PMXBOT Log file Viewer

#pypa-dev logs for Tuesday the 20th of May, 2014

[01:51:12] <dstufft> as I find more niggly corners, my regexes grow larger
[01:51:18] <dstufft> yay regexes
[07:10:41] <Ivoz> dstufft: NFA ftw
[20:58:36] <toumorokoshi> dstufft: I was thinking about tackling the legacy user apis, but I wanted to talk to you a little bit first
[20:58:47] <toumorokoshi> (this is yusuket btw, just standardizing my naming to my github)
[20:58:49] <dstufft> tomprince: hi!
[20:58:53] <dstufft> er
[20:58:54] <dstufft> toumorokoshi:
[20:59:01] <dstufft> damn tab complete
[20:59:01] <toumorokoshi> haha close enough :)
[20:59:40] <toumorokoshi> anyway it seems like I should add the routes to this file, and maybe add in a warehouse.legacy.user?
[20:59:41] <toumorokoshi> https://github.com/pypa/warehouse/blob/master/warehouse/legacy/urls.py
[21:00:01] <toumorokoshi> or do you have other thoughts on user registration?
[21:00:12] <dstufft> which are these for
[21:00:21] <dstufft> not sure which legacy user apis you mean
[21:00:44] <toumorokoshi> I’m reading this PEP: http://legacy.python.org/dev/peps/pep-0301/#web-interface
[21:01:01] <toumorokoshi> way back at PyCon Richard Jones said it’s something worth working on
[21:01:18] <dstufft> heh
[21:01:18] <dstufft> wow
[21:01:25] <dstufft> I don't think I've ever read this PEP
[21:01:35] <toumorokoshi> hahaha
[21:01:52] <agronholm> I've never heard of this either
[21:02:18] <toumorokoshi> ok, I figured this is the endpoint that ‘python setup.py register’ calls
[21:02:32] <toumorokoshi> but we’re moving away from that pattern anyway right?
[21:03:11] <dstufft> hm
[21:03:19] <dstufft> yea I think I need to talk to richard about this
[21:03:29] <toumorokoshi> ok, sounds good
[21:03:48] <dstufft> because the problem is, basically all forms of setup.py register are vulnerable either to passive or active MITM
[21:04:14] <dstufft> and that's not something we can easily fix
[21:04:17] <toumorokoshi> really? why is that?
[21:04:39] <toumorokoshi> no ssl?
[21:04:41] <dstufft> yea
[21:04:48] <toumorokoshi> I see
[21:04:58] <dstufft> 2.x has basically zero support for handling it, and 3.x I think it's still off by default
[21:05:29] <toumorokoshi> ok, for setuptools right?
[21:05:40] <toumorokoshi> but it sounds like it still has the functionality to actually securely register a user
[21:06:11] <toumorokoshi> so maybe we only allow registration over ssl? Or would that be too much?
[21:07:04] <dstufft> the problem is that you have literally every Python install out there that doesn't do that
[21:07:13] <dstufft> PyPI already forces everyone over to SSL
[21:07:25] <dstufft> however, that doesn't stop the fact that Python doesn't validate the SSL connection
[21:07:34] <toumorokoshi> ah I see
[21:07:42] <dstufft> so someone can MITM PyPI and use an invalid cert, and setup.py will never notice
[21:08:10] <dstufft> This is something i've been thinking about, because I'm mildly convinced the one way to fix that is to just break setup.py's ability to contact pypi
[21:08:16] <dstufft> the only way*
[21:08:50] <dstufft> but that's going to be a PEP and I need to talk to richard and stuff
[21:08:51] <toumorokoshi> yeah, and force people to upgrade setuptools to one that has the correct url and also validates certs?
[21:09:11] <dstufft> that, or use twine, which may eventually be pip upload or something
[21:09:26] <toumorokoshi> ohh I like that idea
[21:09:30] <toumorokoshi> twine -> pip upload
[21:09:50] <dstufft> i'm thinking about making a PR for that for pip 1.6
[21:10:09] <toumorokoshi> +1 for that!
[21:10:30] <toumorokoshi> ok, so I definitely see your dilemma with register
[21:10:59] <dstufft> the most convenient way to break setup.py <thing-that-talks-to-pypi> is just not implement those legacy APIs in warehouse and create a new API
[21:11:17] <toumorokoshi> right
[21:11:40] <dstufft> when warehouse goes live, then setup.py register|upload|etc stop working and people are forced to switch to <whatever new method> and hopefully they'll switch to a client that validates TLS
[21:11:54] <toumorokoshi> I personally think it’s ok to break the register methodology
[21:12:09] <toumorokoshi> most people (myself included) read it once, register, and then never think about it again
[21:12:24] <dstufft> well it'll also involve breaking setup.py upload too
[21:12:30] <dstufft> and doc_upload
[21:12:45] <dstufft> those all send the users password in plaintext
[21:12:51] <toumorokoshi> ohhh ok
[21:13:00] <toumorokoshi> yeah that’s a lot bigger then
[21:13:28] <dstufft> you can imagine how bad it would be for say, my password to get leaked, I have access to pip there which is a fairly popular thing for people to install :/
[21:13:41] <dstufft> sometimes I have access to everything whenever I sudo my account heh
[21:13:51] <toumorokoshi> yeah, the lack of security is really dangerous there
[21:14:18] <toumorokoshi> so it sounds like we should hold back on implementing any legacy write apis until this is figured out eh?
[21:18:41] <dstufft> well we can yea, I mean we can also implement them, and if we decide to kill the write APIs just delete them from warehouse then... it's kind of crappy to have to implement and then delete later on but it also means that we can move warehouse into production sooner and not be blocked on solving that long standing issue
[21:19:07] <dstufft> so if you *want* to work on them, that's OK with me and I'm certainly not against merging them if they are implemented, I'm personally not sure which avenue is the best way atm
[21:20:25] <toumorokoshi> haha actually I just found this comment from Richard a while ago saying not to implement those apis
[21:20:26] <toumorokoshi> https://github.com/pypa/warehouse/issues/57
[21:20:38] <dstufft> yea
[21:20:52] <toumorokoshi> I’m happy to work on whatever though
[21:21:04] <dstufft> the user registration i'm meh on, I don't think we need to do that on the command line and having people do it via the web interface is perfectly fine
[21:21:27] <toumorokoshi> ok, I think a gui reg option is a good idea either way
[21:21:30] <dstufft> yes
[21:21:38] <toumorokoshi> can I give that a shot?
[21:21:40] <dstufft> we don't have that implemented yet if that's something you're implemented in
[21:21:44] <dstufft> we have login and log ou
[21:21:46] <dstufft> out*
[21:21:56] <dstufft> you're interested in*
[21:22:08] <toumorokoshi> yeah, that sounds good to me :)
[21:22:23] <dstufft> that might be nicer to deal with than legacy apis :D
[21:22:45] <toumorokoshi> I’m not complaining ;)
[21:23:04] <toumorokoshi> I’ll make a ticket then, announce it’s being worked on
[23:33:03] <agronholm> if I install a wheel, is pip supposed to uninstall the old version of the distribution?
[23:33:53] <agronholm> hm I supposed this question should go to the other channel
[23:33:55] <agronholm> -d