Log file Viewer
#pypa-dev logs for Friday the 25th of May, 2018
[15:28:33] <asmacdo> dstufft, cooperlees, the POC for the hypermedia api is up (tests are passing). i'm around, PM's are welcome. https://git.io/vhLCr
[16:06:13] <dwighthubbard> asmacdo that looks like a lot more fleshed out than last time I looked at it.
[16:40:49] <asmacdo> dwighthubbard: thanks! As this moves forward, I could use some help developing specific use cases and workflows to enable them. https://pad.sfconservancy.org/p/hypermedia_api_design
[16:44:09] <dstufft> cooperlees: ish, my computer is randomly going to sleep every like 5 minutes, so trying to figure out wtf is going on
[16:57:04] <cooperlees> LoL - what a lazy computer :) Would love to know you thoughts and what our chances are of merging https://github.com/pypa/pip/pull/5400
[16:58:54] <cooperlees> techalchemy: Yes, we want to get rid of the XMLRPC API. asmacdo, bizhang and I worked on a POC @ PyCon
[16:59:40] <techalchemy> yes i know about the xlmrpc plans and I saw the issue from 5 years ago on github but I didn't see any discussion of what specific features are going to be implemented here
[17:00:03] <techalchemy> so I'm not sure where that is happening but that conversation is one I have some thoughts about
[17:01:18] <asmacdo> we pulled a lot of ideas from https://github.com/pypa/warehouse/issues/284, and also got a fair amount of in-person feedback. the design document is https://pad.sfconservancy.org/p/hypermedia_api_design
[17:01:36] <cooperlees> di and dstufft were pretty verbose on https://github.com/pypa/warehouse/issues/284 and asmacdo spells out a lot here: https://pad.sfconservancy.org/p/hypermedia_api_design
[17:04:30] <techalchemy> right, I'd be happy to provide feedback to you guys, the last thing I read was that it didn't make sense to make a proof of concept yet so I didn't realize it was time to be giving feedback or that designs were being nailed down
[17:05:39] <asmacdo> techalchemy: no worries. feedback is welcome, even if you completely hate the design :)
[17:06:17] <asmacdo> ah, for specific stuff, maybe the etherpad is best. ive got a TODO going with use cases
[17:09:12] <techalchemy> i want package version listings by python version (major/minor/patch) if wheels are available
[17:10:59] <asmacdo> techalchemy: I'm also interested in improving the dependency metadata. I have a use case to retrieve deps without having to crack open every wheel.
[17:11:58] <techalchemy> so dependency metadata (and all package related metadata) being accessible via API is really important
[17:12:45] <asmacdo> techalchemy: The API can be improved there, but I think that the metadata itself is a problem
[17:14:03] <techalchemy> we use piptools on the backend and we actually vendor and patch pip10 now quite heavily internally and we use our own wheel / build caches
[17:14:57] <cooperlees> techalchemy: Have you talked with the condo guys? They are super keen to help with all the dep calculation etc. ?
[17:15:10] <asmacdo> techalchemy: do you happen to know off hand which fields of which models you need?
[17:15:20] <techalchemy> yeah the problem is that implementing an actual resolver is basically impossible
[17:17:24] <asmacdo> techalchemy: there are a few nasty db calls i want to do, and i am hopefully that good use of caching will make up for it
[17:17:51] <techalchemy> fields we need would be like, install_requires, extras_require (if extras), markers, specifier / specifierset, sha256 / links and refs to the other uploads of the same version of the project but sdist/wheel for other python/etc
[17:24:45] <asmacdo> techalchemy: i'll need to dig into how `Release.requires` works under the hood to see if it is reasonable to expose. In a perfect world it sounds like you just need /projects/{name}/releases/{version}/ which returns a link to /projects/{name}/releases/{version}/files/
[17:31:28] <asmacdo> brainstorming here, but maybe it would be worth separating this into a new endpoint, like /dependencies/{name}/{version}/
[17:31:58] <techalchemy> it's somewhat complicated because of the various ways dependencies can be exposed
[17:33:12] <asmacdo> heres a silly question, for a single Release, can we assume that the dependencies of each File are all the same?
[17:35:16] <asmacdo> OK. to start with, how about /dependencies/{filename}/ , response would link to /projects/{name}/releases/{version}/files/
[17:36:26] <asmacdo> unfortunately though, i *think* any `requires` metadata is stored on the release, not the file. so we might be talking about cracking open a tarball.
[17:40:56] <techalchemy> sdist 'requires' metadata needs to be supplemented by setup.py no matter what
[17:43:24] <dstufft> replacing the /simple/ API is more complex than replacing XMLRPC and the hacke dup JSON api
[17:43:43] <dstufft> because we're going to want to layer TUF ontop of it, which comes with it's own constraints
[17:49:47] <techalchemy> i have no issue with that if you want to keep this fuckery out of the new api
[17:56:54] <dstufft> techalchemy: the thing about dep solving and downloading packages and suff is the intent is you shouldn't have to trust PyPI the service, there should be strong cryptographic signatures backing that
[18:00:45] <techalchemy> well in practical terms at the end of the day you have to trust whoever wrote the the code to tell you waht it needs
[18:16:17] <dstufft> someone mentioned the thread on the list and I'm like... uh what? People are talking there??
[21:33:02] <cooperlees> dstufft: had any time for that pip PR or ours? https://github.com/pypa/pip/pull/5400
[21:33:02] <cooperlees> I really just want to know if it's going to be blocked or not. If not I'll fork for now and continue on internally with that.
[22:33:15] <cooperlees> So active committers can have specific discussions that don't need to go to the world and are recorded - This was discussed @ PyCon - I thought you were there.
[22:48:22] <njs> cooperlees: but IMO it's not a great idea, except maybe as a short-term thing; we already have a lot of fragmentation of communication channels, and a lot of frustration comes down to people not feeling like it's possible to keep track of what's happening or what decisions are made – makes it hard to have a shared vision and move in the same direction
[22:50:01] <njs> if it's like, used for a focused discussion on how to refine and streamline our communications then I'm all for it, but it's frustrating to realize "oh surprise there's another list and discussions happening that you care about but you didn't know about it or have a chance to participate"
[22:52:49] <cooperlees> So these conversations were just happening in mail threads before this list.
[23:14:16] <dstufft> njs: it's basically "we need to figure out communication and governance and what that means for us, and probably a random thread with 20 people in CC's that Donald started isn't the best way to structure this until we figure out the long term real solution"
[23:16:22] <njs> I agree, the private email thread with lots of CCs is even worse on all the dimensions I'm talking about :-)