disable keyring per default

docs/configuration.md

@@ -532,10 +532,12 @@ for more information.
 
 **Type**: `boolean`
 
-**Default**: `true`
+**Default**: `false`
 
 **Environment Variable**: `POETRY_KEYRING_ENABLED`
 
+*Changed default to `false` in 2.0.0*
+
 Enable the system keyring for storing credentials.
 See [Repositories - Configuring credentials]({{< relref "repositories#configuring-credentials" >}})
 for more information.

docs/repositories.md

@@ -472,16 +472,19 @@ poetry config http-basic.pypi <username> <password>
 You can also specify the username and password when using the `publish` command
 with the `--username` and `--password` options.
 
-If a system keyring is available and supported, the password is stored to and retrieved from the keyring. In the above example, the credential will be stored using the name `poetry-repository-pypi`. If access to keyring fails or is unsupported, this will fall back to writing the password to the `auth.toml` file along with the username.
-
-Keyring support is enabled using the [keyring library](https://pypi.org/project/keyring/). For more information on supported backends refer to the [library documentation](https://keyring.readthedocs.io/en/latest/?badge=latest).
-
-If you do not want to use the keyring, you can tell Poetry to disable it and store the credentials in plaintext config files:
+If a system keyring is available and supported, the password is stored to and retrieved from the keyring.
+Otherwise, credentials are stored in plaintext config files.
+In order to use keyring, you have to enable keyring support:
 
 ```bash
-poetry config keyring.enabled false
+poetry config keyring.enabled true
 ```
 
+In the above example, the credential will be stored using the name `poetry-repository-pypi`.
+If access to keyring is disabled, fails or is unsupported, this will fall back to writing the password to the `auth.toml` file along with the username.
+
+Keyring support is enabled using the [keyring library](https://pypi.org/project/keyring/). For more information on supported backends refer to the [library documentation](https://keyring.readthedocs.io/en/latest/?badge=latest).
+
 {{% note %}}
 
 Poetry will fall back to Pip style use of keyring so that backends like

src/poetry/config/config.py

@@ -134,7 +134,7 @@ class Config:
         },
         "system-git-client": False,
         "keyring": {
-            "enabled": True,
+            "enabled": False,
         },
     }
 

src/poetry/utils/password_manager.py

@@ -154,7 +154,11 @@ def keyring(self) -> PoetryKeyring:
 
     @staticmethod
     def warn_plaintext_credentials_stored() -> None:
-        logger.warning("Using a plaintext file to store credentials")
+        logger.warning(
+            "Using a plaintext file to store credentials.\n"
+            "Enable keyring support (`poetry config keyring.enabled true`)"
+            " to store credentials securely."
+        )
 
     def set_pypi_token(self, repo_name: str, token: str) -> None:
         if not self.use_keyring:

tests/config/test_config.py

@@ -111,6 +111,10 @@ def test_config_expands_tilde_for_virtualenvs_path(
 def test_disabled_keyring_is_unavailable(
     config: Config, with_simple_keyring: None, dummy_keyring: DummyBackend
 ) -> None:
+    manager = PasswordManager(config)
+    assert not manager.use_keyring
+
+    config.config["keyring"]["enabled"] = True
     manager = PasswordManager(config)
     assert manager.use_keyring
 

tests/console/commands/test_config.py

@@ -60,7 +60,7 @@ def test_list_displays_default_value_if_not_set(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -92,7 +92,7 @@ def test_list_displays_set_get_setting(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -145,7 +145,7 @@ def test_unset_setting(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -176,7 +176,7 @@ def test_unset_repo_setting(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -305,7 +305,7 @@ def test_list_displays_set_get_local_setting(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -344,7 +344,7 @@ def test_list_must_not_display_sources_from_pyproject_toml(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 repositories.foo.url = "https://foo.bar/simple/"
 requests.max-retries = 0
 solver.lazy-wheel = true

tests/utils/test_authenticator.py

@@ -42,6 +42,12 @@ def repo() -> dict[str, dict[str, str]]:
     return {"foo": {"url": "https://foo.bar/simple/"}}
 
 
+@pytest.fixture
+def config(config: Config) -> Config:
+    config.config["keyring"]["enabled"] = True
+    return config
+
+
 @pytest.fixture
 def mock_config(config: Config, repo: dict[str, dict[str, str]]) -> Config:
     config.merge(

tests/utils/test_password_manager.py

@@ -22,6 +22,12 @@
     from tests.conftest import DummyBackend
 
 
+@pytest.fixture
+def config(config: Config) -> Config:
+    config.config["keyring"]["enabled"] = True
+    return config
+
+
 def test_set_http_password(
     config: Config, with_simple_keyring: None, dummy_keyring: DummyBackend
 ) -> None: