python.org/t/announcement-2fa-now-required-for-pypi/42251)

woodruffw avatar Jan 02 '24 17:01 woodruffw

I agree. It's reasonable now to start prompting (in the case of repository_url == upload.pypi.org) for tokens only instead of username + password. Regardless, we can't drop basic auth altogether because of non-PyPI destinations.

sigmavirus24 avatar Jan 02 '24 17:01 sigmavirus24
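The prompting behaviour discussed in this thread, written out as an added example (not twine's own code): credentials already supplied via the command line, environment or .pypirc are used untouched; only when nothing was supplied and the target is upload.pypi.org or test.pypi.org does it ask for an API token and use the `__token__` username, while any other repository keeps the username/password prompt. The `prompt`/`prompt_secret` callbacks are an assumption made so the logic can be tested without a terminal.

```python
# Added example, not twine's own code. Credential resolution for `twine upload`
# as proposed in this thread: token-first for PyPI/TestPyPI, basic auth elsewhere.
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

# Upload endpoints for which the token-only prompt applies.
TOKEN_ONLY_HOSTS = {"upload.pypi.org", "test.pypi.org"}
TOKEN_USERNAME = "__token__"
TOKEN_HELP_URL = "https://pypi.org/help/#apitoken"


def is_pypi_repository(repository_url: str) -> bool:
    """True when the target is PyPI or TestPyPI over https (plain http never qualifies)."""
    parsed = urlparse(repository_url)
    return parsed.scheme == "https" and parsed.hostname in TOKEN_ONLY_HOSTS


def resolve_credentials(
    repository_url: str,
    username: Optional[str],
    password: Optional[str],
    prompt: Callable[[str], str],         # assumed: input() in a real CLI
    prompt_secret: Callable[[str], str],  # assumed: getpass.getpass() in a real CLI
) -> Tuple[str, str]:
    """Return (username, password) for the upload, prompting only for what is missing."""
    if username is None and is_pypi_repository(repository_url):
        # No stored credentials and the target is PyPI/TestPyPI: ask for a token only.
        print(f"The PyPA recommends authenticating with API tokens: {TOKEN_HELP_URL}")
        token = prompt_secret("Enter your API token: ").strip()
        if not token:
            raise ValueError("an API token is required to upload to PyPI")
        if not token.startswith("pypi-"):
            # PyPI-issued tokens carry this prefix; a missing prefix usually means a
            # password was pasted instead, which PyPI will reject for 2FA accounts.
            print("Warning: PyPI API tokens normally start with 'pypi-'")
        return TOKEN_USERNAME, token

    # Basic-auth path: non-PyPI repositories, or a username already supplied
    # (including an explicit __token__ coming from .pypirc).
    if username is None:
        username = prompt("Enter your username: ").strip()
    if password is None:
        password = prompt_secret("Enter your password: ")
    return username, password
```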

For deconflicting purposes: I'll work on a PR for this today.

woodruffw avatar Jan 04 '24 16:01 woodruffw

I've opened #1040 for this. The actual change is relatively small, but I've left a comment describing potential improvements/current shortcomings.

woodruffw avatar Jan 04 '24 18:01 woodruffw