PMXBOT Log file Viewer

#pypa-dev logs for Thursday the 17th of October, 2019

[00:59:58] <pradyunsg> RJ722: FYI -- https://github.com/pypa/pip/pull/7225
[12:42:38] <Crys> Hi, this is Christian Heimes from Python core and Python Security Response Team. We just had somebody reporting already known issues with passwords in ~/.pypirc and "sudo pip install can destroy systems" on the security mailing list.
[12:44:21] <Crys> We told the reporter that these issues are known for years and that the reporter is free to talk about them. His reply sounded like he might write an angry blog post about pip.
[12:45:10] <Crys> I would like to forward the mails to some pip core devs and give you a chance to make a public statement in advance.
[12:46:40] <apollo13> oh hi Crys
[12:47:17] <Crys> hi apollo13
[12:47:23] <apollo13> Crys: may I nag you about https://github.com/tiran/socketfromfd/issues/1 ? (you asked for it ;))
[12:47:30] <Crys> EWDurbin is on the list, too.
[12:47:38] <apollo13> btw can't any package manager destroy systems? *scnr*
[12:48:30] <Crys> It's silly :)
[12:49:14] <Crys> ah, that bug
[14:07:25] <ngoldbaum> angry blog posts, the horror
[14:12:27] <Crys> He is now complaining about the fact some other core dev wrote a lengthy explanation and included him in CC.
[14:15:28] <mgedmin> will there be a website with a logo and a cute name?
[14:17:50] <Crys> I wanna have the shirt! And the plushy toy!
[15:34:11] <tos9> Crys: (FWIW probably you know about keyring support for pypirc?)
[15:34:41] <tos9> I think that the ticket asking to remove suggesting putting passwords in pypirc plaintext even got some progress recently
[15:42:01] <Crys> tos9: yes, the initial mail referred to https://github.com/pypa/packaging.python.org/issues/297 and https://github.com/pypa/pip/issues/4575
[15:57:13] <techalchemy> I mean it's not a bad idea
[16:12:22] <cooperlees> Anyone got a link - I'm another who needs to remove password.
[16:13:05] <cooperlees> Is token uploads done? Or am I dreaming that.
[16:13:59] <techalchemy> cooperlees, yeah that's done but I'm not sure if it's still in beta
[16:14:37] <techalchemy> someone may need to flip a switch or something
[16:14:51] <techalchemy> you may need to flip it yourself if you have access :p
[16:15:10] <cooperlees> I have 0 access in Python lands :(
[16:15:24] <techalchemy> same here
[16:15:39] <techalchemy> I have access to email people a lot and complain though
[16:16:02] <techalchemy> 'um excuse me, can you tell me who's in charge around here'
[16:16:09] <techalchemy> i guess that doesn't work here though
[16:16:29] <techalchemy> i would assume? hope?
[16:16:49] <cooperlees> http://pyfound.blogspot.com/2019/07/pypi-now-supports-uploading-via-api.html - No mention of twine
[16:17:03] <techalchemy> wait what
[16:17:24] <techalchemy> oh fair
[16:17:35] <cooperlees> I think you just change your password to the API Token?
[16:18:16] <techalchemy> i think you're supposed to post it over https and use the token as your credential
[16:18:49] <cooperlees> Cool - I can even scope them to particular projects. O yeah, this is hot.
[16:18:51] <techalchemy> Set your username to __token__, Set your password to the token value, including the pypi- prefix
[16:18:52] <techalchemy> https://pypi.org/help/#apitoken
[16:19:29] <cooperlees> Yeah - saw that after making one
[16:19:30] <cooperlees> Hot
[16:19:52] <techalchemy> yeah i was at a security discussion with some other packaging folks from some other languages / orgs and we seem to actually be pretty advanced on this front
[16:20:43] <techalchemy> maybe mid-tier on the package signing front because we are playing with distro maintainers
[16:21:53] <cooperlees> Hopefully my donated Facebook money will make that better H1 next year :D
[16:22:11] <cooperlees> The RFIs are out
[16:22:21] <techalchemy> you donated facebook's money?
[16:22:25] <techalchemy> do they know about that?
[16:22:31] <cooperlees> $100k to PSF
[16:22:43] <cooperlees> For PyPI Security work
[16:25:13] <techalchemy> cooperlees, interesting, I also just joined the Canonical Security Team in a partly sponsored role to work on packaging related things
[16:25:29] <techalchemy> also python integration
[16:26:05] <cooperlees> Nice. Hiring? :P
[16:27:04] <cooperlees> Ok - Next upload will use my token
[16:27:12] <cooperlees> Sweet.
[16:27:28] <techalchemy> cooperlees, probably
[16:27:30] <cooperlees> Love the "Security history"
[16:29:31] <techalchemy> cooperlees, if you do know anyone who is looking and you'd recommend I don't know if we are actually hiring but I think overall the team is growing and favors experienced developers
[16:29:39] <techalchemy> i guess security tends to be that way
[16:30:15] <cooperlees> I'll keep an eye out. I may be next year. Been here 7 years in January ... crazy.
[16:30:33] <techalchemy> i was at my last role for 5
[16:30:40] <techalchemy> i just kept checking that they were paying me market value
[16:30:43] <techalchemy> they stopped :p
[16:30:56] <cooperlees> O, I'm more want change. FB is huge now too
[16:31:02] <cooperlees> #bigCompanyFun
[16:31:20] <techalchemy> yeah that happened to us too, not quite at the same scale maybe... I don't actually know how big FB is
[16:31:27] <ngoldbaum> too big
[16:31:42] <cooperlees> agree
[16:31:51] <techalchemy> my company was also just a random non-technical archaic leviathan that refused to change anything
[16:33:10] <cooperlees> I will miss how stuff changes here going back to the real world
[16:33:26] <techalchemy> also I just bought a house and the property is nice to look at and i work remotely now
[16:33:55] <techalchemy> how does stuff change?
[16:34:13] <cooperlees> new services and things get deprecated all the time. Our infra is forever growing etc. etc.
[16:34:35] <techalchemy> ah yeah
[16:34:53] <cooperlees> WE always use latest and greatest things ... Which is nice.
[16:34:58] <techalchemy> that's so different, such few places like that
[16:35:11] <techalchemy> everywhere just gets stuck in an old thing that sucks usually
[16:35:18] <techalchemy> but they're too scared to migrate forward
[16:35:21] <cooperlees> We have legacy, don't get me wrong.
[16:35:34] <cooperlees> But very few places try to move out of it as aggressively
[16:36:01] <techalchemy> it's hard to do cost benefit on the tradeoffs there
[16:36:14] <techalchemy> there's a tipping point though and it's probably a lot earlier than most people think
[16:38:35] <cooperlees> We're employed at a "tech company" so if it makes sense and we get benefits from a new technology etc. we should be using it ...
[16:38:46] <cooperlees> Or improving it
[16:39:00] <cooperlees> You do get to focus deep on your part of the product / infra here
[16:40:23] <techalchemy> my last job i could kind of do whatever i decided was important which was nice
[16:41:21] <techalchemy> but in the same way it seems like i might need to learn a few things pretty deeply here because canonical's security team needs to be able to make statements about stuff and not be wrong etc
[16:41:46] <cooperlees> Test and POC - Never assume.
[16:42:38] <techalchemy> just take everyone at their word, all the best code gets written that way