PMXBOT Log file Viewer


#pypa-dev logs for Wednesday the 19th of February, 2020

[00:46:16] <techalchemy> wow warehouse is getting automated malware checks?
[05:21:55] <pradyunsg> techalchemy: yup.
[05:22:41] <pradyunsg> techalchemy: https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFP.md#milestone-2---systems-for-automated-detection-of-malicious-uploads
[05:23:03] <pradyunsg> techalchemy: there was an RFP too!
[05:23:07] <techalchemy> pradyunsg, was that announced somewhere? I mentioned that idea a bunch of times in october
[05:24:21] <techalchemy> i was at a meeting with people from a bunch of other ecosystems discussing that exact thing and was trying to find someone to talk to about that at the same time as i was pushing the typo squatting thing
[05:24:25] <pradyunsg> techalchemy: https://pyfound.blogspot.com/2019/09/pypi-security-q4-2019-request-for.html
[05:24:41] <pradyunsg> techalchemy: yea, the GitHub event, right?
[05:24:49] <techalchemy> yeah
[05:25:37] <techalchemy> i don't get why there is a random blogspot i need to track for things
[05:26:37] <techalchemy> not like i'd see it but is this being tracked anywhere else?
[05:26:55] <techalchemy> also pradyunsg not your job obviously to answer these questions :p
[05:26:59] <techalchemy> feel free to ignore
[05:27:34] <pradyunsg> techalchemy: https://github.com/pypa/warehouse/milestone/16?closed=1
[05:27:45] <techalchemy> yeah i found the issue on warehouse now too
[05:27:46] <pradyunsg> ^GH milestone for the work
[05:28:31] <techalchemy> but there wasn't like any public discussions of it or announcements of who is doing it or anything?
[05:28:41] <pradyunsg> https://github.com/pypa/warehouse/issues/4998#issuecomment-587961652 — the work is almost done now.
[05:29:55] <techalchemy> yeah that's the bit where i was surprised because there was no information (from my perspective) and then suddenly it was implemented which i found a bit surprising
[05:30:21] <pradyunsg> techalchemy: I don’t think there was any need for discussions, since there’s basically consensus that we should do this. :P
[05:30:36] <pradyunsg> techalchemy: AFAICT, most of the work done till now has been "set up for malware checks", and not the actual malware checks themselves. :)
[05:31:13] <techalchemy> pradyunsg, typically if a project gets funding you would announce where the funding went, who got it, what they are doing, etc
[05:32:32] <techalchemy> esp a project like warehouse where you are implementing upload introspection tools, like, what is the plan for that, some kind of enforcement clearly, but who is doing the enforcing, based on what, will any of it be automated, are we looking to sustain funding for full time staff to help manage that
[05:33:06] <pradyunsg> EWDurbin: di_codes: sumanah: ^ (I guess)
[05:35:51] <techalchemy> malware detection is super complicated and discussion could have also helped around like, does it make sense to actually build your own malware engine? I'm guessing the patterns being searched are ones that have caused problems in the past? Anyhow I just feel if you're gonna give out money you really need to announce where it's going and how it's being spent
[05:37:03] <techalchemy> the system itself is super cool though, and exciting
[05:39:13] <techalchemy> (would have been cool to mention this for instance back when I was asking about it and chatting with all the other package managers)
[14:38:16] <toad_polo> sumanah: EWDurbin: di_codes: I have pasted the announcement on discourse: https://discuss.python.org/t/pycon-us-2020-packaging-summit-registration-and-topic-proposal/3341
[14:38:28] <toad_polo> If y'all can tweet about it from @ThePyPA let me know, I'll retweet.
[14:39:13] <EWDurbin> i don't think i have login for @ThePyPA but i can def tweet from @pypi!
[14:39:53] <EWDurbin> oh no wait, just realized i had an invite for @thepypa on tweetdeck :)
[14:39:57] <EWDurbin> @toad_polo going out now
[14:40:16] <pradyunsg> EWDurbin and Twitter. :P
[14:40:18] <techalchemy> toad_polo, any specific topics you are hoping to cover?
[14:40:53] <toad_polo> techalchemy: That's what the topic proposal form is for.
[14:40:59] <pradyunsg> techalchemy: http://bit.ly/python-packaging-summit-2020-topics. :)
[14:41:15] <toad_polo> I have many action items, none of them blocked on anything except me, so I personally don't have too many blockers.
[14:41:28] <techalchemy> fair
[14:46:45] <EWDurbin> toad_polo: https://twitter.com/ThePyPA/status/1230141558982311936
[14:47:24] <toad_polo> Nice, thanks EWDurbin!
[14:47:32] <pradyunsg> Thanks @EWDurbin
[15:14:50] <toad_polo> sumanah: Do you have any sort of index of all the post-summit issues / threads you spawned as follow-ups last year?
[15:15:09] <pradyunsg> It’s in one of the discourse threads.
[15:15:15] <toad_polo> I'm thinking of updating the summit page with some more details (too late for the blog post, unfortunately).
[15:15:25] <pradyunsg> toad_polo: https://discuss.python.org/t/pycon-us-packaging-mini-summit-2019/833/60?u=pradyunsg
[15:16:06] <pradyunsg> toad_polo: let me know if that’s what you were for. :)
[15:16:20] <toad_polo> pradyunsg: Yes, exactly so :)
[17:27:45] <nicksloan> is there any discussion or work being done toward a public API for pip? pipenv is a recommended tool, and yet it relies on an _internal API that has shifted a few times recently, leading to issues with our builds
[17:40:50] <pyusr> anybody here ?
[17:55:30] <pradyunsg> nicksloan: there's some discussion on pip's GitHub issue tracker. Searching closed issues for API might surface them. :)
[17:55:36] <pradyunsg> pyusr: yes.
[17:56:21] <pyusr> pradyunsg: i've written it in #pypa i'll gist the bug report and paste it here
[17:56:38] <pyusr> basically ubuntu 16.04 with system python-virtualenv is borked cause of setuptools 45.0.0+
[17:57:25] <pradyunsg> pyusr: no need. I'm on #pypa too. :)
[18:17:32] <sangy> pyusr: could that just be a silly packaging issue in the ubuntu side of things?
[18:17:42] <pyusr> sangy: https://github.com/pypa/packaging-problems/issues/325
[18:17:58] <pyusr> of course, but this is a valid workflow that stopped working
[18:18:21] <sangy> right, what i wonder if it'd be more effective to reach out to downstream to fix that
[18:18:39] <pyusr> I have no idea who the people are responsible there
[18:18:58] <pyusr> and my previous experience was bad (their modified pip borked numpy 1.15 on many systems)
[18:19:18] <sangy> ouch
[18:21:05] <sangy> I don't know any ubuntu devs unfortunately. Do you know if this happens in, say, debian oldstable/stable?
[18:21:56] <pyusr> sangy: check my previous experience: https://github.com/numpy/numpy/issues/12736#issuecomment-457097276
[18:22:00] <pyusr> this borked tons of systems :)
[18:22:26] <pyusr> you can cut and paste my repro there in any docker, I would guess it's ok there (it worked ok in ubuntu 18.04)
[18:23:24] <sangy> sec, lemme try that out. I wonder if I can pester the right people downstream for a positive change haha
[18:24:46] <sangy> all in all i'm not very fond of downstream patching sources to like they did in numpy there
[18:26:19] <sangy> boo, can't reproduce on oldstable ;/
[18:31:05] <sangy> pyusr: i know it's not ideal, but pip install setuptools==44.0.0 goes a long way there :S
[18:32:03] <pyusr> you mean pip uninstall setuptools
[18:32:21] <pyusr> then pip install setuptools
[18:32:47] <sangy> no, just pip install setuptools==44.0.0 works as well
[18:33:50] <pyusr> cool, I wonder why :) anyhow, most people won't know that
[18:34:20] <sangy> fair, that's why I say it's not ideal
[18:36:03] <pyusr> guess it's not that popular of a workflow if the first report is 1.5 months after the change :)
[18:36:44] <sangy> I personally never use ubuntu because I've had similar issues in the past
[18:37:08] <sangy> also that tendency to keep every single kernel around is just weird imvho