Twine: Use API tokens by default for PyPI

Created on 23 Jan 2020 · 4 comments · Source: pypa/twine

This idea occurred to me after responding to https://github.com/pypa/packaging-problems/issues/313, and the reporter subsequently suggested something similar.

In my head, this would look something like:

$ twine upload dist/* 
Uploading distributions to https://upload.pypi.org/legacy/
Enter your API token: 

On the implementation side of things, I wonder if it'd be sufficient to default username to __token__ for PyPI and TestPyPI. But, maybe it would be clearer to add an explicit token option.

Very open to opinions on this.

Labels: enhancement, question

All 4 comments

I don't think we can reliably always ask for an API token because I strongly suspect some folks haven't gone through the trouble of generating/finding it. Our prompts would need to be far more convoluted by asking first if the user wants to use an API token or user/password auth.

I think this also speaks to the open issues about twine configure and twine accounts.

> I think this also speaks to the open issues about twine configure and twine accounts.

For other folks' reference, that's https://github.com/pypa/twine/issues/216 and https://github.com/pypa/twine/issues/324.

It seems like the PyPA guides are guiding newcomers to use API tokens from the start:

https://packaging.python.org/tutorials/packaging-projects/#uploading-the-distribution-archives
https://packaging.python.org/guides/distributing-packages-using-setuptools/#create-an-account

I wonder how convoluted it would be in practice, since I think this would only apply if credentials aren't provided via the command line, environment variables, or .pypirc.

What about something like:

$ twine upload dist/* 
The PyPA recommends authenticating with API tokens: https://pypi.org/help/#apitoken
Do you have an API token? [Y/n]
Enter your API token: 

Or:

The PyPA recommends authenticating with API tokens: https://pypi.org/help/#apitoken
Enter your API token (or your username): 
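As an added example (not twine's code, and not written by anyone in this thread), here is a small Python credential resolver that models the ordering discussed in the comment above (command line, then TWINE_USERNAME/TWINE_PASSWORD, then .pypirc, then a prompt) together with the opening proposal of defaulting the username to __token__ for PyPI and TestPyPI. The two upload URLs, the environment variable names, the __token__ username and the pypi- token prefix are real; the function names, the prompt wording, the sample .pypirc and the local mismatch check are assumptions of the example.

```python
"""Hypothetical credential resolution for a twine-style uploader.

Added example: this is not twine's own code. It models the order the thread
describes (command line, then environment, then .pypirc, then prompt) and the
proposal to default the username to ``__token__`` for PyPI and TestPyPI.
"""
import configparser
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

# Real upload endpoints; the __token__ default applies only to these two.
PYPI_URL = "https://upload.pypi.org/legacy/"
TESTPYPI_URL = "https://test.pypi.org/legacy/"
TOKEN_USERNAME = "__token__"   # the only username PyPI accepts with an API token
TOKEN_PREFIX = "pypi-"         # every PyPI API token starts with this

# Constructed sample config for the example; the token value is not a real token.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = __token__
password = pypi-EXAMPLE-NOT-A-REAL-TOKEN

[testpypi]
repository = https://test.pypi.org/legacy/
username = alice
password = hunter2
"""


@dataclass(frozen=True)
class Credentials:
    username: str
    password: str
    username_source: str   # cli, env, pypirc, default or prompt
    password_source: str


def is_token_repository(url: str) -> bool:
    return url in (PYPI_URL, TESTPYPI_URL)


def load_pypirc(text: str, section: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (username, password) from one .pypirc section, or (None, None)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section(section):
        return None, None
    return parser[section].get("username"), parser[section].get("password")


def _first(*candidates: Tuple[Optional[str], str]) -> Tuple[Optional[str], Optional[str]]:
    """Pick the first non-empty value and remember where it came from."""
    for value, source in candidates:
        if value:
            return value, source
    return None, None


def resolve_credentials(
    repository_url: str,
    *,
    cli_username: Optional[str] = None,
    cli_password: Optional[str] = None,
    env: Optional[Mapping[str, str]] = None,
    pypirc_text: str = "",
    pypirc_section: str = "pypi",
    prompt: Callable[[str], str] = input,
) -> Credentials:
    env = env or {}
    rc_user, rc_pass = load_pypirc(pypirc_text, pypirc_section)
    username, user_src = _first(
        (cli_username, "cli"), (env.get("TWINE_USERNAME"), "env"), (rc_user, "pypirc"),
    )
    password, pass_src = _first(
        (cli_password, "cli"), (env.get("TWINE_PASSWORD"), "env"), (rc_pass, "pypirc"),
    )
    # The proposal: nothing configured and the target is PyPI/TestPyPI, so
    # assume an API token instead of asking for a username.
    if username is None and is_token_repository(repository_url):
        username, user_src = TOKEN_USERNAME, "default"
    if username is None:
        username, user_src = prompt("Enter your username: "), "prompt"
    if password is None:
        label = "Enter your API token: " if username == TOKEN_USERNAME else "Enter your password: "
        password, pass_src = prompt(label), "prompt"
    return Credentials(username, password, user_src, pass_src)


def token_mismatch_warning(creds: Credentials) -> Optional[str]:
    """Catch the two token misconfigurations locally, before the server rejects the upload."""
    looks_like_token = creds.password.startswith(TOKEN_PREFIX)
    if creds.username == TOKEN_USERNAME and not looks_like_token:
        return f"username is {TOKEN_USERNAME} but the secret does not look like a PyPI API token"
    if creds.username != TOKEN_USERNAME and looks_like_token:
        return f"secret looks like a PyPI API token, so the username must be {TOKEN_USERNAME}"
    return None


if __name__ == "__main__":
    # Walk through the proposed prompt flow with a fake prompt instead of stdin.
    asked = []

    def fake_prompt(label: str) -> str:
        asked.append(label)
        return "pypi-FAKE-TOKEN"

    creds = resolve_credentials(PYPI_URL, env=os.environ, prompt=fake_prompt)
    print("prompts shown:", asked)
    print("resolved:", creds.username, creds.username_source, creds.password_source)
    print("warning:", token_mismatch_warning(creds))
```

The mismatch check is the part a practitioner tends to want: a token pasted against a normal username, or a password pasted after the username has silently defaulted to __token__, both fail only at upload time, so flagging them before the request is sent saves a confusing rejection.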

> It seems like the PyPA guides are guiding newcomers to use API tokens from the start:

They'll go further:

> In the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password, without a second factor). We do not yet know when we will make this policy change. When we do, we'll announce it.

See https://pyfound.blogspot.com/2020/01/start-using-2fa-and-api-tokens-on-pypi.html

Related: https://github.com/pypa/twine/issues/565 - Not obvious how to use multiple project API tokens with keyring
