TL;DR: PyPI has OAuth1 support; pythonpackages.com uses it to send your GitHub repos to PyPI.
Thanks in very large part to Richard Jones, the Python Package Index now has support for registering and uploading packages via OAuth1. And using his sample code I was able to take advantage of it on pythonpackages.com. The result is a fairly elegant approach to releasing packages sans dirty hacks (I had been asking users for their username and password, then storing them in an encrypted session cookie so I could send them to PyPI). Here’s how it works now.
GitHub provides an easy way to let folks sign in to pythonpackages.com with their APIv3. I was able to code the OAuth dance using only the requests library (HT Kenneth Reitz). This was working as of late 2011.
Once you are signed in, you can select a package. You can then perform various actions on the selected package, one of which is Tag and Release. As soon as you select Tag and Release, you are required to authenticate with PyPI.
In order to get the beta out the door, a dirty hack was added to allow users to enter their PyPI credentials. Credentials were saved in an encrypted session cookie, then written out to `.pypirc` before calling `python setup.py upload`. Really terrible. This was shipped in early July 2012 and is thankfully no longer necessary (though it is still necessary to push the initial commit to GitHub).
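To show why OAuth1 removes the need to hold a user's PyPI password (the session-cookie and `.pypirc` hack above), here is an added example, not code from pythonpackages.com, PyPI, or Richard Jones's sample. It signs an upload-style request with HMAC-SHA1 as specified in RFC 5849 and verifies it as a server would. The URL, keys, secrets, form fields, and function names are all constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters are left unencoded.
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def authorization_header(method, url, form, consumer, token, nonce, timestamp):
    # consumer and token are (identifier, secret) pairs; only identifiers are sent.
    oauth = {"oauth_consumer_key": consumer[0], "oauth_token": token[0],
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
             "oauth_nonce": nonce, "oauth_version": "1.0"}
    oauth["oauth_signature"] = sign(method, url, {**oauth, **form}, consumer[1], token[1])
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def verify(method, url, form, header, consumer_secret, token_secret):
    # Server side: recompute the signature from the stored secrets and compare.
    fields = (item.split("=", 1) for item in header[len("OAuth "):].split(", "))
    oauth = {unquote(k): unquote(v.strip('"')) for k, v in fields}
    claimed = oauth.pop("oauth_signature")
    expected = sign(method, url, {**oauth, **form}, consumer_secret, token_secret)
    return hmac.compare_digest(claimed, expected)

# Constructed sample values; none of them come from PyPI or pythonpackages.com.
CONSUMER = ("site-key", "site-secret")
TOKEN = ("user-token", "user-token-secret")
URL = "https://pypi.example/upload"
FORM = {"name": "example-pkg", "version": "1.0"}

if __name__ == "__main__":
    header = authorization_header("POST", URL, FORM, CONSUMER, TOKEN, "n0nce", "1341100800")
    print(header)
    print("valid:", verify("POST", URL, FORM, header, CONSUMER[1], TOKEN[1]))
    tampered = dict(FORM, version="6.6")
    print("tampered:", verify("POST", URL, tampered, header, CONSUMER[1], TOKEN[1]))
```

The header carries the token identifier and a signature, never the secrets or a password, so the site stores only a token the user can revoke. A real verifier also rejects stale timestamps and reused nonces, which this sketch leaves out.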