PMXBOT Log file Viewer

#buildout logs for Monday the 11th of March, 2013

[19:16:40] <dstufft> Does buildout support any hashing function besides md5?
[19:16:48] <dstufft> From an index
[19:17:16] <dstufft> e.g. if I use buildout with Crate (https://simple.crate.io/Django/) which exposes sha256 instead of md5 will it use that?
[19:18:39] <J1m> dstufft, buildout relies on distribute for checking hashes.
[19:19:09] <dstufft> J1m: Ok, sorry I'm not familiar with buildout :) I added other hashes to pip so wasn't sure how buildout handled it
[19:19:11] <dstufft> thanks!
[19:19:48] <J1m> buildout bothered really hard not to reimplement if it didn't have to.
[19:20:25] <J1m> but that means it's dependent on distribute, which isn't the greatest position to be in. :(
[19:33:35] <dstufft> J1m: :) One other question, is buildout itself on PyPI? I only see extensions?
[19:34:14] <J1m> zc.buildout
[19:34:25] <dstufft> ah
[19:34:26] <dstufft> oops
[19:34:28] <dstufft> my bad :)
[19:35:33] <J1m> np
[19:47:20] <J1m> dstufft, do you know if anyone's working on a urllib2 plugin that adds ssl certificate verification?
[19:47:42] <J1m> I've only seen a pip patch, which does that for pip.
[19:47:45] <dstufft> J1m: It's not a plugin but pip has backported SSL verification to urllib2
[19:48:01] <dstufft> It uses an opener or w/e
[19:48:07] <J1m> But not in a form that anyone else can use afaict.
[19:48:27] <dstufft> hrm
[19:48:29] <dstufft> moment
[19:48:41] <J1m> I think it is a plugin in that it registers through urllib2's plugin system, iirc.
[19:49:39] <dstufft> J1m: just looking, pip's stuff uses a generic urllib2 opener
[19:49:55] <dstufft> I can see if I have it in a form without the pip stuff included in the same PR tho
[19:49:56] <dstufft> sec
[19:50:07] <J1m> I'm not an expert in this stuff, so I'm really hoping that someone packages up a fix in a form I can use.
[19:50:58] <J1m> If not, I'll probably change buildout to use requests, which may be the right answer anyway.
[19:51:11] <dstufft> J1m: I don't know buildout's code at all, is buildout directly using urllib?
[19:51:52] <dstufft> J1m: I don't know what versions buildout needs to support, if it matches what requests supports that's a very good option fwiw
[19:51:52] <J1m> no, buildout uses distribute/setuptools, which uses urllib2, but it would be easy enough for buildout to register a better opener w urllib2.
[19:53:07] <J1m> well, buildout2 uses python 2.6 and later. Some people probably rely on using buildout 1 with earlier versions.
[19:53:57] <dstufft> J1m: https://github.com/pypa/pip/pull/791/files#L15R72 the VerifiedHTTPSConnection and VerifiedHTPSOpener should work with just plain urllib2 (once you remove the line that has the PIP_CERT env var)
[19:54:03] <J1m> buildout 1 actually has the ability to build for other versions of Python, so someone could use buildout with Python 2.6 to build Python 2.4 applications.
[19:54:12] <dstufft> requests is 2.6+
[19:54:48] <J1m> yup
[19:55:18] <J1m> Yeah, that's the PR I looked at the other day.
[19:55:27] <dstufft> J1m: FWIW pip is probably dropping support for 2.5 in the next release. If so I'll probably try to get them off of urllib2 and into requests. I'd really like to not need to have monkeypatches for SSL laying around. much nicer to keep security related stuff in one location (requests / ssl)
[19:55:46] <J1m> exactly.
[19:56:14] <J1m> If I copy the code from the pip changes, then I'll have to maintain my copy.
[19:56:46] <J1m> I'd rather there be a maintained secure urllib2 opener that pip, me, and others used.
[19:57:03] <J1m> But you're probably right that we should all switch to requests.
[19:57:08] <dstufft> J1m: btw Crate.io uses #sha256=<…> instead of #md5=, and I'm going to be pushing for PyPI to do the same
[19:57:56] <dstufft> http://www.openwall.com/lists/oss-security/2013/03/11/4 <- request for a CVE for setuptools/distribute (and ancillarily buildout) because using MD5 is a bad bad thing (I can't request a CVE for PyPI because it's a service not a piece of software)
[19:57:58] <J1m> Yeah. I haven't had time to keep up with all the discussions, but I think I saw that go by.
[19:59:06] <dstufft> J1m: fwiw if buildout ever needs security related help feel free to ping me. I desperately want packaging to be secure :)
[20:00:00] <J1m> Much thanks. I'd love to not have to ping you because what I'm using takes care of it. :)
[20:00:54] <dstufft> :)
[20:00:57] <dstufft> -> afk