Changes between Initial Version and Version 1 of PasswordsAndPyPI


Timestamp: May 16, 2016, 3:42:57 PM (4 years ago)
Author: flip
= Passwords, PyPI Uploads, `twine`, and `.pypirc` =

This document describes some pitfalls of interacting with PyPI.

== Caveat ==

`setuptools` is a 3rd party enhancement of the Python standard library's
`distutils`. It's hard for me to tell where one begins and the other ends,
especially because `setuptools` often operates by subclassing `distutils`
features. Some of the blame below aimed at `setuptools` might more
properly be directed at `distutils`.

== Uploading with `setuptools` ==

Uploading wheels to PyPI is a little awkward. The obvious way to
do it is with this `setuptools` command --
{{{
python setup.py bdist_wheel upload
}}}

There's already a shortcoming there, which is that one must create
the wheel and upload it in the same step. There's no way to
create the wheel, test it, and ''then'' upload it. That's just a
quibble, though, since one can just create the wheel, test it, and
then re-create it for the upload step. It's annoying if your wheel
takes a long time to build. Fortunately, none of ours do.

== `setuptools`, Uploads and Passwords ==

Another annoyance is that `setuptools` relies on `~/.pypirc`
for authentication information, and
it's a bit stupid about it.

If there's no authentication info present, it
tries to upload your wheel without authentication, resulting in this:
{{{
Upload failed (401): You must be identified to edit package information
}}}

If there's partial authentication info present (say, a username without a
password, which would be ideal), rather than prompting you for a password,
`setuptools` just passes the password `None` to `distutils` which then fails
with this --

{{{
  File "/Users/vespa/miniconda2/lib/python2.7/distutils/command/upload.py", line 135, in upload_file
    self.password)
TypeError: cannot concatenate 'str' and 'NoneType' objects
}}}

This is an easy problem to fix -- just add the username and password
to `~/.pypirc`. Now you have a much bigger problem, which is that your password
is stored in cleartext on your hard drive.

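An added example (not part of the original wiki page, and not code from `setuptools` or `twine`): a standard-library check that reports which index-server sections of a `.pypirc` hold a cleartext password and whether the file's mode lets other local accounts read it. The sample file contents, the account name, and the function names are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample; the account name and password are made up.
SAMPLE = """\
[distutils]
index-servers =
    pypi
    testpypi
[pypi]
username: alice
password: not-a-real-password
[testpypi]
username: alice
"""

def audit_pypirc(path):
    """Report per-server credential state and whether other local users can read the file."""
    # RawConfigParser does no '%' interpolation, so a password containing '%' still parses.
    parser = configparser.RawConfigParser()
    parser.read(path)
    servers = {}
    for name in parser.sections():
        if name == "distutils":
            continue  # lists index servers only, holds no credentials
        password = parser.get(name, "password", fallback="")
        if password.strip():
            servers[name] = "cleartext-password"
        elif parser.has_option(name, "username"):
            servers[name] = "username-only"  # nothing secret on disk
        else:
            servers[name] = "no-credentials"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other bit means the secret is not limited to the owning account (POSIX).
    exposed = os.name == "posix" and bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return {"servers": servers, "readable_by_others": exposed}

def audit_sample(mode):
    """Write SAMPLE to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".pypirc")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_pypirc(path)
    finally:
        os.remove(path)
```

To check a real file, call `audit_pypirc(os.path.expanduser("~/.pypirc"))`; a `cleartext-password` result combined with `readable_by_others` is the case to fix first.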
== `setuptools`, Package Registration and Passwords ==

For some reason, `setuptools` is smarter when running this command --
{{{
python setup.py register
}}}

If your password isn't in `.pypirc`, it prompts you for it. Go figger.

== Real Solution #1 - `keyring` ==

[https://pypi.python.org/pypi/keyring KeyRing] is a Python package that
interacts with the OS keychain (Windows Credential Vault, Mac Keychain, etc.).
This allows you to store your passwords securely and still access them with
Python.

`setuptools` can use `keyring` if it's available. I haven't figured out
how to set it up yet, though.

== Real Solution #2 - `twine` ==

[https://pypi.python.org/pypi/twine Twine] is a Python package that does
one thing -- upload stuff to PyPI. It allows you to upload your wheels
independently of creating them, which is nice.

More importantly, it is smart enough to prompt you for a username/password
if there isn't one present in `.pypirc`.

Unfortunately, `twine` doesn't use `keyring`, so you have to manually
enter your username/password when prompted.