Log file Viewer
#pypa-dev logs for Wednesday the 14th of March, 2018
[03:40:18] <sumanah> waseem18: what are you working on, in terms of Warehouse and the Python Packaging User Guide, right now?
[03:41:08] <waseem18> With respect to warehouse - https://github.com/pypa/warehouse/issues/1299 - Converting the side bar (filters) to use markup
[03:42:43] <sumanah> waseem18: https://github.com/pypa/warehouse/issues/3070 is fairly small, but as you are comfortable with frontend work, and this is in the current milestone, it would be great if you could fix it
[03:52:00] <waseem18> I see 'Delete your PyPI account' modal not being closed when I click on 'Esc' button. Generally popups get's closed on click of 'Esc'.
[03:54:47] <sumanah> waseem18: do you think it could be related to https://github.com/pypa/warehouse/issues/3152 ?
[03:58:13] <sumanah> waseem18: I'd appreciate if you could mention your experience in a comment in #3152, saying what browser you're using and that you cannot replicate it on master
[04:00:34] <waseem18> sumanah: Sorry - My bad , I'm able to replicate it now. One of my browser style extensions was causing issues
[04:02:57] <waseem18> Having 'Esc close modals' is quite a different issue (more like a small feature) - We can either add it as a new issue or fix it site wide along with #3152
[04:06:28] <sumanah> waseem18: I think you should file the "Esc close modals" issue and then I'll mark it as "cool but not urgent" - I think you are right about its priority.
[04:12:02] <sumanah> I'm a little amused. I was looking through past Wikimedia stuff to see how we/they dealt with CAPTCHA issues, and ran across https://lists.wikimedia.org/pipermail/wikitech-ambassadors/2014-April/000643.html and started reading it. *I* sent that email, 4 years ago
[07:05:52] <sumanah> I'm headed to bed nlh - hope you like the end of https://mail.python.org/pipermail/distutils-sig/2018-March/032043.html
[07:07:09] <sumanah> thanks for https://github.com/pypa/warehouse/pull/3190#issuecomment-372924397 - aim to deal with it tomorrow
[12:30:40] <sumanah> heads-up EWDurbin that this is an example of the answer I'm giving third parties when they ask whether they should switch to calling pypi.org right now https://github.com/badges/shields/issues/1569#issuecomment-372804963
[12:31:45] <sumanah> I see libraries.io reacted differently https://github.com/librariesio/libraries.io/issues/2024 https://twitter.com/teabass/status/973892846569840641
[12:32:22] <sumanah> the shields folks and the libraries.io folks received practically the same messaging from me so I'm not sure whether I particularly messed up here
[12:34:01] <EWDurbin> As I skimmed it sumanah, there was a large amount of text and no obvious call to action in the issue you filed on libraries.io skimming it made me feel like it was time to go!
[12:35:21] <sumanah> EWDurbin: if you want more traffic, clearly, I can tell some of these folks to switch now; alternately, if you want to be cautious, I can follow up with each of them and say "sorry I was unclear, please wait till you get a note"
[12:35:42] <EWDurbin> Meh, it’ll probably be OK the only concern is that we may still break stuff during the transition
[12:41:52] <dstufft> It was really cool when I noticed that Warehouse was getting like 3x the number of requests as legacy
[12:48:52] <sumanah> EWDurbin: am iterating https://wiki.python.org/psf/PackagingWG/PyPIBetaAnnouncement
[12:50:02] <sumanah> dstufft: yes, I'm pleased that we'll be able to make the switch (I hope/believe) well before PyCon NA
[12:53:29] <dstufft> sumanah: it's OK on work calendar, Tracy had a migraine all day yesterday so she didn't look for the family stuff yet
[12:54:24] <sumanah> dstufft: and speaking of PyCon! have you had a chance to get your workplace to say that yes, they're sending you?
[12:55:20] <dstufft> uh, I have a ticket. dunno aobut reimbursement for expenses, but I don't really care either way, I'll be paying out of pocket for an upgrade anyways because I ain't flying anything but first
[12:56:01] <sumanah> dstufft: Do you know the dates you're coming? Will you be there for all the days of the sprints?
[12:57:26] <sumanah> dstufft: I can't recall whether you were planning on driving, since you aren't THAT far from Cleveland
[13:03:30] <sumanah> toad_polo: I got a bugs.python.org account and added myself to the notification list for https://bugs.python.org/issue33071
[13:05:33] <dstufft> EWDurbin: meh, we should have security@pypi.org or get you added to security@python.org and redirect to there
[13:06:01] <EWDurbin> Either is fine with me, though I think I prefer the more eyes approach of @python.org
[13:06:04] <sumanah> dstufft: and then change the security policy and the relevant "contact us" bits?
[13:06:32] <sumanah> dstufft: ok, let me know when you've gotten Ernest added to that list/alias, and then I'll go around making changes in the docs
[13:06:51] <dstufft> the main downside to security@python.org is we won't "control our own destiny" as much in terms of who is on the list
[13:06:55] <dstufft> and we'll get some other stuff that isn't important to PyPI, but it's pretty low traffic
[13:12:29] <sumanah> EWDurbin: I figure you'll speak up in https://github.com/pypa/warehouse/issues/3174 if you have opinions about what we do next with CAPTCHA
[13:14:52] <dstufft> I don't think the proxy idea is a winner, we're highly likely to get API rate limited, and I suspect proxying is going to remove some of the methods of detection that recaptcha uses anyways
[13:16:51] <dstufft> sumanah: the email wiki thing looks good, was reading it and that's what made me think of the security alias
[13:18:51] <sumanah> I can make the PR now and it can be blocked and unmerged till Ernest gets added to that alias
[13:20:51] <dstufft> Although I think gpg for security@ aliases is largely theatre :P People get grumpy if it's not there.
[13:23:10] <sumanah> I have definitely used GPG to send encrypted mail to a security@ address. But I recognize that you have strong opinions on this topic and I don't need to change yours
[13:24:54] <dstufft> sumanah: Yea. From experience what happens in like 99% of cases is someone on the list decrypts the email and then responds to the list with the decrypted email (this has held true across many security@ emails I've been a part of)
[13:26:30] <toad_polo> GPG, the ultimate in security. It can only be defeated by, "Your message was all garbled or something, can you send it again?"
[14:40:42] <fungi> dstufft: pf_moore: ^ an initial stab at an escape hatch, which seems to work in places where pip 10 was otherwise failing for us. i'm not especially attached to any part of the implementation, and in fact expect that there was a more elegant way to plumb the option down into that method i just wasn't able to figure out. suggestions most welcome
[19:10:40] <sumanah> di_codes: https://github.com/pypa/warehouse/issues/1944 on predictable wheel URLs and https://github.com/pypa/warehouse/issues/2537 on normalized names -- I am sure we talked about one of these in a past meeting but can't find the notes.
[19:11:23] <sumanah> specifically -- I have a gut feeling we should tell downstream packagers to use more robust methods of grabbing these artifacts
[19:42:57] <di_codes> sumanah: I think I agree. I don’t really understand why these users want to be able to predict the location of the files. In #2537 it seems like they’re using the JSON API anyways, which already has the location of all these files, so they probably should just use that?
[19:44:17] <di_codes> I don’t think we make any guarantees that the URLs to the distributions won’t change some day, so unless they’re getting it from our API, it’s always going to potentially be brittle.
[20:09:57] <nlh> for https://github.com/pypa/warehouse/pull/3190, is there a way for me to push to sumanah's branch?
[20:12:08] <di_codes> nlh: you can add her fork as a remote: `git remote add brainwane <https://github.com/brainwane/warehouse.git>`, if sumana has enabled “allow edits from maintainers” you should be able to `git push brainwane <branch name>`
[20:13:11] <di_codes> er, that should be `git remote add brainwane git@github.com:brainwane/warehouse.git`
[20:19:18] <sumanah> nlh: I have added you as a "collaborator" who now has push access to my GitHub fork of Warehouse.
[20:19:54] <sumanah> nlh: ALSO, if dealing with my branch stuff is too hard, you could just make a commit somewhere, on a branch you have somewhere, and I can fetch that branch and "cherry-pick" that one commit onto my branch.
[20:20:48] <di_codes> this is why I like to push to pypa/warehouse instead of my fork when I expect to not be the only committer, both of y’all should be able to do that too
[20:21:26] <sumanah> di_codes: I should start doing that, yeah -- this headache has reminded me that I should do this.
[20:37:24] <sumanah> di_codes: I'm fixing up some various little things in Twine at the moment. If you submit your branch https://github.com/pypa/twine/compare/master...di:add-metadata-2.1 as a PR I can merge it and cut a release within probably the next hour.
[21:01:05] <sumanah_> so di_codes turns out my coworking space has an event and is tossing people out early tonight.
[21:01:34] <sumanah_> di_codes: so I cannot get a new release out in, like, the next 40 minutes. But I can do it tomorrow.
[21:33:57] <di_codes> sumanah: I think I’d like to merge <https://github.com/pypa/warehouse/pull/2373> before a twine release that would upload that field is made. i’m working on it now as long as you don’t mind the delay
[21:35:23] <sumanah> di_codes: Oh, no, I don't mind the delay. I was thinking that *the twine release* would be the next bottleneck, given your sequence in https://github.com/pypa/warehouse/issues/869#issuecomment-340928703
[22:41:31] <dstufft> EWDurbin: Can you send a request to subscribe to https://mail.python.org/mailman/listinfo/psrt
[22:41:58] <dstufft> EWDurbin: sumanah We can use security@python.org for the security contact, everyone was +1
[22:42:20] <sumanah> great, thanks dstufft, say so on https://github.com/pypa/warehouse/pull/3258 and approve it, and I'll merge it
[22:49:09] <di_codes> sumanah: FYI, we can make a twine release with my PR but folks aren’t going to be able to build Metadata 2.1 distributions until <https://github.com/pypa/setuptools/pull/1286> is merged/released