PMXBOT Log file Viewer

#pypa-dev logs for Wednesday the 19th of November, 2014

[04:08:56] <r1chardj0n3s> PyPI blocks registrations of "requirements.txt" and "rrequirements.txt" *NOW*
[04:08:59] <r1chardj0n3s> thanks brandon
[04:19:50] <r1chardj0n3s> wow, I suck at salt
[04:19:59] <r1chardj0n3s> well, no, I suck at pypi infra
[04:23:31] <r1chardj0n3s> seems to be some delay between "salt-call state.highstate" finishing and the website actually behaving according to the new code
[08:51:25] <jezdez> r1chardj0n3s: odd I remember having registered requirements.txt a while ago
[18:28:21] <dstufft> jaraco: ping
[18:29:07] <jaraco> pong dstufft
[18:30:05] <dstufft> jaraco: I'm working on setuptools, but I think I'm doing something wrong, even on the master branch when I run ``setup.py egg_info`` it tells me that egg_info isn't a command
[18:30:29] <jaraco> You need to run bootstrap.py if you don't already have setuptools installed.
[18:30:54] <jaraco> That's a recent change.
[18:31:11] <jaraco> It used to be that the egg-info was stored in the repo, but that caused a lot of confusion.
[18:32:30] <dstufft> hm
[18:32:37] <dstufft> well I do have setuptools installed already
[18:32:39] <dstufft> though it's 3.6
[18:33:24] <jaraco> That's surprising to me then. I would expect setuptools to find the egg-info command from there, then.
[18:33:48] <dstufft> ah
[18:34:03] <dstufft> looks like deleting setuptools.egg-info from the current dir fixed it
[18:34:13] <jaraco> aah. That makes sense.
[18:34:49] <jaraco> The presence of that egg-info in . was superseding the installed one, but because the entry points were deleted, there were no entry points (including the egg_info command).
[18:37:26] <dstufft> ah
[18:37:27] <dstufft> makes sense
[19:03:59] <jezdez> dstufft: hey, just to sanity check, did you or r1chardj0n3s_afk delete the requirements.txt package I registered on pypi?
[19:04:46] <dstufft> jezdez: I haven't deleted anything
[19:04:53] <jezdez> r1chardj0n3s_afk apparently put that name on blocklist, but it just occurred to me that if you actually deleted the package I would like to have been informed about it
[19:04:58] <dstufft> dunno about r1chardj0n3s_afk
[19:05:02] <jezdez> meh
[19:05:06] <jezdez> not cool
[19:05:52] <dstufft> I didn't even know we had a block list
[19:06:00] <dstufft> is that new?
[19:06:39] <dstufft> oh hey
[19:06:45] <dstufft> it apparently is new
[19:08:18] <dstufft> I assume r1chardj0n3s_afk deleted it, and for the same likely reason that he added a block list, that having the new registered is somewhat of a security risk (although I'm not sure how effective a block list is, it'll stop pip install requirements.txt, but not pip install dev-requirements.txt, etc)
[19:09:18] <jezdez> for the record, it’s the fact that one of my legitimately registered packages was deleted or modified without my prior or post knowledge
[19:09:34] <jezdez> I agree with r1chardj0n3s_afk’s intent, I registered it exactly for that purpose
[19:10:44] <jezdez> how’s warehouse going?
[19:10:50] <jezdez> dstufft: ^
[19:11:58] <dstufft> jezdez: back burnered until pip 6.0
[19:12:05] <dstufft> which I'm hoping to do soon
[19:12:08] <jezdez> cool
[19:12:19] <jezdez> wish I could help
[19:12:19] <dstufft> I want to get PEP 440 into setuptools/pip before 6.0, trying to finish up the setuptools and pip PRs for those
[19:12:30] <jezdez> makes sense to me
[19:13:27] <jezdez> fwiw, I’m *stoked* to see ensurepip in 2.x
[19:13:31] <jezdez> couldn’t be happier actually
[19:14:21] <dstufft> yea I'm real happy about that too
[19:14:56] <dstufft> I think it's all done now, I did the module itself, and I think Steve and ned got the Windows Installer, OSX Installer, and Makefile support done
[19:22:25] <dstufft> No distributions matching the version for python-dateutil<2.0,>=1.0,>=2.1 (from freezegun)
[19:22:27] <dstufft> >:|
[20:01:39] <dstufft> jaraco: side effect of the bootstrap.py step is you can't pip install a dev setuptools from git anymore
[20:28:15] <r1chardj0n3s> jezdez: hi, I checked and there was no requirements.txt on pypi, but there was one on testpypi (EWDurbin's)
[20:28:40] <EWDurbin> hello
[20:28:48] <EWDurbin> what’s up r1chardj0n3s ?
[20:29:02] <r1chardj0n3s> not me, I am clearly still in bed
[20:32:13] <r1chardj0n3s> jezdez: or at least I *thought* I did, I hit the URL and got a 404... I'm sure I did. Regardless, I would have let you know if I had noticed you'd registered it, sorry for my incompetence.
[20:48:01] <r1chardj0n3s> jezdez: I'm just scouring the audit log now to see wtf is going on
[20:50:17] <r1chardj0n3s> dammit, the remove_package code nukes the journal, so that's not going to help
[20:50:36] <r1chardj0n3s> in hindsight, it shouldn't nuke the journal :(
[20:58:54] <r1chardj0n3s> jezdez: I'm curious as to why you registered the other requirements.* packages
[21:00:10] <jezdez> r1chardj0n3s: I registered them at the time when we first discussed other formats
[21:00:34] <jezdez> I think I got the .json first and then the .txt since I realized that this may be a problem if someone registered it
[21:00:41] <r1chardj0n3s> ah, fair enough
[21:01:01] <jezdez> not sure where it went
[21:01:03] <r1chardj0n3s> so yesterday I went into panic mode when brandon announced the potential badness on Twitter :(
[21:01:09] <jezdez> pretty sure I didn’t delete it myself fwiw :)
[21:01:29] <r1chardj0n3s> I have no freaking idea what might have happened to your requirements.txt package, and now I'm panicking about that
[21:01:38] <jezdez> right, I really agree with there being a blocklist for stuff like this
[21:01:40] <jezdez> no worries
[21:02:00] <jezdez> yeah, I wish I’d known
[21:02:09] <jezdez> is there a way to get that info from some other mirror?
[21:02:15] <r1chardj0n3s> so the sequence of events as far as I can tell was:
[21:02:24] <r1chardj0n3s> 1. I hit the URL, 404
[21:02:33] <r1chardj0n3s> 2. I hand-crafted a package of my own
[21:02:36] <dstufft> PyPI 404's if a package is registered but there are no releases
[21:02:40] <r1chardj0n3s> 3. I wrote the blocker and installed it
[21:03:01] <r1chardj0n3s> 4. I attempted to register my package, and it worked because salt updates aren't immediate :(
[21:03:12] <r1chardj0n3s> 5. I nuked my package, waited a while and re-tried and was blocked
[21:03:21] <dstufft> sounds like step 5 is where jezdez lost it
[21:03:22] <r1chardj0n3s> at the nuke step, all journal information was lost
[21:03:34] <dstufft> because IIRC r1chardj0n3s runs as admin which lets him steal people's packages accidentally
[21:03:44] <r1chardj0n3s> yeah, so if there was no release, I would have auto-taken over the entry, and yep
[21:03:46] <dstufft> (i drop my admin bit when i'm not using it b/c I did that by accident once)
[21:04:17] <r1chardj0n3s> yeah, it's a flaw I'm careful to not use
[21:04:23] <jezdez> http://www.red-dove.com/pypi/projects/R/requirements.txt/project.json exists
[21:04:50] <r1chardj0n3s> yeah, with no releases - does that sound right?
[21:05:13] <r1chardj0n3s> so if it had no releases, what dstufft says matches my own interpretation of how it might have happened
[21:05:15] <jezdez> yeah
[21:05:18] <jezdez> I just squatted it
[21:05:22] <jezdez> as I do often ;D
[21:05:40] <r1chardj0n3s> ok, so it's probably not an actual break-in :/
[21:05:45] <jezdez> just wanted to make sure nobody releases a package under that name
[21:07:32] <r1chardj0n3s> jezdez: indeed, thanks for being so proactive in the first place!
[21:07:55] <jezdez> meh, just me trying to save my own ass :D
[21:08:09] <r1chardj0n3s> I figure it's better to have actual blocking in pypi rather than rely on people to do stuff like register nasty packages
[21:08:14] <jezdez> totally
[21:08:15] <r1chardj0n3s> :)
[21:08:23] <jezdez> I’d have used a blocklist if there would have been one
[21:08:40] <r1chardj0n3s> ok, panic mode subsiding, I'm gonna get my breakfast
[21:08:54] <jezdez> :)
[21:08:59] <jezdez> +1 for having a coffee now
[21:09:06] <jezdez> in case you drink it :)
[21:09:13] <r1chardj0n3s> I do and I will :)
[21:09:20] <jezdez> enjoy!
[21:09:25] <jezdez> and thanks for figuring that out with me
[21:09:28] <r1chardj0n3s> sorry for inducing worry in you
[21:09:34] <jezdez> no problem
[21:09:53] <jezdez> I won’t take that thing about incompetence from you, btw
[21:10:23] <r1chardj0n3s> it seems I exist to instill worry in django core developers :/
[21:10:32] <r1chardj0n3s> thanks :)
[21:39:16] <dstufft> r1chardj0n3s: don't worry, I'm pretty sure there are more people worried about me breaking things than there are worried about you doing something nefarious :D
[21:39:49] <r1chardj0n3s> dstufft: I'll worry enough for everyone then :)
[21:40:15] <dstufft> (also, warehouse is totally going to have a sudo built into it to do things that a normal user can't do for us)
[21:40:41] <r1chardj0n3s> oh, yeah, the permission model needs to be totally fixed!
[21:41:13] <dstufft> because dropping admin privs via SQL is a pain in the ass