Comments (23)
It just occurred to me that I can convert (some of the) Appveyor files to use tokens without waiting for the password change, and then they won't be affected by the password change.
I've created a tracking issue for this: zopefoundation/meta#109

If you're looking for the PyPI password for zope.wheelbuilder, I have that.

Probably not, we seem to use an auth token here:

I wonder where this __token__ for the username is coming from. I grepped all code in zope.interface and searched the GitHub docs.

Each repository now has to have a token created on PyPI with upload rights to the PyPI project.

@dataflake See https://pypi.org/help/#apitoken for details about __token__

@jamadden I created an API-Token for the project extensionclass and added it as TWINE_PASSWORD to the secrets section of this repository. I'll try to rerun the GHA job which should create and upload the wheels to see if this helps.

Ah, thank you for the link. So __token__ isn't a variable - it's a fixed string instructing PyPI to match on the password/API token. Learned something new.

It seems to work, MacOS and ManyLinux wheels are starting to fill up https://pypi.org/project/ExtensionClass/4.5.1/#files

That's a whole lot of eggs now...

It seems to work, I was able to download one of the wheels and import Base from it.
Closing this issue here. Thank you for the help.
I have a follow-up at zopefoundation/meta#107

(FWIW I also have the PyPI password for the zope.wheelbuilder account, but, as you can see, I'm not responding to GH tickets very fast these days. You need that password to log in to PyPI and generate an API token with permissions to upload a particular project. PyPI token auth is documented here.)

I just created a token password from my account – I think this should make no difference, as it is only used for the wheel upload from GHA.
Or do you think it is better to have a list of the generated tokens in one place aka listed on the zope.wheelbuilder PyPI account?

I am STRONGLY in favor of keeping these in one common place. That way we can keep track and revoke where needed.

@mgedmin I just provided the zope.wheelbuilder PyPI account password for Michael so he can create the token. The password is short and not secure. I would like to change it. Do you know who all uses it actively, or in what scripting contexts it is in active use?

The password is used in some appveyor.yml files, see https://github.com/search?q=org%3Azopefoundation+zope.wheelbuilder&type=code – interestingly it is used with different encrypted values. Probably we should switch those usages to __token__, too.

I updated the TWINE_PASSWORD GHA secret to the token generated from zope.wheelbuilder and removed the one from my PyPI account.

Only two people used to know the password -- you and me. Only a few Travis and Appveyor files have the password in an encrypted form. (Thank you @icemac, I've forgotten about all Appveyor!)
These repositories have an encrypted password in appveyor.yml:
mg@blynas: ~/src/zopefoundation $ grep secure: */appveyor.yml
AccessControl/appveyor.yml: secure: y/k8TP312tLRATkXU5dq+g==
Acquisition/appveyor.yml: secure: y/k8TP312tLRATkXU5dq+g==
BTrees/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
ExtensionClass/appveyor.yml: secure: y/k8TP312tLRATkXU5dq+g==
Persistence/appveyor.yml: secure: y/k8TP312tLRATkXU5dq+g==
persistent/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
zodbpickle/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
zope.container/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
zope.hookable/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
zope.i18nmessageid/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
zope.index/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
zope.interface/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
zope.proxy/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
zope.security/appveyor.yml: secure: UcdTh6W78cRLVGfKRFoa5A==
Appveyor encryption is per-account. We don't have a shared zopefoundation account on Appveyor; a few (two, I think) people have set up Appveyor builds for various projects using their personal Appveyor accounts. I'm the one who set up persistent, zope.interface and all the others with "UcdTh..." in the encrypted password field. I don't remember who set up AccessControl, Acquisition, ExtensionClass, and Persistence.
Travis encryption is per-repo, but we no longer care about Travis.
GHA uses secrets managed via the GitHub UI, and not encrypted blobs in committed files. I think only three four GH repos do twine uploads from GHA, and I believe they use tokens instead of the shared password:
mg@blynas: ~/src/zopefoundation $ grep -l 'twine.*upload' */.github/workflows/*
BTrees/.github/workflows/tests.yml
ExtensionClass/.github/workflows/tests.yml
persistent/.github/workflows/tests.yml
zope.interface/.github/workflows/tests.yml
This information should maybe live in some zopefoundation developer document somewhere instead of my brain/random github issue I will never be able to find again...
The password was already changed once, although we had fewer repos then. If you need a secure method of sharing the password with me, I still use GPG (with an outdated not-very-secure 1024-bit DSA key 8121AD32F00A8094748A6CD09157445DE7A6D78F), or https://pypi.org/project/magic-wormhole/.
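Added example (not part of the thread and not zopefoundation code): the inventory done with grep in the comment above, as a script that groups repositories by identical encrypted value and lists those whose upload user is not yet __token__. The TWINE_USERNAME/TWINE_PASSWORD layout, the sample values and the function names are assumptions.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample: repo name -> appveyor.yml text. The layout and the
# secure: values are assumptions for illustration, not the real files.
SAMPLE = {
    "repo-a": "environment:\n  global:\n    TWINE_USERNAME: zope.wheelbuilder\n"
              "    TWINE_PASSWORD:\n      secure: EXAMPLE-BLOB-ONE==\n",
    "repo-b": "environment:\n  global:\n    TWINE_USERNAME: zope.wheelbuilder\n"
              "    TWINE_PASSWORD:\n      secure: EXAMPLE-BLOB-TWO==\n",
    "repo-c": "environment:\n  global:\n    TWINE_USERNAME: __token__\n"
              "    TWINE_PASSWORD:\n      secure: EXAMPLE-BLOB-THREE==\n",
    "repo-d": "environment:\n  global:\n    TWINE_USERNAME: zope.wheelbuilder\n"
              "    TWINE_PASSWORD:\n      secure: EXAMPLE-BLOB-ONE==\n",
    "repo-e": "build: off\n",  # no upload credentials at all
}

SECURE_RE = re.compile(r"^\s*secure:\s*(\S+)", re.MULTILINE)
USER_RE = re.compile(r"^\s*TWINE_USERNAME:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def audit(configs):
    """Return (repos grouped by encrypted blob, repos not yet on __token__)."""
    by_blob = defaultdict(list)
    needs_migration = []
    for repo, text in sorted(configs.items()):
        blobs = SECURE_RE.findall(text)
        if not blobs:
            continue  # nothing encrypted here, so no stored credential
        for blob in blobs:
            by_blob[blob].append(repo)
        user = USER_RE.search(text)
        if user is None or user.group(1) != "__token__":
            needs_migration.append(repo)
    return dict(by_blob), needs_migration


def load_checkouts(root):
    # Read */appveyor.yml below root, the same files the grep above covers.
    return {p.parent.name: p.read_text(encoding="utf-8")
            for p in Path(root).glob("*/appveyor.yml")}


if __name__ == "__main__":
    groups, todo = audit(SAMPLE)
    for blob, repos in groups.items():
        print(f"{blob}: {', '.join(repos)}")
    print("still using the shared password:", ", ".join(todo))
```

Running `audit(load_checkouts(path))` on a directory of checkouts gives the same grouping for real files; each repository in the second list needs its own project-scoped token before the shared password is rotated.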
> The password was already changed once, although we had fewer repos then. If you need a secure method of sharing the password with me, I still use GPG (with an outdated not-very-secure 1024-bit DSA key 8121AD32F00A8094748A6CD09157445DE7A6D78F), or https://pypi.org/project/magic-wormhole/.

I just sent you the new password and TOTP seed. Let me know if it works.

I've received them and managed to construct a QR code for Google Authenticator with
$ virtualenv /tmp/sandbox
$ /tmp/sandbox/bin/pip install pyqrcode
$ /tmp/sandbox/bin/python
>>> import pyqrcode, subprocess
>>> secret = input("TOTP seed: ")
>>> url = f'otpauth://totp/zope.wheelbuilder?secret={secret}&issuer=PyPI'
>>> svgfile = '/run/user/1000/pypi-totp.svg' # a tmpfs so the secret won't hit disk
>>> pyqrcode.create(url).svg(svgfile, background='#fff', scale=8)
>>> subprocess.run(['xdg-open', svgfile])
If there's an easier way, I'd love to hear it!
(To clarify: I was able to log in.)

You're not telling me that you don't know about "normal" OTP apps, right? All password managers I know have them included so all you need to do is save that seed value.

I'm not typing the seed value into my phone's Google Authenticator by hand, even if that option is allowed!
The only password manager I use on my laptop is pwsafe, which is an (unmaintained, removed from Ubuntu, kept on life support in a PPA) terminal application that can handle PasswordSafe databases and doesn't know anything about OTP or QR codes. My previous searches of usable GUI password managers ended up in tears and failure.

Have you tried Enpass (https://www.enpass.io/)? I moved to Enpass from 1Password when it was clear they wanted to force everyone onto subscriptions and onto using their own cloud. Enpass (still) has a 1-time payment option to unlock everything and they allow syncing over whatever cloud option you can think of, I use my own Nextcloud instance with it.