On Fri, Jan 12, 2018 at 9:51 PM, Donald Stufft <don...@stufft.io> wrote:

> As folks are likely aware, legacy PyPI currently supports logging in using
> OpenID and Google Auth while Warehouse does not. After much deliberation,
> I’ve decided that Warehouse will not be implementing OpenID or Google
> logins, and once we shutdown legacy PyPI, OpenID/ and Google logins to PyPI
> will no longer be possible.
>
> This decision was made for a few reasons:
>
> * Very few people actually are using OpenID or Google logins as it is. In
> one month we had ~15k logins using the web form, ~5k using basic auth, and
> 62 using Google and 7 using OpenID. This is a several orders of magnitude
> difference.
>

For reference: OpenID has never worked for me and I think content blockers
rip out the Google option for me.

* Regardless of how you log into PyPI (Password or Google/OpenID) you’re
> required to have a password added to your account to actually upload
> anything to PyPI. This negates much of the benefit of a federated
> authentication for PyPI as it stands.
>

OAuth app tokens are a possible way to achieve this as well and might suite
various release pipelines better.

* Keeping these requires ongoing maintenance to deal with any changes in
> the specification or to update as Google deprecates/changes things.
> * Adding support for them to Warehouse requires additional work that could
> better be used elsewhere, where it would have a higher impact.
>

All that said, +1 for not bothering with it.

If it ever is tackled, I'm sure this day and age will bring more, more
visible and more direct feedback on it working or not working for users
than the previous iteration.

-- 
Joni Orponen
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Reply via email to