Poetry: Use .pypirc for authentication

Created on 16 May 2018 · 10 Comments · Source: python-poetry/poetry

Twine can use a .pypirc (for example ~/.pypirc) to authenticate against the repository. It would be nice if poetry used it.

All 10 comments

Counter-arguments:

  • it’s a plain-text (unencrypted) file in the home directory
  • not always created with permissions that only allow user to read it
  • multiple config files (.pydistutils.cfg and .pypirc) are confusing for users

The argument is compatibility vs. clean break.

I wonder what PyPA folks would recommend for this (@ncoghlan @dstufft).

Adding something like the following to poetry/poetry/masonry/publishing/publisher.py should do the trick:

# at the top
import configparser
import os

# inside Publisher.publish:
cfg = configparser.ConfigParser()
# ConfigParser.read() silently skips files that do not exist,
# so a missing ~/.pypirc needs no exception handling.
cfg.read(os.path.expanduser('~/.pypirc'))
username = username or cfg.get('pypi', 'username', fallback=None)
password = password or cfg.get('pypi', 'password', fallback=None)

I'll come back and assign this to myself if I ever get around to setting up a Poetry development environment and trying to make this work. Otherwise, it's unclaimed.

It would also be cool to save the username either to .pypirc or to the Poetry config store, and/or to read the password from and save it to Keyring, like Flit does.

@osteele currently it is possible to save the credentials with these two files:

  • ~/.config/pypoetry/config.toml
[repositories]
pypi = {url = "https://upload.pypi.org/legacy/"}
testpypi = {url = "https://test.pypi.org/legacy/"}
  • ~/.config/pypoetry/auth.toml
[http-basic]
pypi = {username = "myuser", password = "topsecret"}
testpypi = {username = "myuser", password = "topsecret"}

It can be done through the CLI, but I don't remember how…

I didn't know it was possible when I opened this issue. So now I can do without it. But I leave the issue open because it could be nice to have compatibility across the different tools.

> Counter-arguments:

Yeah, maybe asking users to put plaintext passwords in a file should be considered a legacy behavior that shouldn't be pushed forwards.

I like what Flit does: read and write the username to and from .pypirc; read the password from .pypirc if it's there, but otherwise read and write it to Keyring.

I'll open another issue for the use of Keyring for storing the password. It's related to this one, but requires different implementation steps (that could supplement this one), and may raise a different set of concerns.

Here's a code sketch that only uses the password from .pypirc if that file is protected. This matches the behavior of ssh with regard to the private key files in ~/.ssh.

import configparser
import os
import stat
import sys

PYPIRC_PERMISSIONS_WARNING = r"""Warning: unprotected PyPI configuration file!
Permissions 0{:o} for {!r} are too open.
It is required that your password is NOT accessible by others.
The password will be ignored.
"""

# inside Publisher.publish, where username and password are already defined:
pyprc_path = os.path.expanduser('~/.pypirc')
if os.path.exists(pyprc_path):
    # create the parser before reading the file into it
    cfg = configparser.ConfigParser()
    cfg.read(pyprc_path)
    username = username or cfg.get('pypi', 'username', fallback=None)
    if not password:
        password = cfg.get('pypi', 'password', fallback=None)
        # keep only the user/group/other permission bits
        permissions = os.stat(pyprc_path).st_mode & (stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)
        # any bit outside the owner's own means group or others can access the file
        if permissions & ~stat.S_IRWXU:
            sys.stderr.write(PYPIRC_PERMISSIONS_WARNING.format(permissions, pyprc_path))
            password = None
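
A self-contained version of the check sketched in the comment above, as an added example that is not part of the original thread or of Poetry's code: it stats the open file descriptor rather than the path, also requires that the current user owns the file, and returns the username even when the password is withheld. `read_pypirc` and `demo` are hypothetical names, the sample credentials are constructed, and a POSIX system is assumed.

```python
import configparser
import os
import stat
import tempfile


def read_pypirc(path, section="pypi"):
    """Return (username, password, warning) for `section` in a .pypirc file.

    Hypothetical helper (added example, not Poetry code). The password is
    returned only if the current user owns the file and no group/other
    permission bits are set; otherwise it is None and `warning` says why.
    """
    try:
        fd = os.open(path, os.O_RDONLY)
    except FileNotFoundError:
        return None, None, None
    with os.fdopen(fd, encoding="utf-8") as handle:
        # fstat the descriptor we are about to read, so the check and the
        # read apply to the same file even if the path is swapped meanwhile.
        info = os.fstat(handle.fileno())
        cfg = configparser.ConfigParser(interpolation=None)  # '%' is legal in passwords
        cfg.read_file(handle)

    username = cfg.get(section, "username", fallback=None)
    password = cfg.get(section, "password", fallback=None)
    mode = stat.S_IMODE(info.st_mode)
    warning = None
    if info.st_uid != os.getuid():
        warning = f"{path!r} is not owned by the current user"
    elif mode & (stat.S_IRWXG | stat.S_IRWXO):
        warning = f"permissions {mode:04o} for {path!r} are too open"
    if warning:
        password = None  # ignore the secret, keep the non-secret username
    return username, password, warning


def demo():
    """Run read_pypirc on a constructed sample file at mode 0600, then 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".pypirc")
        with open(path, "w", encoding="utf-8") as f:
            f.write("[pypi]\nusername = myuser\npassword = topsecret\n")
        os.chmod(path, 0o600)
        strict = read_pypirc(path)
        os.chmod(path, 0o644)
        loose = read_pypirc(path)
    return strict, loose
```
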

> It can be done through the CLI, but I don't remember how…

It's documented in Repositories > Configuring Credentials on the web site:

poetry config http-basic.pypi username password

(It actually took me a while to find it, because I didn't realize the website had additional information about poetry config that wasn't in the README. I'm hesitant to submit an issue or PR, since I don't know if that's an issue with the README or just with me…)

Since poetry already reads and stores credentials in a plaintext file, can we get .pypirc support? Or is it considered redundant?

> (It actually took me a while to find it, because I didn't realize the website had additional information about poetry config that wasn't in the README. I'm hesitant to submit an issue or PR, since I don't know if that's an issue with the README or just with me…)

I only found this now. In fact I missed the link at the top of the GitHub repository. It would be nice to add a big "Documentation" link in the README because it's what I always and immediately search for in a README.

This is not something that is planned. I prefer Poetry to be self sufficient and not to depend on other configuration files than its own.

Using this file feels even more helpful, as it now seems that Poetry cannot cache the password in a file anymore. The default keyring usage is not helpful, as it brings the user out of the terminal, and often into a program they don't understand.
