Flit and 2FA

Robert Crowther Dec 2024

Genius from Python’s ‘flit’ package, it enables publishing an app, your work, to a package index in one stroke. Well, to get going you need a PyPI account. And to add a plain text ‘toml’ file to the project, but ‘flit’ can generate basic config in one line, like this,

flit init

Then it’s,

flit publish

And that will send your package to the PyPI (by default) online package repository.

Some people would say this is the idiot way—have you never encountered Autotools and/or Debian packaging? Me, I say it’s what’s needed and nothing more (the truth is somewhere between—‘flit’ can’t cover some use cases, but is a genius interface with enough ability for most scenarios).

Ah, but an issue has risen. Can’t function nowadays without 2FA (‘Two‐factor authentication’)

Flit and 2FA

Two‐factor authentication means any mods to online material need a second check to make sure you are who you say. Passwords are not enough.

You’ll see mention of CI (‘Continuous Integration’) and Trusted Publishers. Ignore them. They are for people who have the time and need to work continuously, with volume. We’re talking auto‐propagation from GitHub, configured via. Actions. That kind of activity.

You’ll also see mention of using USB authentication, which holds some ground in corporate‐level computer development.

But you are not these things. You, like me, are a mediocre developer. You will, for the second factor of authentication, use Tokens.

You’ll need two‐step authentication on the account itself (groan). Which is easiest, on PyPI, with a smartphone and an authentication app (need to save recovery codes etc.). If you don’t have a smartphone, you know what the world thinks of you, don’t you (a twenty‐three‐zillion character password entry code)?

Instructions

For Linux,

  1. Log in to PyPI

  2. Click on your username in the top right corner > ”Account settings” (confirm password if necessary)

  3. Find ‘API tokens’, click ”Add API token”

  4. Enter a description, make it generic (eg. ”PyPI token for package uploads”), Scope: ‘Entire account (all projects)’ (we are mediocre) > click ”Create”

  5. A token will display. Copy it and store it in a secure place. No second chances here

  6. Find or create a file ‘~/.pypirc’ (it may exist, for example if you’ve used Flit before)

Add the following lines to ‘~/.pypirc’,

[distutils]
 index-servers =
     pypi

 [pypi]
 username = __token__
 password = TOKEN_HERE

Now you should be able to use

flit publish

References

Instructions, and when you get to them, good,

https://nikhilakki.in/how-to-bundle-your-python-app-as-a-pip-package-upload-to-pypi

Pypi on Trusted Publishing,

https://docs.pypi.org/trusted-publishers/

Using Flit, article on packaging an app in Django,

/article/packaging-an-app