Log file Viewer
#pypa-dev logs for Tuesday the 18th of June, 2019
[14:05:10] <cooperlees> EWDurbin: Yeah, might just give up and go to dependbot, especially with their responses to other people having issues is 0
[15:46:39] <sumanah> WHOOO https://pyfound.blogspot.com/2019/06/pypi-now-supports-two-factor-login-via.html PyPI Now Supports Two-Factor Login via WebAuthn
[18:19:29] <sumanah> pradyunsg: and how goes the pip architecture document? is https://docs.google.com/document/d/1Wz2-ECkicJgAmQDxMFivWmU2ZunKvPZ2UfQ59zDGj7g/edit#heading=h.7pbapzlwwskq still the most up-to-date version?
[18:20:08] <pradyunsg> sumanah: resolver is pipelined after some work on pip's build logic -- the build/fetch logic was the only thing I couldn't get 100% working on that initial weekend-hackathon-style prototype.
[18:21:00] <pradyunsg> sumanah: the req package is getting refactored now. :P There's a new distributions package, that's new from the refactoring work that just began.
[18:40:54] <sumanah> pradyunsg: best wishes with this! and I presume that the most recent prose in the pip architecture document is still in that Google Doc?
[18:44:18] <sumanah> I'm working to understand how PyPI's security is going to stack up against other package repositories/registries. https://docs.npmjs.com/about-two-factor-authentication and https://blog.npmjs.org/post/166039777883/protect-your-npm-account-with-two-factor -- npm does have 2FA
[18:44:53] <sumanah> https://guides.rubygems.org/setting-up-multifactor-authentication/ RubyGems supports TOTP, evidently not WebAuthn
[18:50:43] <pradyunsg> sumanah: I haven't actually written any prose on this yet. :( Stuck between https://github.com/pypa/packaging.python.org/issues/320 and the pip refactor work.
[18:59:57] <sumanah> pradyunsg: that packaging.python.org issue sounds draining. Thanks for your work
[19:20:16] <sumanah> EWDurbin: so https://github.com/pypa/warehouse/issues/5790 "Send invitations when adding owner/maintainer roles" -- evidently David Bord finished all of this in https://github.com/DavidBord/warehouse/tree/fix-5790-send-invitations except for getting the tests to pass and he's been a little hard to get ahold of
[19:20:44] <sumanah> Since this feature will really help with a bunch of other stuff we'd like to build and ship as we improve the usability of the OTF-funded features, is there a chance you could take it on?
[19:21:37] <EWDurbin> i'm not against doing so, but it's not clear what it improves for the OTF-funded features :)
[19:22:21] <sumanah> EWDurbin: "Display whether fellow maintainers/owners have enabled 2FA #5791" and "Add ability to require 2FA for a given project #5792" are blocked on this I believe
[19:22:57] <EWDurbin> wouldn't want someone to be able to determine 2FA status just by adding other users to projects
[19:25:13] <sumanah> EWDurbin: I'd love to be able to do a Public Service Announcement push where I tell projects that have a lot of dependencies/stars/etc., "hey maybe you should require 2FA" and "check whether your fellow owners/maintainers have 2FA"
[19:30:30] <sumanah> EWDurbin: not yet. But I believe I can recruit a few volunteers to start (e.g. alanbato)
[19:33:48] <EWDurbin> cool, got the branch running tests now, let's see if i can get it up to the point for review
[19:34:08] <sumanah> cooperlees: ^ I remember you were working with David Bord at the sprints -- I don't think he's in IRC but you could give him a heads up that we're working on this
[20:39:06] <sumanah> EWDurbin: I think https://github.com/pypa/warehouse/pull/5801 (another PR by David Bord) is actually awaiting your review
[20:43:14] <sumanah> And EWDurbin I have a few small documentation fixes awaiting review: https://github.com/pypa/warehouse/pull/6046 & https://github.com/pypa/warehouse/pull/6039
[20:55:49] <EWDurbin> sumanah: thanks for the headsup on those. got one doc fix landed, need tests fixed on the others. i missed 5801 since no one poked me, so good call on poking me :-D
[21:09:48] <njs> asking as a maintainer who hasn't been following this in detail: what's the value in enabling 2FA, if I still have my upload password in plaintext in ~/.pypirc?
[21:17:16] <sumanah> It "safeguards against malicious changes to project ownership, deletion of old releases, and account take overs" to quote https://pyfound.blogspot.com/2019/05/use-two-factor-auth-to-improve-your.html
[21:17:50] <sumanah> njs: we are indeed working on that next step of giving you a scoped API key as a second auth factor to better secure package uploads
[21:29:55] <njs> hmm, fair enough. It's obviously a good thing to have and a natural first step, but I guess personally I'm more worried about someone shipping malicious code to users (which upload lets you do), versus those other things (which are inconvenient but fairly recoverable). I look forward to seeing how the upload workflow works!
[21:35:26] <sumanah> njs: I should actually backtrack and say: as I understand it, the scoped API key is going to (eventually) REPLACE username/password for package upload
[21:54:24] <sumanah> EWDurbin: Travis's build there failed for no good reason (can't apt install? really?) but I made an improvement and amended anyway. https://github.com/pypa/warehouse/pull/6046 is ready
[22:10:29] <toad_polo> dstufft: Link? My workflow has me decoding an encrypted file and passing it in some kind of environment variable...