Bug#745342: ITP: twine -- Collection of utilities for interacting with PyPI
Package: wnpp
Severity: wishlist
Owner: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* Package name : twine
Version : 1.3.1
Upstream Author : Donald Stufft <donald@stufft.io>
* URL : https://github.com/dstufft/twine
* License : Apache 2.0
Programming Lang: Python
Description : Collection of utilities for interacting with PyPI
Twine is a utility for interacting with PyPI.
The biggest reason to use twine is that python setup.py upload uploads
files over plaintext. This means anytime you use it you expose your
username and password to a MITM attack. Twine uses only verified TLS to
upload to PyPI protecting your credentials from theft.
Secondly it allows you to precreate your distribution files. python
setup.py upload only allows you to upload something that you’ve created
in the same command invocation. This means that you cannot test the
exact file you’re going to upload to PyPI to ensure that it works before
uploading it.
Finally it allows you to pre-sign your files and pass the .asc files
into the command line invocation (twine upload twine-1.0.1.tar.gz
twine-1.0.1.tar.gz.asc). This enables you to be assured that you’re
typing your gpg passphrase into gpg itself and not anything else since
you will be the one directly executing gpg --detach-sign -a <filename>.
I'd like to maintain twine inside PAPT
Reply to: