[14:18:28] <sumanah> trishankdatadog: so while you are concentrating on Python packaging/distribution stuff today there are a few issues I would particularly like you to give your opinion on
[14:18:35] <sumanah> 2FA: "trust this device for 30 days" option
[14:18:46] <sumanah> https://github.com/pypa/warehouse/issues/5864 Audit log: what should Maintainers of projects see?
[14:19:04] <sumanah> Tell us what project Owners should see that Maintainers shouldn’t see in the audit log (so: if you maintain a PyPI package with other people, how do you use the owner/maintainer distinction?)
[14:19:34] <sumanah> and https://github.com/pypa/warehouse/issues/5825 2FA Ask for password not username when disabling 2FA -- what do you think?
[14:35:10] <trishankdatadog> sumanah, on https://github.com/pypa/warehouse/issues/5867: this is a great idea, i don't see any issue from a security point of view, many companies do it (including
[14:35:40] <trishankdatadog> Amazon), so the major security issues will really be on the server-side, on how we handle sessions in Warehouse, but that's it
[14:35:50] <sumanah> trishankdatadog: cool - would you mind saying that on the GitHub issue? Thanks!
[14:36:14] <sumanah> remind me bhrutledge -- are you interested in mypy?
[14:36:51] <bhrutledge> sumanah: yes, though I haven't used it yet
[14:37:08] <sumanah> bhrutledge: https://blog.zulip.org/2016/10/13/static-types-in-python-oh-mypy/ is a guide to adding the optional static typechecking to your application .... it would be great to get it into Twine, IMO
[14:37:23] <sumanah> and there are some open PRs to help towards that goal
[14:41:04] <sumanah> jaraco: could you review https://github.com/pypa/twine/pull/460 ?
[14:43:54] <sumanah> mkagesawa: you saw pradyunsg's email about "Pointers for pip issue triage"?
[14:45:51] <sumanah> trishankdatadog: https://github.com/pypa/warehouse/issues/5863 is the issue re the audit log .... maybe you could comment, based on your experience, about what the set of "sensitive" events is?
[14:46:22] <trishankdatadog> sumanah: yes, let me take a look at what all the events being logged are
[14:47:41] <sumanah> trishankdatadog: https://pyfound.blogspot.com/2018/12/upcoming-pypi-improvements-for-2019.html and https://pyfound.blogspot.com/2019/03/commencing-security-accessibility-and.html might be interesting for you
[14:48:08] <sumanah> trishankdatadog: I figure that creating a test PyPI account https://packaging.python.org/guides/using-testpypi/ and using it to upload test package(s) will help you see what the current experience is like
[14:48:26] <sumanah> trishankdatadog: in case you need the reference for how we currently advise you do that: https://packaging.python.org/tutorials/packaging-projects/
[14:51:56] <seongsoocho> sumanah: Hi. I can work today. (Maybe about 12 hours from now.) My timezone is UTC+9.
[14:54:28] <sumanah> trishankdatadog wanted to know: what is actually logged? what kinds of actions are possible, for a user or package (project) in Warehouse?
[14:56:30] <sumanah> trishankdatadog: the associated GitHub issues that https://github.com/pypa/warehouse/issues/5863 links to may be a good place to start
[14:57:25] <sumanah> for instance: a new package (a new release within a project) is uploaded; a user disables or enables a 2FA method; User A removes User B from an owner/maintainer role within a project....
[14:58:08] <sumanah> woodruffw: if you already have a resource somewhere listing the kinds of sensitive actions we will probably want to cover in "Audit trail: implement auditable event logging for sensitive actions" #5863 speak up here or on the issue?
[14:59:17] <sumanah> pradyunsg: mkagesawa is sitting next to me and is working on an issue -- Masaki, which issue are you looking at right now?
[15:00:32] <sumanah> Thanks mkagesawa -- please feel free to ask questions here if you're stuck in trying to reproduce or understand that issue, and pradyunsg can help
[15:03:43] <pradyunsg> Awesome mkagesawa! Please do ask any questions that you may have. I'm around for at least 3 more hours.
[15:08:34] <mkagesawa> so for this issue why is it trying to connect to localhost?
[15:08:41] <mkagesawa> i'm not sure how to reproduce the error
[15:11:08] <woodruffw> sumanah: yup! i'll add to that issue. i'll also be at the sprint soon, got a bit of a late start today
[15:12:42] <sumanah> cool! woodruffw I totally understand. :)
[15:12:57] <bhrutledge> jaraco: It looks like this PR can be closed: https://github.com/pypa/twine/pull/357 (per di_codes)
[15:12:59] <sumanah> it's optional anyway -- any of your time we get today is gravy as far as I am concerned :)
[15:15:11] <sumanah> mkagesawa: you said you're having trouble reproducing the issue .... what have you tried?
[15:15:16] <pradyunsg> mkagesawa: Yep. I think that's a good question to ask OP. ISTM that they might have something specific to their machine that's causing this. (hosts file, networking/firewall issues etc)
[15:17:32] <sumanah> (the person who submitted the issue)
[15:18:06] <sumanah> also, mkagesawa, if you are trying to triage an issue and the user used an old version of pip, there's a possibility that it's been fixed between now and the most recent version!
[15:18:41] <bhrutledge> Thanks jaraco. sumanah is referring to https://github.com/pypa/twine/issues/465. I wondered if it might be related to https://github.com/pypa/twine/issues/362. However, I've set those aside to look into mypy.
[15:19:04] <mkagesawa> sumanah: so I should also recommend them in the reply to try using the newest version and see if issue persists?
[15:19:37] <sumanah> mkagesawa: I'm inclined to say that -- pradyunsg could you advise? also pradyunsg when you label an issue "triage" what does that mean?
[15:19:44] <jaraco> I’m on mobile now. Later this afternoon I’ll look at those others in depth.
[15:20:24] <sumanah> mkagesawa: https://www.mediawiki.org/wiki/Bug_management/How_to_triage let's take a look at this together
[15:21:58] <bhrutledge> jaraco: Thanks. On the mypy note, it looks like https://github.com/pypa/twine/pull/359 builds on the PR you just closed. I wonder if that should also be closed, maybe with a reference in https://github.com/pypa/twine/issues/231?
[15:22:03] <pradyunsg> sumanah: currently, issues that either haven't been looked at by the maintainers (a bot auto labels new issues) or need a maintainer to take a look (manually tagged). Initially it was a more curated list but I gave up on that. :)
[15:25:10] <pradyunsg> The bunch that was sent over is fairly representative of the most common issue types and one of them can be worked on, if time permits.
[15:25:56] <pradyunsg> mkagesawa: yep. And also to post clear instructions with a minimal example of how to reproduce
[15:29:22] <pradyunsg> mkagesawa: the "What and Why" link in the MediaWiki link sumanah posted is definitely relevant!
[15:29:37] <mkagesawa> pradyunsg: thanks! i'm taking a look
[15:30:57] <pradyunsg> sumanah: do you reckon it's a good idea to add similar text to pip's development docs?
[15:31:39] <sumanah> pradyunsg: yes, but, if I had to prioritize, finishing the architectural overview ought to come first
[15:33:45] <pradyunsg> Definitely. I was thinking of filing an issue for this documentation update, so that I minimize the number of things in the back of my head!
[15:38:00] <sumanah> pradyunsg: if you're doing that, also link to https://www.mediawiki.org/wiki/Bug_management/How_to_triage#Other_triaging_documentation_sources which has links to other triaging guides, so we can steal from the best :-)
[15:47:26] <sumanah> btw trishankdatadog, mkagesawa - https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/23 is the current progress report on what woodruffw and the rest of the team just did to improve PyPI security
[15:53:25] <sumanah> mkagesawa: ^ in case you want to see the last few minutes of logs :)
[15:54:34] <sumanah> trishankdatadog: whatever you find in your archaeology, re: what we currently log, would you briefly summarize that in a comment on the issue? :-)
[16:11:35] <sumanah> mkagesawa: https://github.com/pypa/warehouse/issues/5247 is about TUF and Warehouse
[16:23:17] <sumanah> in case anyone is curious: Trishank is helping Will do a SQL thing, Trishank is working to understand what actions we currently log and what we might want to log, Brian is working on mypy support in Twine, and Masaki is figuring out how to phrase a question to a pip bug reporter
[16:33:53] <woodruffw> hey dstufft: do you know if there's a human-friendly string generator anywhere in the warehouse codebase? looking to generate default labels for webauthn keys; i can add a small util module or dependency if it doesn't already exist
[16:34:30] <sumanah> mkagesawa: https://dpaste.de/riOF is my suggested edit.
[16:34:57] <sumanah> trishankdatadog: https://warehouse.readthedocs.io/application/#usage-assumptions-and-concepts on a conceptual level
[16:35:57] <sumanah> trishankdatadog: and https://pypi.org/help/#collaborator-roles
[16:36:02] <sumanah> Maintainer: Can upload releases for a package. Cannot add collaborators. Cannot delete files, releases, or the project.
[16:36:02] <sumanah> Owner: Can upload releases. Can add other collaborators. Can delete files, releases, or the entire project.
[16:37:51] <sumanah> di_codes: ^ woodruffw's question, in case you have an answer
[16:45:16] <bhrutledge> jaraco: I'm starting with https://github.com/pypa/twine/pull/344/, to get a sense of the work so far, and how I might build on it.
[16:45:38] <bhrutledge> ^ "work so far" == "mypy work so far"
[19:06:25] <sumanah> ofek: so a few of us are sitting around a table in NYC settled into various Warehouse & Twine tasks
[19:07:01] <sumanah> ofek: if you already have ideas/plans for things you'd like to work on with us right now, I'd love to hear them -- otherwise I have some questions/thoughts
[19:07:13] <sumanah> ofek: (and I hope your recovery is swift)
[19:08:12] <ofek> sumanah: I'll gladly hear those questions/thoughts! and thanks
[19:10:01] <sumanah> ofek: because of your interests in security, I would appreciate your opinion on some of our Warehouse security questions, such as https://github.com/pypa/warehouse/issues/4164 "Handle security implications of PEP 561 type hinting packages"
[19:11:29] <sumanah> (I recognize that's only 1 of your interests)
[19:13:52] <sumanah> ofek: I'd also appreciate your opinion on https://github.com/pypa/warehouse/issues/5864 "Audit log: what should Maintainers of projects see?"
[19:15:56] <sumanah> ofek: if you'd like to do something less talk-y and more bug-fixing or feature-building, depending on how much time you would like to spend, I of course know of a few things that we could use help with -- are you here today for more like 30-60 min or longer?
[19:17:00] <trishankdatadog> i can vouch that ofek is one of the most pythonic and proficient hackers i know
[19:17:16] <ofek> sumanah: ~1 hour. I'm looking at #4164 now
[19:28:36] <sumanah> and ofek if you feel like adding a small feature, https://github.com/pypa/twine/issues/459 (proposed by bhrutledge) would be welcome! ("Show Warehouse URL after `upload`")
[19:29:32] <bhrutledge> sumanah and ofek: I had some initial thoughts on that, and I'm not sure it's as small a rock as I initially thought.
[19:30:51] <ofek> sumanah: I don't see any security implications of #4164, however, it is definitely annoying to not be in control of said package by default. that actually happened to me https://github.com/planetarium/coincurve-stubs
[19:32:04] <ofek> I appreciate that org helping out, but now I've no control :)
[19:33:27] <ofek> also, is namespacing an active goal?
[19:37:08] <trishankdatadog> ofek, did they steal your source code?
[19:37:11] <sumanah> ofek: maybe you could comment on the thread https://discuss.python.org/t/namespace-support-in-pypi/1609/33 in case you want to +1 or -1 any of the points there?
[19:38:43] <ofek> trishankdatadog: nope, just provided a type hinting package for one of my more popular projects
[19:44:23] <trishankdatadog> ofek, i found a nice thing we can work on
[19:44:50] <trishankdatadog> a common developer_experience label is that some of the Makefile tasks don't use Python-based containers, but use virtualenv on your machine
[19:44:57] <trishankdatadog> and assume fixed Python versions
[19:45:34] <trishankdatadog> so take a look at the reformat, lint, and so on
[19:45:44] <trishankdatadog> basically, any task that assumes $BINDIR
[19:46:34] <trishankdatadog> it's a small pain, but basically one-time conversion to container tasks
[20:11:44] <ofek> bhrutledge: hey there! what are some of your concerns about your twine FR?
[20:14:26] <bhrutledge> ofek: I could be wrong, but as I've learned the codebase, it seems `twine upload` doesn't really have a concept of a "release" composed of multiple files; it just uploads dist files, and PyPI creates the release.
[20:23:07] <sumanah> ofek: hey - I think I was wrong to suggest that particular Twine issue for you, partly because it's something Brian has already started some prework/design on -- I now agree with Trishank re the Makefile issues in Warehouse being a great avenue for you instead
[20:23:40] <sumanah> you are of course free to work on what you like :-) but yeah we really are lacking for people to tackle that developer experience stuff https://github.com/pypa/warehouse/issues?q=is%3Aopen+is%3Aissue+label%3A%22developer+experience%22
[20:30:33] <jaraco> Okay. I think I’ve caught up on the requests above - let me know if there’s still anything that could use my attention.
[20:36:44] <sumanah> Thank you jaraco! Looking now
[20:39:00] <sumanah> jaraco: I see https://github.com/pypa/twine/pull/437 -- making twine Python 3 only -- is waiting till you and Thea are ready to release Twine 2.0?
[20:39:46] <sumanah> or rather that's what Ian said, but it sounds like now that kind of decision is up to you + Thea
[20:40:47] <sumanah> jaraco: so that would probably be good to clarify, if you're up for it
[20:40:56] <sumanah> jaraco: there's 1 more thing I can see in Twine: if I ask goodtune to rebase https://github.com/pypa/twine/pull/350 against master ("Add two new optional configuration locations to consider.") would you be inclined to review it?
[20:58:33] <jaraco> Thanks sumanah. I’ve added comments in both PRs. I’ve given a high-level review and presented some concerns on 350. If those concerns are assuaged, then I’d be happy to do a more in-depth review of a refreshed PR.
[21:02:11] <sumanah> Much thanks on both of those jaraco!
[21:03:35] <sumanah> We're wrapping up our NYC sprint -- Trishank created some PRs, Masaki responded to a few pip issues that needed triaging, William got Trishank up to speed on some MFA stuff and got further on WebAuthn, Brian made progress on mypy in Twine, and I did some issue responses, made a Warehouse docs PR, and created some more granular Warehouse issues for the upcoming i18n work
[21:05:02] <bhrutledge> Thanks jaraco and sumanah!