Log file Viewer

[07:59:31] <pradyunsg> techalchemy: I'm not saying we should do it. I'm saying we could. Whether we do it or not, depends on how people use the current options. 🤷🏻‍♂️

[11:07:14] <graingert> sangy: it's not removing a feature it's just moving the feature into devpi

[11:11:29] <pradyunsg> graingert: it's still an expensive "move", none the less.

[11:51:24] <sumanah> https://discuss.python.org/t/pep-458-secure-pypi-downloads-with-package-signing/2648 dstufft has said that he is likely to approve PEP 458 (TUF on PyPI) this Friday

[11:56:59] <graingert> but I want TL :

[11:57:02] <graingert> :(

[11:59:13] <graingert> getting rid of --generate-hashes --require-hashes and just using something like echo "--tl-root=${pip get-tl-root}" >> requirements.txt would save me precious time

[12:07:19] <sumanah> graingert: hey have you shared your thoughts in https://discuss.python.org/t/pep-458-secure-pypi-downloads-with-package-signing/2648 ?

[12:07:41] <sumanah> (As I suggested in the GitHub issue?)

[12:07:50] <graingert> meh I feel everyone's too exited by all the different keys and types of cryptos that TUF requires

[12:08:11] <graingert> and I think my input would be ignored

[12:09:27] <sumanah> graingert: in my experience, people who write out cogent arguments for their perspectives have not been ignored in this PEP discussion thread

[12:09:42] <graingert> I also think TL solves a different problem

[12:09:59] <graingert> I just worry that TUF is a distraction from the problem I actually have

[12:10:04] <sumanah> graingert: if you're not willing to take 15 minutes to write out and edit a clear "here is what I think, here are the arguments I am hearing and here are my counterarguments" post....

[12:10:29] <sumanah> when you think that it will materially make a difference to PyPI whether PyPI adopts TUF and/or TL....

[12:10:55] <graingert> I mean TUF isn't bad and it doesn't prevent TL

[12:11:24] <sumanah> I think you are missing my point, which is less about the specific merits of TUF and TL

[12:11:26] <graingert> I'm happy to wait till TUF lands and then bring up PKI-free TL later

[13:08:20] <graingert> well I threw my 2p into that chat

[13:13:29] <pradyunsg> graingert: thanks! :)

[13:30:49] <jfl> How does a package available in search make it to https://pypi.org/simple/ ?

[13:48:10] <sumanah> glad you posted graingert

[13:48:46] <sumanah> jfl: are you asking how someone uploads a package to PyPI, or how it is that the search API works, or something else?

[13:48:53] <sumanah> https://warehouse.readthedocs.io/api-reference/

[13:49:00] <sumanah> https://packaging.python.org/tutorials/distributing-packages/

[13:49:29] <sumanah> jfl: also do you mean `pip search` or something like https://pypi.org/search/?q=zulip&o= ?

[13:51:34] <jfl> I've uploaded a package with twine and it can be found with pip search or search form on pypi.org but it's not shown on https://pypi.org/simple/

[13:53:04] <jfl> I was wondering if there was something more to do or some wait sumanah

[13:54:04] <sumanah> oh interesting. that I don't know jfl .... also I haven't used pypi.org/simple and am not sure whether it's meant to be all projects or some subset

[13:54:35] <jfl> Any isea where I should ask, sumanah?

[13:54:39] <jfl> idea

[13:54:47] <sumanah> here is good jfl - someone else, not me, may know

[13:57:52] <sumanah> jfl: if no one answers here within about 30 min, ask via an issue in https://github.com/pypa/warehouse/issues

[14:19:18] <sangy> graingert: TL's are useless without at least a little bit of PKI, and they are very much useless without any type of semantics being stored inside of the TL itself. PKI-free TL's are basically a git repository using sparse checkout or a consensus-free blockchain

[14:21:05] <graingert> sangy: they're a lot better than --generate-hashes --require-hashes though

[14:21:23] <graingert> sangy: what do you mean by semantics?

[14:21:51] <graingert> sangy: what what do you mean by a little bit of PKI?

[14:21:52] <sangy> graingert: --generate-hashes and --require-hashes would already be covered by TUF's snapshotting mechanisms I believe

[14:22:18] <graingert> The snapshots get expired

[14:22:57] <sangy> so, e.g., Trillian needs something called "personalities" in order to work. Those are the ones that e.g., verify that in case of CT the certificate chains are signed by a trusted root and so forth

[14:23:30] <sangy> there is a role in charge of signing the MHT, that *you* need to trust (i.e., either bake a trusted key for that signature to be verified or TOFU it out)

[14:24:21] <sangy> shapshots getting expired does not prevent the client to know which hashes are the right ones and which ones can coexist

[14:24:48] <graingert> But I can tofu the latest MHT into my requirements.txt

[14:24:51] <sangy> also, if things don't expired then you are pretty much likely to be vulnerable to replay attacks

[14:25:19] <graingert> I'm pinning my dependencies anyway so I'm already vulnerable to that

[14:26:16] <sangy> tofu the latest MHT won't let the system be aware of what dependencies are you interested on, unless there is something within your system that says "of all the members of this tree, I only care about all of those"

[14:26:35] <sangy> and in that case, how different would it be for you to just store a hash of all your wheels rather than the MHT?

[14:26:44] <sangy> a hash over all the wheels, to be clear

[14:27:21] <graingert> It saves me having to do it

[14:27:30] <graingert> --generate-hashes is slow

[14:28:05] <graingert> And makes a big text file

[14:28:37] <sangy> you would stil have to do it to verify against the upstream copy (the hashing). The big text file that you are talking about I said you hash all your wheels and store that single hash, rather than the MHT root. What is the difference there?

[14:29:08] <graingert> I'd be happy to that instead if pip supported it

[14:29:53] <sangy> fair, I'm just trying to scope what's the benefit of TL's that you are interested on. I guess verification time is something you're concerned about? or filesizes?

[14:31:03] <graingert> Operational complexity

[14:31:42] <graingert> Currently I run pip-compile --generate-hashes for a whole bunch of stuff and it takes ages and makes big text files

[14:31:52] <graingert> It taking ages is going to be fixed soon

[14:34:17] <graingert> https://github.com/jazzband/pip-tools/issues/543 sangy

[14:36:01] <sangy> fair, operational complexity is important

[14:36:17] <graingert> And instead I could have one MTH in the root of my repo

[14:36:26] <graingert> And use that everywhere

[14:38:11] <sangy> well, you'd still have to make your repo aware of what members are the one that matter

[14:38:39] <sangy> and in order to verify membership you'd have to build all the nodes/leaves that are necessary to confirm your wheels are members of the repo (say, we'd have to settle on what to put on the TL itself)

[14:38:53] <sangy> s/repo/tree/g

[14:39:32] <sangy> I'm also a little surprised by that issue, I'd assume that the hash information would be first queried from a local copy of the simple index (I assume a cached one)

[14:40:26] <sangy> I have to step out now to get to work, nice chatting!

[15:00:07] <techalchemy> graingert, 'moving a feature to devpi' is the same thing as removing a feature, because pip is not even a server

[15:01:56] <graingert> techalchemy: the use would be pip only supports one secure index so you use devpi to flatten multiple potentially insecure indexes into one

[15:02:10] <techalchemy> no i understood