PMXBOT Log file Viewer

Help | Karma | Search:

#pypa-dev logs for Friday the 2nd of January, 2015

(Back to #pypa-dev overview) (Back to channel listing) (Animate logs)
[04:18:11] <r1chardj0n3s> anyone aboot? dstufft?
[04:18:26] <dstufft> r1chardj0n3s: sup?
[04:18:41] <r1chardj0n3s> just poking into the dark corners of my talk and hit this...
[04:19:02] <r1chardj0n3s> (both installed with pip --user)
[04:19:03] <r1chardj0n3s> $ python -me e
[04:19:03] <r1chardj0n3s> /Users/richard/Library/Python/2.7/lib/python/site-packages/e.py
[04:19:08] <r1chardj0n3s> $ python3 -me e
[04:19:08] <r1chardj0n3s> /Users/richard/.local/lib/python3.4/site-packages/e.py
[04:19:21] <r1chardj0n3s> is that expected or have I got something odd in my environment?
[04:19:37] <r1chardj0n3s> ie the location of the "local"
[04:20:04] <r1chardj0n3s> no biggie if it's not an easy answer
[04:20:18] <dstufft> that's not expected, pip install --user on 2.7 should give ~/.local/lib/python2.7/site-packages/e.py
[04:20:29] <r1chardj0n3s> ok
[04:20:37] <Alex_Gaynor> FWIW, I'm pretty sure I've seen the same thing as r1chardj0n3s
[04:20:38] <dstufft> what does uh
[04:20:53] <r1chardj0n3s> had to do this thing first as well :/ http://stackoverflow.com/questions/4495120/combine-user-with-prefix-error-with-setup-py-install
[04:21:02] <dstufft> python2 -m sysconfig | grep userbase give you
[04:21:06] <r1chardj0n3s> (and the error from pip isn't helpful, which is a shame, but tricky to fix)
[04:21:19] <dstufft> what do you have a --prefix
[04:21:21] <r1chardj0n3s> $ python2 -m sysconfig | grep userbase
[04:21:21] <r1chardj0n3s> userbase = "/Users/richard/Library/Python/2.7"
[04:21:22] <dstufft> why*
[04:21:38] <Alex_Gaynor> I assume r1chardj0n3s is using the OS X system python
[04:21:44] <dstufft> ok, so the problem is with your python
[04:21:55] <dstufft> oh wait
[04:22:03] <r1chardj0n3s> hm, I *thought* I was using brew python
[04:22:03] <dstufft> that might be expected with system Python
[04:22:17] <r1chardj0n3s> $ which python2.7
[04:22:17] <r1chardj0n3s> /usr/local/bin/python2.7
[04:22:24] <dstufft> I use pyenv
[04:22:25] <r1chardj0n3s> $ ls -la /usr/local/bin/python2.7
[04:22:25] <r1chardj0n3s> lrwxr-xr-x 1 richard staff 38 2 Jan 15:13 /usr/local/bin/python2.7 -> ../Cellar/python/2.7.8_1/bin/python2.7
[04:22:35] <dstufft> where does your python3.4 come from?
[04:22:44] <r1chardj0n3s> brew
[04:22:49] <r1chardj0n3s> er
[04:22:51] <r1chardj0n3s> I think
[04:23:04] <dstufft> that might actually be correct
[04:23:07] <r1chardj0n3s> haha, no, I compiled from source
[04:23:10] <r1chardj0n3s> 3.4 that is
[04:23:15] <dstufft> sec
[04:23:30] <r1chardj0n3s> ok, so it *is* "something in my environment"
[04:23:32] <r1chardj0n3s> ignore me :)
[04:23:36] <r1chardj0n3s> (please)
[04:23:37] <r1chardj0n3s> ;)
[04:24:04] <r1chardj0n3s> Imma try to track down the --prefix thing tho
[04:24:44] <dstufft> the --prefix thing comes from homebrew I think
[04:24:55] <dstufft> and those paths might be correct
[04:25:00] <r1chardj0n3s> yah
[04:25:17] <r1chardj0n3s> can't find it, but that's my gut feeeling as well
[04:25:24] <dstufft> since /Users/richard/Library/Python/2.7/lib/python/site-packages/e.py is certainly a user directory, it's not one I've noticed before but I compile python via pyenv
[04:25:42] <dstufft> maybe it's the difference between a framework build and a not framework build
[04:25:52] <dstufft> or something
[04:26:12] <r1chardj0n3s> *shrug*
[04:26:44] <dstufft> --prefix is definently from homebrew
[04:26:53] <dstufft> https://github.com/Homebrew/homebrew/blob/master/Library/Formula/python.rb#L191-L200
[04:26:55] <r1chardj0n3s> \o/ I found my image for the "and then CI systems became popular" slide http://4.bp.blogspot.com/-QgVBW4nCvcg/Uyvn0QBZQRI/AAAAAAAAAOI/TDsFOTER9Z0/s1600/End+of+the+World.jpg
[04:28:23] <dstufft> r1chardj0n3s: lol
[04:28:55] <dstufft> r1chardj0n3s: pip 6 should mean we get less traffic \o/ (except from travis and other emphereal build systems *womp whomp*)
[04:29:09] <r1chardj0n3s> yep, nice work there :)
[04:29:30] <r1chardj0n3s> I was meaning to ask... what's the aging policy for that http cache?
[04:30:33] <dstufft> r1chardj0n3s: it follows the CacheControl/expires headers with the caveat that the /simple/ page patches have a hardcoded max age of 10 minutes just to prevent a bad cachecontrol/expires header from breaking things
[04:30:44] <r1chardj0n3s> nice!
[04:30:57] <dstufft> since we expect the /simple/ pages to change periodically but we don't really expect the package files to change
[04:31:02] <dstufft> it also does support conditional gets
[04:31:31] <dstufft> so if we have a cached response, but it's expired and it has an Etag it'll do a conditional get so we don't have to re-download the body response
[04:31:42] <r1chardj0n3s> yup
[04:31:45] <dstufft> (and the conditional get will refresh the cache timeout)
[04:32:31] <dstufft> which we should actually increase that on PyPI
[04:32:39] <dstufft> I think we're set to 1 day on the files right now
[04:33:09] <dstufft> I believe I didn't set it higher because of the file delete loophole
[04:33:16] <dstufft> but I don't think I really care
[04:35:04] <dstufft> r1chardj0n3s: I forget, is there a PEP needed for disabling upload -> delete -> re-upload dance?
[04:35:41] <r1chardj0n3s> I'm not sure what you're referring to there
[04:37:09] <dstufft> r1chardj0n3s: you know how you can delete a file, change the contents, and upload a new file with the same name?
[04:37:14] <r1chardj0n3s> yep
[04:37:23] <r1chardj0n3s> oh, sorry, disabling that. I misread
[04:37:25] <r1chardj0n3s> hm
[04:37:35] <r1chardj0n3s> there's gonna be outrage
[04:37:44] <dstufft> there was a thread awhile ago about it, and I forget what the outcome was
[04:37:57] <r1chardj0n3s> yeah, that'd be a good idea :)
[04:38:17] <Alex_Gaynor> the outcome was in favor of it
[04:39:42] <dstufft> found it !
[04:39:43] <dstufft> https://mail.python.org/pipermail/distutils-sig/2014-September/024890.html
[04:40:53] <r1chardj0n3s> ooh, only recent
[04:41:16] <dstufft> https://mail.python.org/pipermail/distutils-sig/2014-September/024896.html a +1
[04:41:28] <r1chardj0n3s> PEP 458 and 480 would probably affect the editing of metadata post-release
[04:41:42] <dstufft> https://mail.python.org/pipermail/distutils-sig/2014-September/024897.html -1 from MAL
[04:42:07] <dstufft> r1chardj0n3s: not really, either the author would need to upload new signed metadata or PyPI would just sign the new metadata
[04:42:12] <r1chardj0n3s> (in fact, one of my huge red flags with PEP 458 / TUF is the requirement that EVERYTHING for a release is released at the same time)
[04:42:34] <r1chardj0n3s> ... at least, that's the wording in the PEP / TUF as I understood it
[04:43:14] <dstufft> gonna call this a an implicit +1 https://mail.python.org/pipermail/distutils-sig/2014-September/024903.html
[04:43:34] <dstufft> r1chardj0n3s: I don't think it needs that, just the signed metadata has to contain everything, but you can upload new signed metadata
[04:43:53] <r1chardj0n3s> I'm trying to find where in the PEP it said that ... so many words
[04:44:18] <dstufft> https://mail.python.org/pipermail/distutils-sig/2014-September/024901.html another +1
[04:44:27] <dstufft> https://mail.python.org/pipermail/distutils-sig/2014-September/024910.html another
[04:44:36] <dstufft> https://mail.python.org/pipermail/distutils-sig/2014-September/024911.html another
[04:45:34] <r1chardj0n3s> ok, so assume that we *do* allow re-upload of a file with the same name, what's preventing it?
[04:45:52] <r1chardj0n3s> (sorry, we *currently* allow it, what's stopping us from doing so down the track?)
[04:46:45] <r1chardj0n3s> "When a project uploads a new transaction, the project transaction process MUST add all new targets and relevant delegated bins metadata. "
[04:47:02] <r1chardj0n3s> "Every project MUST upload its release in a single transaction."
[04:47:24] <r1chardj0n3s> there's no prevaricating around the bush there...
[04:47:37] <dstufft> r1chardj0n3s: I'm crossing the streams here, is the first two lines there about the delete loophole?
[04:47:38] <r1chardj0n3s> but it's a *big* deviation from the current workflow
[04:47:45] <r1chardj0n3s> sorry, I'm back on TUF :)
[04:47:54] <dstufft> on TUF I may be wrong
[04:47:56] <r1chardj0n3s> which, oddly, is probably related
[04:48:12] <dstufft> but I also think that PyPI should just sign for the metadata files
[04:48:22] <dstufft> and the authors should sign for the files themselves
[04:48:28] <dstufft> which probably resolves this issue too
[04:48:58] <dstufft> becasue if authors are signing for like /simple/<foo>/, it removes the ability of PyPI to ever really evolve that API
[04:49:30] <r1chardj0n3s> that's what TUF ca;lls the "snapshot" isn't it? that is supposed to be signed by PyPI in their design
[04:49:45] <dstufft> r1chardj0n3s: so it's a bit complicated because there are two kinds of metadata at play
[04:50:11] <dstufft> there is the TUF metadata, the TUF metadata is essentially a signed document asserting the contents of some other file
[04:50:43] <dstufft> and in the current PEP, their TUF metadata is responsible for verifying /simple/<foo>/ and /packages/.../foo.tar.gz
[04:50:53] <dstufft> and in PEP 480, the author is signing for both of those files
[04:50:54] <r1chardj0n3s> actually, there is no signing of /simple/ is there?
[04:50:58] <dstufft> yes there is
[04:51:00] <dstufft> currently
[04:51:01] <r1chardj0n3s> there's signing of the file names
[04:51:07] <r1chardj0n3s> sure, but TUF doesn't need it
[04:51:18] <dstufft> well something needs to sign /simple/
[04:51:27] <r1chardj0n3s> I've missed somethign in PEP 480 then
[04:51:31] <r1chardj0n3s> hang on, I'll re-look
[04:51:59] <r1chardj0n3s> I'm not seeing where 480 says *anyone* signs /simple/
[04:52:02] <dstufft> r1chardj0n3s: the way the current PEPs are written is that TUF more or less takes the place of requests.get(), except it verifies using TUF the thing that gets downloaded
[04:52:08] <r1chardj0n3s> (/simple/whatever that is)
[04:52:11] <dstufft> sec
[04:52:50] <dstufft> A claimed or recently-claimed project will need to upload in its transaction to PyPI not just targets (a simple index as well as distributions) but also TUF metadata. The project MAY do so by uploading a ZIP file containing two directories, /metadata/ (containing delegated targets metadata files) and /targets/ (containing targets such as the project simple index and distributions that are signed by the delegated targets metadata).
[04:52:58] <dstufft> the simple index is one of the targets
[04:53:16] <r1chardj0n3s> wtf
[04:53:21] <r1chardj0n3s> that's ... odd
[04:53:29] <r1chardj0n3s> that's duplicating the signing already in targets though
[04:53:46] <r1chardj0n3s> well, except that the signature is generated by the project
[04:54:26] <dstufft> r1chardj0n3s: the way they designed the PEPs is that TUF more or less takes the place of TLS
[04:54:40] <dstufft> IOW anything that pip fetches from PyPI is verified using TUF instead of TLS
[04:54:48] <r1chardj0n3s> hm
[04:54:52] <dstufft> which is the right way to do that
[04:55:01] <Alex_Gaynor> (it should still use TLS< whever possible, IMO, for confidentiality)
[04:55:02] <dstufft> we need to verify everything using TUF
[04:55:05] <dstufft> Alex_Gaynor: it will
[04:55:11] <r1chardj0n3s> ambiguous - which is the "right way"?
[04:55:27] <dstufft> r1chardj0n3s: that we should use TUF to verify everything we downloading, which includes the installer API
[04:55:30] <r1chardj0n3s> ok
[04:55:56] <dstufft> currently in PEP 480 the author is responsible for signing the installer API files that pertain to their project
[04:56:01] <dstufft> but I think that's not going to work for us
[04:56:05] <r1chardj0n3s> I don't see why /simple/ needs to *exist* let alone be signed by the project
[04:56:15] <r1chardj0n3s> given that TUF provides targets.json
[04:56:54] <dstufft> r1chardj0n3s: well it doesn't need to exist, you can use the TUF API itself to do that, they just choose this way becasue it represents the minimal amount of change in pip, since they can essentially just replace the requests.get() calls with a call to a TUF verifying thing
[04:57:13] <dstufft> I told them in my last email I don't think we need to optimize for minimal code changes in pip
[04:57:20] <r1chardj0n3s> yup
[04:57:33] <dstufft> so that will probably change in the long run
[04:57:58] <dstufft> and if we have another file like /simple/, even if we're not relying directly on TUF for the installer metadata like "what versions are available", I tihnk that should be signed by PyPI not by the author
[04:58:08] <dstufft> because otherwise we can't evolve the API really
[04:58:38] <dstufft> and the attacks that makes possible are not much worse than the attacks that are possible if someone gets the snapshot or timestamp key
[04:59:45] <dstufft> but anyways, as far as is related to deleting files, I think the worst case scenario in a post TUF PEP 480 world is that you can't delete files from the web UI and you have to use a tool to generate metadata that you upload which triggers the delete
[05:00:08] <dstufft> which i don't think is particularly onerous
[05:01:35] <r1chardj0n3s> yup
[05:03:26] <r1chardj0n3s> http://www.abc.net.au/news/specials/heatwave-tracker/ right at the end, that's why my aricon is now on
[05:03:46] <r1chardj0n3s> predicted to hit 40º today, 42º tomorrow and then back to 24º on Sunday :)
[05:05:03] <r1chardj0n3s> (I live in the larger Australia-shaped blob just above the smaller Tasmania-shaped blob ;)
[05:12:16] <dstufft> aricon?
[05:12:30] <dstufft> r1chardj0n3s: so I just re-read the entire immutable files thread
[05:12:40] <dstufft> a bunch of +1, holger was +0, and MAL was -1
[05:12:41] <r1chardj0n3s> er, aircon
[05:12:50] <dstufft> oh air conditioning
[05:12:54] <r1chardj0n3s> :)
[05:12:55] <dstufft> dur I'm slow sometimes
[05:13:01] <r1chardj0n3s> also typos don't help ;)
[05:13:23] <dstufft> given that we had a bunch of +1, one +0, and one -1 do we need a PEP for it or is that enough of a consensus to just change it?
[05:13:44] <r1chardj0n3s> one of the other Rackers here lives right under where the hot, red blob is at the end of the timescale. he was going to be golfing today.
[05:13:50] <pmxbot> jaraco pushed 11 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[05:13:50] <pmxbot> Convert test_develop to use pytest
[05:13:50] <pmxbot> Remove consideration for older Pythons
[05:13:50] <pmxbot> Remove apparently unused method.
[05:13:50] <pmxbot> Move fixture to a fixtures module and make that fixture available globally.
[05:13:50] <pmxbot> Convert select tests to pytest model.
[05:13:50] <pmxbot> Also save the ENABLE_USER_SITE setting in the user_override.
[05:13:50] <pmxbot> Replace some setup/teardown code with the fixture.
[05:13:50] <pmxbot> Normalize whitespace
[05:13:50] <pmxbot> Replace much of setup/teardown with another fixture.
[05:13:50] <pmxbot> Replace remaining setup/teardown with a simple mock.
[05:13:50] <pmxbot> Remove unused entries in manifest, fixing spurious warnings.
[05:13:59] <r1chardj0n3s> hmmm
[05:14:40] <dstufft> (I'm not sure what exactly i'd write in a PEP tbh, other than "Don't allow delete + repload if the filename matches a previously uploaded file)
[05:14:42] <r1chardj0n3s> I know a few prominent folk have expressed their desire to continue to be able to replace files
[05:14:45] <r1chardj0n3s> hmm
[05:16:32] <dstufft> I mean, I'm happy to write a 2 line PEP ;) jsut seems kind of silly to me
[05:17:33] <r1chardj0n3s> it needs to be more broadly announced I think
[05:17:40] <r1chardj0n3s> but yeah, a PEP is overkill
[05:17:50] <r1chardj0n3s> it's a *loophole*
[05:17:55] <r1chardj0n3s> but people have come to rely on it
[05:18:35] <r1chardj0n3s> I think I'm going to twit it, see what the general reaction is. Will be more muted than otherwise could be, given the time of day and time of year
[05:18:49] <dstufft> r1chardj0n3s: I can RT it as well
[05:19:37] <dstufft> (FTR MAL is the only person i've ever met who was against it who I couldn't pretty quickly convince that it's a bad idea)
[05:19:52] <r1chardj0n3s> yeah
[05:20:34] <dstufft> I'm at least 25% convinced that half the reason I couldn't convince him is because it came from me
[05:21:12] <dstufft> for better or worse I've spearheaded some things that made things worse for his particular workflow
[05:21:18] <r1chardj0n3s> twitted
[05:21:21] <dstufft> and I think it's caused some resentment
[05:21:28] <r1chardj0n3s> MAL's a freedom-loving kinda guy
[05:21:48] <r1chardj0n3s> and the US and people from the US tend to give him pains in that regard
[05:22:06] <dstufft> I thought the US had a monoploy on freedom!
[05:22:25] <dstufft> (Also FTR, npmjs.org a few months ago removed the ability to republish files for the same reason)
[05:22:33] <r1chardj0n3s> yes, it does have a mono ploy regarding freedom ;)
[05:23:13] <r1chardj0n3s> I agree that the loophole is bad; my intention was to never allow people to do what they're doing, but I was lax in enforcing it once the loophole was discovered
[05:24:12] <dstufft> http://blog.npmjs.org/post/77758351673/no-more-npm-publish-f
[05:24:21] <dstufft> r1chardj0n3s: yea I feel ya
[05:24:51] <dstufft> I don't think it's any secret that I'm far less convervative about breaking things I don't like than some people would like :D
[05:25:06] <dstufft> so I don't mind waiting a bit ;P just trying to close the gap on my PyPI TODO's now!
[05:25:14] <dstufft> since pip 6 is out now
[05:27:05] <r1chardj0n3s> :)
[05:27:14] <r1chardj0n3s> and with that, I go to buy beer
[05:28:29] <dstufft> see ya!
[05:29:21] <r1chardj0n3s> I'm just exporting my talk slides before I finish - will email 'em to you, thanks for agreeing to give 'em a read. the presenter notes are my usual ramblings, hope there's enough to make sense....
[05:30:59] <dstufft> r1chardj0n3s: will take a look shortly!
[05:31:05] <r1chardj0n3s> cheers!!
[09:40:44] <dstufft> man
[09:41:01] <dstufft> PyPI loved sticking references to the local FS all over the place
[12:54:19] <dstufft> pf_moore: ping
[12:56:45] <pf_moore> dstufft: pong
[12:57:21] <dstufft> pf_moore: ftr, I think the PEPs themselves (not what they are proposing, but the PEPs themselves) are pretty poor :(
[12:58:04] <dstufft> I'm writing up an email where I suggest focusing just on PEP 458 (which is more or less transparent to everyone but people writing tooling and people managing PyPI) and where I offer to help them write these things
[12:58:22] <pf_moore> dstufft: Yeah, clearly written by specialists who know their stuff but don't know how to put it in terms "normal people" can follow :-)
[12:59:13] <dstufft> I don't think it's really reasonable to require reading an academic whitepaper and the documentation/specification for the TUF project to get a high level overview of what the PEP proposes
[12:59:24] <dstufft> (I mostly know what I know about TUF because I've read those things, multiple times)
[12:59:37] <pf_moore> The only reason I'm banging on is that I don't want the PEPs (which are good ideas) getting lost in a huge debate over people thinking it'll make their life difficult
[13:00:04] <dstufft> yea
[13:00:12] <dstufft> PEP 480 is one I'm still not sure it's worth it
[13:00:23] <pf_moore> Agreed. I feel guilty that I'm commenting after barely skimming the proposals, but I think that's what most people will actually do...
[13:00:36] <pf_moore> Yep, the UX side is the big issue
[13:01:22] <dstufft> we have the problem where we have to handle everything from really serious projects that have people who care deeply about these issues to really fun hobby projects where it's just one guy who releases things once in a blue moon
[13:01:34] <dstufft> and wanting to be able to handle both sets
[13:01:42] <pf_moore> Yep.
[13:02:10] <pf_moore> And without branding the hobby stuff as "toy" or the serious stuff as "too big for PyPI"...
[13:03:56] <dstufft> and the sad fact is, that unless we get something that's good enough that we can either mandate, or provide warnings for or something, then PEP 480 isn't very useful
[13:04:18] <pf_moore> We're getting very, very close to a curated index here. Maybe that's a viable option. Have a second subset-index of PyPI that only contains things that meet a certain security standard. You get added by asking, but it's not the default, and people needing a level of security can switch to that index.
[13:04:18] <dstufft> because if I install 100 things, and 99 are signed by the end author, and 1 isn't, then someone with contorl over PyPI will just attack me with that 1 thing
[13:04:39] <dstufft> so neither PEP 458 nor PEP 480 makes PyPI a curated index
[13:04:59] <pf_moore> Sorry - curated was a bad word.
[13:05:19] <dstufft> it's just instead of relying on PyPI to provide ACLs for who can upload a file, we rely on cryptography to do it
[13:06:04] <dstufft> I should probably have read the entire statement before responding heh
[13:06:29] <dstufft> (curated vs non curated has other connotions, like Linux repos are curated, PyPI is not and I sort of jumped the gun)
[13:06:30] <pf_moore> Thtat's what always happens with these loaded words :-)
[13:06:30] <dstufft> sorry!
[13:06:35] <pf_moore> BTW, do you have any realistic idea of what the likelihood is of an attack that compromises PyPI in the way the PEP describes?
[13:06:46] <pf_moore> np
[13:06:49] <dstufft> PEP 480 you mean?
[13:07:10] <pf_moore> Yep, I guess - still not 100% clear on the implications of the difference
[13:07:39] <dstufft> PEP 458 == we protect against Fastly being compromised and people can use a mirror of PyPI without trusting that the mirror operator is a good person
[13:08:07] <dstufft> PEP 480 == we protect against the servers that Myself, Richard, EWDurbin etc run on Rackspace being compromised
[13:08:19] <dstufft> if that makes sense?
[13:08:35] <dstufft> (there are caveats to both of those, but that's the general gist)
[13:08:48] <pf_moore> Yes, ta. Say PEP 458 then (in the first instance). What's the odds of fastly being compromised for long enough to do real harm?
[13:10:19] <pf_moore> I've never even *heard* of a case where a library was maliciously compromised. As opposed to the many things you do hear of (bugs, DDOS on application systems, ...)
[13:10:30] <dstufft> Hopefully not very likely :) I do not know the details of Fastly's security but I honestly do not worry about them being a weak link, for me PEP 458 is primarily good about allowing people to use mirrors without trusting the mirror operators
[13:10:55] <dstufft> However
[13:10:59] <dstufft> what is more worrisome
[13:11:10] <dstufft> is right now we're essentially relying on TLS
[13:11:18] <dstufft> and TLS has a vast number of problems
[13:11:45] <dstufft> so PEP 458 is also good for me, about moving away from relying just on TLS
[13:12:52] <dstufft> (I mean, right now China can create certificates that are valid for pypi.python.org and can serve packages to people trying to access pypi and pip would be none the wiser)
[13:13:18] <dstufft> (not to pick on China, it's just a place I wouldn't trust)
[13:13:29] <pf_moore> OK. But doesn't 99.99% of the world rely on TLS? Gmail, facebook, dropbox, skydrive...? Do they have something else as well? From the idiot's POV, those are better targets than PyPI...
[13:14:25] <pf_moore> Not to say we shouldn't solve the problem, but this is what makes it hard to keep the UX debate in perspective...
[13:14:53] <dstufft> yes the vast bulk of the world relies on TLS, and there are things that we (pip) can do that a lot of browsers are starting to implement to help close the gap on a lot of those things
[13:15:19] <dstufft> however PEP 458 has basically zero UX implications for anyone
[13:15:31] <dstufft> authors do not sign anything with PEP 458
[13:15:48] <dstufft> when the authors upload something to PyPI, the PyPI servers sign it
[13:15:53] <dstufft> in PEP 458
[13:16:26] <dstufft> similarly to how most people don't need to care about the fact we're using TLS right now
[13:17:09] <dstufft> in PEP 458, authors continue to upload things how they do now, PyPI gets modified to sign things and serve the new TUF metadata, and pip gets modified to verify that and it ships the keys
[13:17:19] <dstufft> the TUF keys as part of pip to be able to do verification*
[13:19:36] <pf_moore> Yeah, I think PEP 458 needs to be presented as a zero-impact infrastructure change that just improves things at no cost to anyone outside the PyPI admins.
[13:19:52] <pf_moore> If that's really the truth, then it's an obvious thing to do.
[13:20:20] <pf_moore> I suspect there'll be issues for projects like devpi to look at, but that's the extent of the impact
[13:20:22] <dstufft> I mean it also imposes cost on people like holger who writes devpi and bandersnatch and them
[13:20:43] <dstufft> but for people who are installing things and people who are uploading hings, it's basically transparent except maybe error messages change
[13:21:13] <pf_moore> Does it affect external hosting at all? That's the other group who tend to get forgotten...
[13:21:19] <pf_moore> I doubt it does
[13:22:39] <dstufft> pf_moore: yes and no! how we verify externals on PyPI is an open question. PEP 470 answers that question by saying "it's not our problem, the external hosting people need to setup a repo", there are other options where we keep the externally scraped links stuff
[13:23:40] <dstufft> beyond what PyPI presents about external links, it's mostly up to pip about what we want to mandate a repository looks like
[13:24:13] <pf_moore> Yeah, but that's 470, not 458. Let's keep things separate - "there's no impact on external hosting from 458" is the message.
[13:24:20] <dstufft> (e.g. do we want to mandate that a repository uses TUF? or are we happy to allow people to continue using TLS only repositories)
[13:24:42] <dstufft> pf_moore: as PEP 458 is currently implemented there i no impact to external hosting yea
[13:26:18] <dstufft> pf_moore: sorry I have a tendency to be a little wandery
[13:26:28] <pf_moore> Personally, I don't think pip should mandate anything more than the bare minimum if the users are opting into a repo, but that's a whole other debate...
[13:26:55] <dstufft> deciding what the bare minimum is, is always the problem ;)
[13:26:58] <dstufft> but yes another debate!
[13:27:01] <pf_moore> dstufft: lol these debates tend to go everywhere, that's half the problem.
[13:27:44] <dstufft> pf_moore: yea, that's why my draft email suggests focusing just on PEP 458 right now, which as it currently stands is mostly transparent except to us poor shmucks who agreed to maintain these tools
[13:28:18] <dstufft> PEP 480 is where it starts to get into the question of "is this even worth it"
[13:28:35] <pf_moore> Cool - so I see the best thing as a reboot of PEP 458, explicitly and repeatedly asserting that it has no UX component and is purely an internal improvement affecting PyPI and the mirroring tools.
[13:29:04] <pf_moore> We table PEP 480 totally, and anything else that intrudes, until 458 is resolved.
[13:29:23] <pf_moore> Good luck with keeping distutils-sig on-message for all of that ;-)
[13:30:05] <dstufft> basically in these things there are chains of keys where you trust the root key, and the root key signs a document that says "hey trust these other keys for X", and those other keys can sign other keys that say "hey trust these other other keys for Y" and so on
[13:31:54] <dstufft> and if you want to verify Y, you have to verify the key that signed for Y, the key that signed for X (where X is a thing that says hey trust this other other key for Y), and then you have to verify that intiial document which was signed by the root key
[13:32:14] <dstufft> and the security of Y is basically equal to whatever the security is of the weakest key in that chain
[13:32:30] <dstufft> in PEP 458, the weak keys are keys that sit on the PyPI machines in Rackspace
[13:33:12] <dstufft> in PEP 480 you don't trust a key sitting on the PyPI machines in Rackspace
[13:34:33] <pf_moore> Yeah, I sort of understood that (although the last bit about which keys you trust under the 2 PEPs is new to me, thanks)
[13:35:19] <dstufft> that's basically the difference between online and offline
[13:35:27] <pf_moore> But talk of key signing reminds me of the 90s, with security geeks talking about holding key-signing parties.
[13:36:05] <dstufft> pf_moore: In my opinion, if we do PEP 480 we should use something like what minilock has done, which is the key that an author needs to sign with is derived from a secondary password
[13:36:29] <dstufft> so the UX implications are that when you do ``setup.py upload`` it prompts you for your "signing password"
[13:36:52] <dstufft> and all that key crap is just under the covers shit
[13:39:49] <dstufft> pf_moore: it's kind of an interesting situation though, I'm talking to some other epople about PEP 458/ PEP 480 right now, and they are excited about both proposals (without having actually read them to ensure that they do what they claim), however they are part of a group of people who write software that helps fight against oppresive regimes in other countries and they distribute software via PyPI/pip for that purpose
[13:39:50] <pf_moore> Hmm, just googled minilock. I see what you mean now. Makes sense. I tend to think of a "pass phrase" for this. I'm aware there's no practical difference between a password and a pass phrase other than length and allowing spaces, but it's all about connotations...
[13:41:03] <dstufft> the range of use cases is kind of awesome
[13:41:14] <pf_moore> wow - yeah, it's easy to forget that what's just a hobby to me can be so important to others...
[13:44:53] <dstufft> I have the good old, security paranoia so I tend to lean towards designing systems that can handle "I'm distributing software where if I don't get the right software someone might die" (hows that for motivation), but I'm super grateful for people who tend to lean towards "I'm just distribution some things i do for a hobby, if i don't get the exact right software I'm not to worried about it" who force me look at the UX side of things more
[13:46:21] <dstufft> (for the oppresive regimes types, since PyPI is hosted in the US, the only thing you need to worry about is the US.... whch isn't exactly a benign operator in the global online battlefield)
[13:46:28] <dstufft> for PEP 458 that is ^
[13:47:19] <pf_moore> ... I don't even know if "lol" is appropriate any more :-)
[13:49:13] <pf_moore> dstufft: Trouble with security stuff is the people like those you mention for whom it *is* life or death tend not to be able to comment. So having the specialists speaking on their part against the "who cares" mob like me is really important
[13:49:22] <pf_moore> As usual it's all about balance.
[13:49:41] <pf_moore> Thought for the new year... :-)
[13:51:06] <dstufft> (reminder that it was roughly 2 years ago that PyPI had an untrusted TLS certiifcate, and pip/easy_install didn't even bother to verify TLS, and would just scrape random sites on the internet)
[13:51:21] <dstufft> we've come a hella long way
[13:51:40] <pf_moore> yeah...
[13:53:09] <dstufft> (and we've still got a long way to go in some places, ``setup.py upload`` on anything but Python 2.7.9 doesn't verify TLS which means it's easy to get an author's password ;(
[14:13:50] <dstufft> pf_moore: if you have a moment to read https://bpaste.net/show/5a5bd70a5c97 do you mind? before I send it :D
[14:36:47] <collinanderson> just got a varnish "backend read error" on pypi. it worked after refreshing
[14:38:19] <dstufft> collinanderson: that more or less means that something went wrong between Fastly and the PyPI origin servers, where something went wrong can include things like "the request took too long" or "the internet sucks and sometimes connections get dropped"
[14:38:51] <collinanderson> cool
[15:25:54] <pf_moore> dstufft: sorry got sidetracked, just posting a reply now but looks great to me.
[15:26:06] <dstufft> pf_moore: np!
[15:28:17] <pmxbot> jaraco pushed 13 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[15:28:17] <pmxbot> Remove unused import
[15:28:17] <pmxbot> Convert remaining tests in test_easy_install to pytest.
[15:28:17] <pmxbot> Rewrite test using pytest.
[15:28:17] <pmxbot> Combine DALS implementations in textwrap module.
[15:28:17] <pmxbot> Replace cluttered script generation with multiline strings
[15:28:17] <pmxbot> Use contexts for tempdir generation
[15:28:17] <pmxbot> Rewrite paths construction as generator expression.
[15:28:17] <pmxbot> Rewrite config generation
[15:28:17] <pmxbot> Rewrite command construction for clarity.
[15:28:17] <pmxbot> Use trailing comma for consistency.
[15:28:17] <pmxbot> Extract method for _find_egg_info_files.
[15:28:17] <pmxbot> Use update to set the home environment variable.
[15:28:17] <pmxbot> Extract fixture for the environment.
[15:52:07] <pmxbot> jaraco pushed 5 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[15:52:07] <pmxbot> Update test_find_packages to use pytest
[15:52:07] <pmxbot> Resave with excess whitespace removed
[15:52:07] <pmxbot> Add omitted module.
[15:52:07] <pmxbot> Remove expected failure from pbr package as it appears to be working now.
[15:52:07] <pmxbot> Use simple assertions and pytest runner for test_markerlib.
[16:47:35] <pmxbot> jaraco pushed 8 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[16:47:35] <pmxbot> Extend contexts environment patching logic based on context manager in test_msvc9compiler and use it.
[16:47:35] <pmxbot> Reorganize imports
[16:47:35] <pmxbot> Remove dependence on unittest in favor of pytest for test_packgeindex
[16:47:35] <pmxbot> Use tmpdir in test_local_index for brevity and isolation.
[16:47:35] <pmxbot> Remove additional references to unittest.
[16:47:35] <pmxbot> Ported test_resources to pytest from unittest.
[16:47:35] <pmxbot> Ported test_sandbox to pytest from unittest.
[16:47:35] <pmxbot> Use importorskip to detect/load win32com
[17:03:24] <pmxbot> jaraco pushed 5 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[17:03:24] <pmxbot> Minor cleanup
[17:03:24] <pmxbot> Use tmpdir fixture
[17:03:24] <pmxbot> Converted sdist tests to pytest
[17:03:24] <pmxbot> Remove unused imports
[17:03:24] <pmxbot> Use DALS for nicer indentation
[17:03:47] <pmxbot> jaraco pushed 1 commit to setuptools (https://bitbucket.org/pypa/setuptools/) :
[17:03:47] <pmxbot> Port test_test to pytest
[17:30:12] <_cjones_> Hi guys. Our team has run into an issue with PIP 6.0.3 Specifically this issue: https://github.com/xavfernandez/pip/commit/bd2a789578ea70e2207e9d4ee8e70f31f42b0957
[17:30:36] <_cjones_> Does anyone know approximately when another official release will be spun? (6.0.4)?
[17:39:54] <dstufft> _cjones_: 24-48 hours is likely
[17:41:14] <_cjones_> dstufft: TYVM.
[18:16:29] <pmxbot> jaraco pushed 19 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[18:16:29] <pmxbot> Python 2.6 can be assumed
[18:16:29] <pmxbot> Use skipif marker for real_prefix
[18:16:29] <pmxbot> Use context opener
[18:16:29] <pmxbot> Use useroverride fixture
[18:16:29] <pmxbot> Replace setup/teardown with a shorter, more elegant fixture.
[18:16:29] <pmxbot> Use quiet context
[18:16:29] <pmxbot> Suppress exceptions in a context for clarity, brevity, and reuse.
[18:16:29] <pmxbot> Extract var
[18:16:29] <pmxbot> Use unicode literals to define files as text, and encode specifically when saving files.
[18:16:29] <pmxbot> Update comment to reflect issue was reported in Distribute.
[18:16:29] <pmxbot> Normalize imports
[18:16:29] <pmxbot> Use DALS
[18:16:29] <pmxbot> Remove dependence on unittest in test_upload_docs
[18:16:29] <pmxbot> Remove copy pasta
[18:16:29] <pmxbot> Leverage fixtures for sample project and user_overrides.
[18:16:29] <pmxbot> Replace comment with clearer docstring.
[18:16:29] <pmxbot> Use tempdir context
[18:16:29] <pmxbot> woh what?
[18:16:29] <pmxbot> Open zip file in context
[18:17:05] <jaraco> !m dstufft
[18:17:05] <pmxbot> you're doing good work, dstufft!
[18:17:09] <jaraco> !m pip
[18:17:09] <pmxbot> you're doing good work, pip!
[18:55:23] <msabramo> whoa, crate.io is back?
[18:55:50] <msabramo> didn't it go away when some other company bought the domain?
[18:55:57] <msabramo> ^ dstufft
[18:58:43] <sigmavirus24> msabramo: still is that other co.
[18:59:10] <msabramo> https://crate.io/packages/jedi/
[19:00:46] <msabramo> I guess they've agreed to maintain stuff for a while? https://crate.io/thanks-dstufft/
[19:02:07] <sigmavirus24> well crate.io itself is not warehouse
[19:02:41] <sigmavirus24> so you're saying
[19:02:53] <sigmavirus24> so long as we keep hitting /packages/* we can get them to serve an alternative index?
[19:02:55] <sigmavirus24> This seems bad
[19:03:15] <sigmavirus24> Nothing to stop them from eventually acting maliciously (or if their servers are compromised...)
[19:28:28] <pmxbot> jaraco pushed 8 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[19:28:28] <pmxbot> Use closing for Python 2.6 compatibility
[19:28:28] <pmxbot> Remove unittest dependency from test_msvc9compiler.
[19:28:28] <pmxbot> Update changelog
[19:28:28] <pmxbot> Use mock to patch msvc9compiler.Reg.
[19:28:28] <pmxbot> Split test into two
[19:28:28] <pmxbot> Split the first test into two more tests.
[19:28:28] <pmxbot> Extract three more tests, using fixtures to unify the common aspects.
[19:28:28] <pmxbot> Move docstring to test class.
[19:31:17] <pmxbot> jaraco pushed 3 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[19:31:17] <pmxbot> Update changelog
[19:31:17] <pmxbot> Added tag 10.2 for changeset 651d41db5884
[19:31:17] <pmxbot> Bumped to 10.3 in preparation for next release.
[20:31:06] <sigmavirus24> dstufft: thoughts on https://bitbucket.org/pypa/setuptools/issue/323/install-issues-with-102 ?
[21:25:52] <sigmavirus24> So the tests for setuptools don't even run, eh?
[21:36:55] <sigmavirus24> I'd love some review on https://bitbucket.org/pypa/setuptools/pull-request/114/fix-regression-in-entry-point-name-parsing/diff by some people who are available
[21:40:36] <pmxbot> jaraco pushed 1 commit to setuptools (https://bitbucket.org/pypa/setuptools/) :
[21:40:36] <pmxbot> Fix regression in entry-point name parsing
[21:42:38] <pmxbot> jaraco pushed 1 commit to setuptools (https://bitbucket.org/pypa/setuptools/) :
[21:42:38] <pmxbot> Update changelog. Fixes #323.
[21:48:18] <pmxbot> jaraco pushed 4 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[21:48:18] <pmxbot> Move tests to be adjacent with other parsing tests.
[21:48:18] <pmxbot> Bumped to 10.2.1 in preparation for next release.
[21:48:18] <pmxbot> Added tag 10.2.1 for changeset 1f5de53c079d
[21:48:18] <pmxbot> Bumped to 10.2.2 in preparation for next release.
[22:49:20] <pmxbot> jaraco pushed 3 commits to setuptools (https://bitbucket.org/pypa/setuptools/) :
[22:49:20] <pmxbot> Removing shlib_test (apparently unused and broken).
[22:49:20] <pmxbot> Should be sufficient to invoke ./bootstrap.
[22:49:20] <pmxbot> Bump version loaded by ez_setup.py