[15:25:36] <woodruffw> sumanah: so, here are the two major UI/X items: the authentication flow (/account/two-factor) needs a tabbed view, one tab for each 2FA method. i think nlh already has a good mockup of what that'll look like. the second item is turning the current rudimentary WebAuth provisioning flow (/manage/account/webauthn-provision) into something more consistent with the TOTP provisioning flow + adding help text
[15:26:17] <woodruffw> i'm currently fixing unit tests on the WebAuthn PR, but it should be completely unblocked for nlh to hack at by EOD today :)
[15:27:01] <woodruffw> i'll also make a quick screencast of the current behavior for sharing in a bit
[15:29:23] <sumanah> pradyunsg: are you still in touch with the people from the sprints who are helping with pip bug triage and PR testing? do you remember their GitHub usernames?
[15:32:04] <sumanah> pradyunsg: found one. https://github.com/MKagesawa is at New York University btw!
[15:58:17] <cooperlees> New York, the center of PyPI :O
[15:59:01] <sumanah> dstufft: di_codes: EWDurbin: https://github.com/pypa/warehouse/pull/5795#pullrequestreview-237465594 woodruffw is waiting for your feedback on an auth flow choice
[15:59:47] <sumanah> cooperlees: the geographical center of PyPI is probably ..... actually you have just nerdsniped me and I am gonna stop before I get too into this
[16:04:22] <cooperlees> ahhh - yeah - don't waste time thinking about that :P
[16:04:28] <sumanah> nerdsniping is where someone says/asks a thing that causes nerds to start hairsplitting and thinking really hard and getting distracted from whatever they were doing
[16:04:49] <cooperlees> sumanah: Cheers - Urban Dict helped a lamer over here out :)
[16:04:49] <sumanah> on Sunday I accidentally did this by asking some game designers whether Dwarf Fortress is a roguelike
[16:24:58] <pradyunsg> I have to drop them a mail tho. I keep forgetting to get to that
[17:46:04] <sumanah> di_codes or EWDurbin -- I could use 5-10 min of your time sometime today as I work on what-depends-on-what issue organizing
[17:46:58] <EWDurbin> Howdy, was running around doing life maintenance work today reviewing backlog.
[17:47:31] <EWDurbin> sumanah: is this request more or less urgent than others?
[17:49:01] <sumanah> EWDurbin: more urgent than the "please vote" email -- this will help me organize the "what's left to do on OTF" assessment you want this week -- but can wait till tomorrow.
[17:49:40] <EWDurbin> sumanah: I can take some time this afternoon. How is 2:30 Eastern?
[18:34:33] <sumanah> EWDurbin: https://github.com/pypa/warehouse/issues/5758 manual account recovery process definition -- I think we can technically proceed and finalize OTF work without doing this. agreed?
[18:36:29] <EWDurbin> sumanah: we can proceed as is, technically OTF scope didn't include recovery codes. so if there is time left at the end i think they could be implemented there.
[18:36:49] <EWDurbin> as is, it falls on PyPI admins to perform the recovery process on behalf of users
[18:37:18] <sumanah> EWDurbin: next up: https://github.com/pypa/warehouse/issues/5863 skim the notification issues I have decided are blocked on this, tell me if you disagree on any
[18:37:37] <sumanah> EWDurbin: I conferred with woodruffw and we said: doing these the right way means waiting till event logging is in place
[18:38:14] <EWDurbin> that's an excellent point, if we have the audit trail it's the ideal thing to trigger those notifications off of.
[18:40:09] <sumanah> next up EWDurbin https://github.com/pypa/warehouse/issues/994#issuecomment-493171700 I note that the task will also cover adding token-based login support to twine and setuptools, to improve the security of uploads
[18:40:46] <sumanah> so if anything springs to mind re OTHER tools we will also need to plumb, feel free to say so to me now and I will go chase that down
[18:41:14] <EWDurbin> my presumption is that the token serves in place of the password, so clients don't actually have to change
[18:42:33] <sumanah> EWDurbin: ok. will check up on that as clarity grows :-)
[18:43:12] <sumanah> EWDurbin: and finally -- I'm basically getting the security milestone stuff in order in GitHub issues, but haven't gotten to a11y/i18n stuff yet, just FYI
[18:43:32] <sumanah> that's it -- thanks for the input
[18:43:44] <EWDurbin> that makes sense sumanah, i believe we'll have to get nlh involved with planning for those aspects
[18:46:30] <sumanah> who is a PyPI admin whom I can ask to check this support ticket about emails & user accounts? https://github.com/pypa/warehouse/issues/5560
[18:48:26] <EWDurbin> sumanah: i can look into that one
[19:26:07] <sumanah> di_codes: EWDurbin: a few days ago I was talking with Filippo Valsorda, who's been securing the Go package repo and would like to give us some thoughts on TUF and its applicability to PyPI. I think the best way forward would be an email intro so he can have a short call with y'all to offer advice. May I do so?
[19:37:12] <sumanah> EWDurbin: if you have additional TUF-related paper notes from the sprints, let's combine them with Lukas's notes, which are currently at https://docs.google.com/document/d/1Wz2-ECkicJgAmQDxMFivWmU2ZunKvPZ2UfQ59zDGj7g/edit#heading=h.3gosclwhhc50 ..... if you don't have any, then tell me and I will just move those into a GitHub issue for greater findability and permanence