API tokens: Remove @token and pypi: cases #6345
Comments
I'm in favor of doing this before the end of the beta, so that we can tell beta testers to try the new token usernames and prefixes, so we can find out during the beta whether the new ones cause any glitches.
would it be too much to just reserve the "token" username? Is it already in use? GitHub does that for things like "issues" etc.
Looks like the
I’ve gone ahead and squatted that name. Obviously, I’m cool with just removing that account or let PyPI admins do whatever they deem necessary with that name.
how about '🎟' as the username? eg "\N{ADMISSION TICKETS}"
@graingert what does the pypi.org username have to do with devpi? The
@fschulze devpi would probably want to support this API token authentication scheme too. If an install has a user called "token" it would break that user for them. I'm thinking downstream "twine upload -r devpi" not upstream pypi
@graingert it would use separate credentials anyway as it already does now. I don't see any reason accounts on pypi would interfere with devpi or the other way around.
Yes but the "token" username is part of the API tokens Auth protocol
@graingert yes and it doesn't matter in devpi, because the API is specific to pypi.org. Otherwise all users in devpi would conflict with pypi.org already. If we implement upload tokens in devpi, then we would handle that on the devpi side. It is pretty easy to determine whether a token was used or not. Any
It's ultimately the maintainers' call, but I'm 👎 on plain
Is there a regex of currently valid PyPI usernames so we can be more informed when picking an intentionally invalid one?
so some examples:
and my personal favorite:
At some point in the future (perhaps at the end of the API token beta?), support for `@token` as a token username and `pypi:` as a token prefix should end in favor of `__token__` and `pypi-`, respectively.
See #6287, #6342.
cc @brainwane @di @ewdurbin @dstufft