[16:00:10] <sumanah> Welcome to the Warehouse/PyPI livechat, the first of four during this beta!
[16:00:19] <sumanah> Warehouse, the codebase behind the new PyPI, is available as a beta site at https://pypi.org, and I'm one of the people working on it. (I'm Sumana Harihareswara, project manager.)
[16:00:46] <sumanah> first some context, then introductions! :)
[16:00:50] <sumanah> We're making steady progress on the developer roadmap https://wiki.python.org/psf/WarehouseRoadmap thanks to funding from Mozilla's Open Source Support Program https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
[16:01:11] <sumanah> And it's on its way to fully replacing the legacy PyPI site pypi.python.org next month.
[16:01:28] <sumanah> We're currently seeking feedback from you about what does or doesn't work for you in the new interface. https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html#workflows has a list of stuff we especially want people to test.
[16:01:49] <sumanah> And, as a reminder, participating in this livechat means you agree to abide by the PyPA code of conduct: https://www.pypa.io/en/latest/code-of-conduct/
[16:02:34] <sumanah> The main Warehouse developers we have in the channel today are me, EWDurbin, and dstufft I believe
[16:02:45] <sumanah> EWDurbin you wanna introduce yourself? and dstufft if you are around :)
[16:03:14] <EWDurbin> I'm Ernest! I wear a few hats in the Python community, but the one i've got on right now is as the lead on PyPI's infrastructure and a contributor to the pypa/warehouse codebase.
[16:03:34] <cooperlees> EWDurbin: Cheers for the bandersnatch fixes :D
[16:03:47] <sumanah> ok! if you're here for the livechat today, introduce yourself? cooperlees you can go first :)
[16:04:29] <EWDurbin> cooperlees: no problem! when do you think we'll see a release? i also had a question about rehashing every file on update... seems to be troublesome for projects like mxnet-* which have hundreds of large files.
[16:05:13] <cooperlees> Fb employee who's based in California. Fell into maintaining bandersnatch as I Python 3'd it as it hurt me to run it internally under Python 2. Want to polish it up a bit with warehouse etc ... Currently working alongside ambv in our core Python team here @ Facebook
[16:05:41] <cooperlees> EWDurbin: I can try release today. Just time. I've been travelling and trying to catch up @ work + sick etc.
[16:05:45] <EWDurbin> thanks for picking up bandersnatch cooperlees! we've been using it internally for PyPI for some time!
[16:08:32] <sumanah> and I would like to overhear stuff so it can feed into https://wiki.python.org/psf/PackagingSprints
[16:08:49] <EWDurbin> so cooperlees whenever a project updates, bandersnatch currently double checks _every_ file on disk to make sure that they are 1) there and 2) match the expected sha
[16:09:01] <EWDurbin> and also checks new files at download time to ensure they match expected sha
[16:10:40] <EWDurbin> that's a minutely "status check" of the internal mirror
[16:11:00] <EWDurbin> the lag is caused by bandersnatch spending almost 10 minutes rehashing all existing _large_ files.
[16:11:15] <EWDurbin> now, PyPI doesn't allow for packages or their SHA to change... it did at one point.
[16:11:40] <edd_lc> Gladly. Name's Edward. I work for CyberBit as a backend developer and teach basic security 2 times a week at a local tech school.
[16:11:51] <EWDurbin> so i'm curious what we could do to help a mirror stay in sync _quickly_ without sacrificing statelessness.
[16:11:55] <cooperlees> Ok - I more don't trust Gluster internally where I store all the package files :P
[16:12:04] <cooperlees> So I personally don't mind the re-check
[16:12:14] <sumanah> Welcome :) thanks edd_lc for joining. And please do mention if there's anything you particularly find nice or any snags you're finding with pypi.org.
[16:12:18] <cooperlees> But, we could make a configuration option to only sha new files?
[16:16:26] <cooperlees> I install docker etc. to try and have a look at how it all works, but then saw twisted and killed it all with fire as I have nightmares still about twisted :P
[16:17:11] <dstufft> twisted is just a web server for us, so you can ignore the fact it exists
[16:17:34] <sumanah> also cooperlees maybe you could rephrase that? there are probably folks in here who work on Twisted and maybe you could say that more sensitively?
[16:19:52] <cooperlees> Twisted is good, don't get me wrong. I just can't think that way. I mean no harm in my comment.
[16:23:06] <cooperlees> sumanah: I have no ties there. Christian (owner) hates how everything is on GitHub and how they basically own Open Source and could kill the ecosystem tomorrow
[16:23:22] <sumanah> cooperlees: *ah*, yeah. I can understand that. I keep a lot of my personal repositories on gitlab
[16:23:29] <EWDurbin> i like working on bandersnatch, keeps my mercurial skills sharp :-D
[16:23:35] <cooperlees> He did basically say in an email tho I can do whatever is best for Bandersnatch tho - So we could move it to github if everything thinks it's worthwhile
[16:24:24] <sumanah> cooperlees: I think I may have missed: where is the bandersnatch public roadmap?
[16:25:44] <dstufft> Facebook has made a bunch of improvements to Hg I think for large scale use cases, it's pretty cool
[16:26:09] <dstufft> (Also hi, I'm only half way here)
[16:27:42] <sumanah> cooperlees: EWDurbin: go ahead and talk about anything else you need to sort out regarding bandersnatch, I didn't mean to interrupt
[16:28:05] <cooperlees> sumanah: I don't have a roadmap :\
[16:28:17] <cooperlees> Just issues / incidents or whatever Bitbucket calls em
[16:28:24] <EWDurbin> i got no blockers, but i would like to let cooperlees know that bandersnatch at its current default/Head is fully pypi.org compat
[16:28:30] <cooperlees> (This is my first time owning an open source project)
[16:28:33] <EWDurbin> i know this cause our new internal mirror is pointing at pypi.org :)
[16:28:57] <sumanah> cooperlees: hey I hear ya. I helped Warehouse develop its roadmap & update it
[16:29:01] <cooperlees> Sweet - With sha256 turned on? I need to pull the latest version internally and hit pypi.org too
[16:29:55] <cooperlees> sumanah: basically I want to fully asyncio and fix the deletion code for 3.0
[16:30:26] <sumanah> oh I need to read https://bitbucket.org/pypa/bandersnatch/issues/94/package-files-are-never-purged which has a bunch of history in it
[16:30:42] <cooperlees> dstufft: Translate that for a dumb Aussie please :\
[16:31:08] <cooperlees> sumanah: Summary - bandersnatch still expects a super old PyPI file layout ... so today, we never delete anything
[16:33:01] <sumanah> cooperlees: thanks for the apology
[16:33:39] <cooperlees> dstufft: Thoughts on https://github.com/dstufft/xmlrpc2/pull/3
[16:33:51] <sumanah> cooperlees: throwing what you just said about asyncio, etc. (plus from your emails that I saw) into a ROADMAP.txt file and putting it in the root of the bandersnatch directory would be worthwhile IMO
[16:38:05] <cooperlees> Carl Meyer says you're a ghost
[16:38:22] <dstufft> there are a handful of people who have managed to successfully meet me
[16:38:31] <sumanah> AnyTimeTraveler: welcome. You here for the IRC livechat about PyPI beta?
[16:38:33] <dstufft> or at least the paid actor who plays me
[16:39:00] <sumanah> cooperlees: Facebook-related heads-up: since the Mozilla grant is going to run out probably in late April or early May, we'd love money to keep the team going.
[16:39:35] <cooperlees> haha - Do you have calculations on how much to finish etc. ?
[16:39:59] <cooperlees> We send pretty solid checks each year to PSF
[16:40:01] <sumanah> cooperlees: If we had about $150K we could do a really quite large chunk of security work + internationalization + accessibility work
[16:40:05] <EWDurbin> cooperlees: if you want to procrastinate some more, i'd love to get a PR in for "dangerously_skip_hashing_the_world_" or similar
[16:40:11] <EWDurbin> before next bandersnatch release
[16:40:33] <cooperlees> EWDurbin: I can suck at releasing for you :D
[16:40:39] <sumanah> cooperlees: thanks! I saw Facebook is a PyCon sponsor right now (but did not see it on the PSF sponsors page -- if I'm working on obsolete info, sorry)
[16:40:49] <EWDurbin> sweet. look for a PR around like 7am eastern tomorrow :-D
[16:41:08] <sumanah> cooperlees: and we're almost certainly applying for https://research.fb.com/programs/research-awards/proposals/secure-the-internet-grants/ in case you can put in a word for us
[16:41:22] <cooperlees> sumanah: Last two years we've hosted and sponsored getting the top 20 core devs together for a week on campus too :)
[16:42:40] <sumanah> hi waseem18 & thanks for your work on the trove classifier https://github.com/pypa/warehouse/pull/3273 -- lots of iterative improvement :)
[16:43:41] <sumanah> waseem18: ^ in case you want to catch up on the bandersnatch conversation -- cooperlees is interested in getting PRs to improve bandersnatch, a PyPI mirroring system that Facebook and other big orgs use, and that PyPI uses as its fallback in case of certain outages
[16:44:01] <EWDurbin> anyone that's here for the office hours experienced TLS issues? this is one of our largest blockers to making the switch.
[16:44:29] <EWDurbin> we're currently performing rolling brownouts of TLSv1.0 and TLSv1.1 https://status.python.org/incidents/hdx7w97m5hr8
[16:45:23] <waseem18> I've heard of Bandersnatch but never actually looked into it
[16:47:24] <cooperlees> sumanah: I'm writing email to my VP to kick off sponsorship opportunities
[16:47:59] <EWDurbin> tell them we don't _need_ it, but one of those huge novelty checks would be really cool :-p
[16:48:00] <sumanah> cooperlees: in case you want advice (I know you didn't actually ask) about running your first open source project: https://www.harihareswara.net/sumana/2016/08/04/1 is my short list of advice types you might need, and https://www.harihareswara.net/sumana/2015/08/09/0 is on how to improve bus factor in the project
[16:48:02] <cooperlees> EWDurbin: Thanks for telling me bandersnatch is used internally. Made my day :)
[16:49:48] <sumanah> look I think that if it is mission critical for morale that every member of the MOSS team get a big novelty check then I can start putting that in each milestone
[16:49:54] <cooperlees> Philly is cheap anyways :P
[16:49:58] <sumanah> I'm sure Mozilla will understand
[16:52:51] <sumanah> cooperlees: do you know of any other packaging/distro people who will be at the PyCon sprints who are not already in the list at https://wiki.python.org/psf/PackagingSprints ? or at EuroPython?
[16:54:32] <cooperlees> I know Lukasz Langa and Jason Fried will be there for part of the time. Lukasz will be doing core related stuff but not sure what my team mate Jason is planning to work on.
[16:54:47] <cooperlees> I'll ask him if he graces me with his presence soon
[16:55:12] <sumanah> cooperlees: https://mail.python.org/pipermail/python-list/2018-March/732138.html would you mind forwarding this around to the internal-to-Facebook Python world? we really do want as much testing as possible during the beta
[16:55:48] <cooperlees> All of Facebook hits my internal mirror :P
[16:56:51] <EWDurbin> but ceph exposes RBD (Rados Block Device)
[16:56:52] <sumanah> cooperlees: for Facebook work I'm sure they do, but I presume a lot of Facebook folks also have their own personal side projects, etc. and upload to PyPI sometimes. Am I wrong?
[16:57:13] <cooperlees> sumanah: yeah I agree - I posted yesterday actually about Warehouse in our internal Facebook group
[16:57:13] <EWDurbin> RBD is super fabulous! and surprisingly quick for VM hard drives and the like.
[16:58:24] <EWDurbin> cooperlees: how often does internal facebook mirror sync from PyPI?
[16:58:44] <EWDurbin> i'm kind of surprised that hashing goofiness doesn't bother it more even with flash storage.
[16:58:52] <sumanah> cooperlees: and finally, if you think of someplace else we should be signal-boosting the Warehouse beta, let us know? I particularly am keen to get the word out to people who don't do *that* much Python and people who aren't strong English readers
[16:59:39] <sumanah> and that's about it for today's livechat on the PyPI beta
[16:59:56] <sumanah> next one: Friday, March 30th, 10-11am EDT, 16:00-17:00 CEST, 7:30pm-8:30pm India, 14:00-15:00 UTC https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+live+chat&iso=20180330T14&p1=1440&ah=1
[16:59:58] <cooperlees> I also then have to sync the packages to 2 other regions - I have a mirror in west coast, east coast and Sweden :)
[17:00:00] <EWDurbin> cooperlees: we've slowly gotten to the point where fewer and fewer bandersnatch mirrors hammer us at UTC midnight
[17:00:19] <sumanah> this is a 24/7 channel so folks should feel free to continue talking here but Ernest and others may drift away :)
[17:00:33] <dstufft> I remember when we'd start erroring at UTC midnight because of xmlrpc kicking our ass
[17:03:48] <sumanah> cooperlees: It's Nicole, Dustin, and Ernest comaintaining basically right now, and I'm really happy about how much space we took up in the recent mail with volunteer PRs that got merged in the last week! https://groups.google.com/forum/#!topic/pypa-dev/w7IMrNiiEuQ
[17:03:51] <EWDurbin> so stoked, can't pick out UTC midnight on that at all anymore!
[17:04:12] <pombreda> one tiny stuff: I am still not sure how to get images properly show up from my description (this is both on old and new pypi ) eg here: https://pypi.org/project/scancode-toolkit/
[17:04:15] <sumanah> cooperlees: hope the mail is useful to you - let me know if there are changes that would make it more useful
[17:04:37] <sumanah> pombreda: looking. I see that there's an image placeholder
[17:04:48] <EWDurbin> pombreda: where is the source for that README?
[17:04:51] <sumanah> pombreda: after "See the roadmap for upcoming features: https://github.com/nexB/scancode-toolkit/wiki/Roadmap" -- that's what you mean?
[17:07:34] <pombreda> and now for something completely different... at some point of time in a near future, I would like to tackle with a PEP and with Pypi the problem of licensing clarity in Python packages and on Pypi.
[17:08:25] <pombreda> it is not clear how to state a proper license in a package (classifier, license field?) and that should bubble up more clearly in the pypi in the future
[17:08:42] <sumanah> cooperlees: MarkMangoba and Ernest and I are working on that grant application and can get a ~400-word thing to you later today. Or I can email you now with a one-paragraph thing.
[17:09:02] <cooperlees> sumanah: One paragraph thing would be sweet
[17:09:24] <cooperlees> I've already quoted IRC and your desire for the grant
[17:10:07] <pombreda> re:licensing I am involved in a few projects that deal with this https://spdx.org/ and https://clearlydefined.io/ as well as scancode
[17:10:18] <sumanah> pombreda: interesting! I'm looking around and bet I have seen other questions/issues about related things, like https://github.com/pypa/packaging-problems/issues/41
[17:12:39] <pombreda> and I started working on a pep at a very slow pace to address first the metadata side of things https://github.com/pombredanne/spdx-pypi-pep/issues/1
[17:13:11] <pombreda> now the clearlydefined project is another tack to actually scan, review and help every project provide proper info
[17:13:28] <pombreda> and has a nice roster involved
[17:14:19] <pombreda> again just a heads up at this stage. But there are things to do imho at the pep level, then also help every author provide better licensing info and then eventually surface more of it in pypi :P
[17:39:32] <sumanah> cooperlees: I worked on Zulip for a while and saw how type annotations helped us move faster, so now that I'm comaintaining Twine, why not
[17:40:05] <cooperlees> All my internal Python 3 is type annotated and checked via mypy
[17:40:44] <sumanah> cooperlees: cool. if you have any resources you think waseem18 and I should look at, other than the PEP & mypy & http://blog.zulip.org/2016/10/13/static-types-in-python-oh-mypy/ , lemme know
[18:20:44] <cooperlees> The typing library docs. mypy docs and running mypy should get them there :)
[18:35:31] <sumanah> pombreda: will you announce your license clarification work on distutils-sig?
[18:48:18] <pombreda> sumanah, when this is starting to take more shape. If you are interested in the details for the community, peer review and curation/license clarity side, there was a prese made recently there https://osls18.sched.com/event/Djsx/clearlydefined-enabling-project-success-through-metadata-jeff-mcaffer-microsoft-rashmi-chitrakar-qualcomm
[18:48:32] <pombreda> the pep side, I just need time :P
[18:48:42] <pombreda> so many fun things to do and so little time :P
[18:50:13] <pombreda> sumanah, and this is a project we do under the OSI umbrella https://opensource.org/clearlydefined
[18:50:31] <pombreda> I am proud to have coined the term FWIW :P