On 15 June 2014 09:19, John Mark Vandenberg <jayvdb@gmail.com> wrote:

We have four sets of cleartext passwords (http & proxy & db), and secrets such as various API keys and mw cookies and edit tokens.

The passwords are stored in two files in clear text (user-config.py and .passwd). Other secrets are in cached API files, etc.

I would like to introduce an optional dependency on a library to manage (some of?) these secrets. The current secret storage would continue to work correctly.

The keyring package is the obvious candidate. Any objections or improvements on that?


I'm not completely sure how that would work -- I see how it could work as an alternative to ~/.pywikibot, but it might be problematic for people with multiple checkouts for different usernames/bots. In addition, I'm afraid this might make the credential storage fairly opaque: you'd need to run some script to set the password, instead of just editing a config file.

What's the major advantage over a file with 600 permissions? Will it prevent local administrators from accessing the password? (they could also just sniff the password from the network traffic...)

One last point: I think cached API files should *not* store passwords. The exception is the tests, which cache everything to make sure tests run reasonably fast.

Merlijn
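One way the optional dependency could be wired up, as an added example that is not pywikibot's code and not from either poster: the keyring package is used when it imports and actually has a working backend, otherwise a 0600 password file is used, and the file path refuses to read a file that is group- or world-accessible (the check that makes "a file with 600 permissions" hold in practice rather than by convention). The service name, the one-`username:password`-per-line format and all credentials are constructed for the example; the real .passwd format is not reproduced. The file backend is POSIX-only (os.getuid, os.fchmod).

```python
"""Secret store: optional keyring backend, permission-checked file fallback (example code)."""
import os
import shutil
import stat
import tempfile

SERVICE = "pywikibot-example"  # hypothetical keyring service name; a real one could include the config dir

try:
    import keyring  # optional dependency: absence just means the file store is used
except ImportError:
    keyring = None


class InsecurePermissions(Exception):
    """The password file is not owned by us or is readable by group/others."""


def check_private(path):
    """Refuse a password file unless it is ours and mode 0600 or stricter (as ssh does for private keys)."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise InsecurePermissions("%s is not owned by the current user" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecurePermissions(
            "%s is group/world accessible (mode %o)" % (path, stat.S_IMODE(st.st_mode)))


class FileBackend:
    """Clear-text file, one 'username:password' line per account (constructed format)."""

    def __init__(self, path):
        self.path = path

    def _load(self):
        check_private(self.path)
        entries = {}
        with open(self.path) as fh:
            for line in fh:
                line = line.rstrip("\n")
                if not line or line.startswith("#"):
                    continue
                name, _, password = line.partition(":")  # password may itself contain ':'
                entries[name] = password
        return entries

    def get(self, username):
        if not os.path.exists(self.path):
            return None
        return self._load().get(username)

    def set(self, username, password):
        if ":" in username or "\n" in username or "\n" in password:
            raise ValueError("username must not contain ':' and neither field may contain a newline")
        entries = self._load() if os.path.exists(self.path) else {}
        entries[username] = password
        # Write a replacement that is 0600 from its first byte, whatever the umask or
        # whatever a leftover temp file looked like, then swap it in atomically.
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as fh:
            for name, pw in entries.items():
                fh.write("%s:%s\n" % (name, pw))
        os.replace(tmp, self.path)


class KeyringBackend:
    """Thin wrapper over the keyring package's get_password/set_password."""

    def __init__(self, service=SERVICE):
        if keyring is None:
            raise RuntimeError("keyring is not installed")
        self.service = service

    def get(self, username):
        return keyring.get_password(self.service, username)

    def set(self, username, password):
        keyring.set_password(self.service, username, password)


def open_store(path, service=SERVICE):
    """Prefer the OS keyring when it is installed and usable; otherwise fall back to the file."""
    if keyring is not None:
        try:
            keyring.get_password(service, "__probe__")  # raises on headless boxes with no backend
            return KeyringBackend(service)
        except Exception:  # NoKeyringError, locked keychain, etc.: use the file instead
            pass
    return FileBackend(path)


def demo():
    """Exercise the file fallback end to end with constructed credentials and report the outcome."""
    tmpdir = tempfile.mkdtemp()
    try:
        path = os.path.join(tmpdir, "passwd")
        store = FileBackend(path)
        store.set("ExampleBot", "hunter2")
        store.set("OtherBot", "s3cret:with:colons")
        store.set("ExampleBot", "rotated")  # overwriting keeps a single entry per account
        with open(path) as fh:
            line_count = sum(1 for _ in fh)
        results = {
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "example": store.get("ExampleBot"),
            "other": store.get("OtherBot"),
            "missing": store.get("Nobody"),
            "lines": line_count,
        }
        os.chmod(path, 0o644)  # simulate a user who loosened the file by accident
        try:
            store.get("ExampleBot")
            results["loose_rejected"] = False
        except InsecurePermissions:
            results["loose_rejected"] = True
        return results
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print(demo())
```

The multiple-checkouts concern raised above maps onto the `service` argument: deriving it from the checkout's config directory keeps each bot's keyring entries separate, while the file backend keeps working unchanged for anyone who prefers editing a file.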