PMXBOT Log file Viewer

#pypa-dev logs for Thursday the 30th of July, 2020

[17:54:54] <sumanah> argh I just realized that https://pip.pypa.io/en/stable/user_guide/#fixing-conflicting-dependencies has the old name for the flag
[18:03:12] <sumanah> ok https://github.com/pypa/pip/pull/8660 filed but even once we push it the /stable/ docs won't update till we make a point release :\
[18:22:18] <lb5tr> Hey
[18:23:09] <lb5tr> I remember talking here with sumanah about a year ago about namesquatting mitigation efforts in pypi
[18:23:15] <lb5tr> he then pointed to this https://pyfound.blogspot.com/2019/03/commencing-security-accessibility-and.html
[18:24:04] <lb5tr> does anyone know if anything has been publicly discussed/designed/implemented in this problem space?
[18:24:18] <lb5tr> I understand this is a very difficult problem, was just wondering how things are going :)
[18:29:29] <lb5tr> sumanah: apologies for assumed pronoun
[19:22:22] <sumanah> Hi! I'm Sumana. Thanks, yeah, I'm a she
[19:22:40] <sumanah> lb5tr: so, namesquatting
[19:24:34] <sumanah> lb5tr: the post you mentioned is one about the donor-funded work PyPI did on security, accessibility, and localisation -- the security features added were important and foundational for future stuff
[19:25:07] <sumanah> https://wiki.python.org/psf/PackagingWG#Warehouse:_Facebook_gift is tracking a different donor-funded project to improve PyPI: Cryptographic signing of artifacts, and malware detection
[19:26:41] <sumanah> lb5tr: https://github.com/pypa/warehouse/issues/4998 is about detecting packages published with typo-ish names, so, likely namesquatters. As Cristina says in the last comment: "If someone wants to contribute such a malware check, the documentation for how is here: https://warehouse.pypa.io/development/malware-checks/ "
[19:28:25] <sumanah> lb5tr: https://github.com/psf/fundable-packaging-improvements/blob/master/FUNDABLES.md#productionize-malware-detection the PSF would love to get help -- funding or volunteer time -- to make malware verdicts auditable, add a typosquatting check, and more
[19:43:53] <sumanah> pradyunsg: I think the resolver beta is working and people are testing the functionality!!
[19:44:49] <pradyunsg> \o/
[19:45:19] <sumanah> argh pradyunsg I forgot something
[19:45:25] <sumanah> https://github.com/pypa/pip/pull/8660
[19:45:49] <sumanah> pradyunsg: more urgent actually than 8661
[19:45:53] <sumanah> sorry
[19:46:11] <pradyunsg> I still have my browser open -- looking. :)
[19:46:38] <sumanah> Thanks
[19:48:02] <pradyunsg> sumanah: would it make sense to change the link in the terminal message to be /latest/ as well?
[19:48:12] <sumanah> yeah it would
[19:48:22] <sumanah> pradyunsg: I'll file that
[20:06:38] <sumanah> lb5tr: are you interested in working on namesquatting mitigation? or maybe you have an endeavor that depends on it?
[20:20:55] <kx-chen> !logs
[20:20:56] <pmxbot> http://kafka.dcpython.org/channel/pypa-dev
[20:24:54] <travis-ci> pypa/pip#17477 (master - 930aa5c : Pradyun Gedam): The build passed.
[20:24:54] <travis-ci> Change view : https://github.com/pypa/pip/compare/31299ee37058...930aa5c70855
[20:24:54] <travis-ci> Build details : https://travis-ci.org/pypa/pip/builds/713442566
[20:28:33] <lb5tr> sumanah: sort of, I worked on an analysis of the landscape of the problem last December
[20:28:40] <sumanah> Ah!
[20:28:46] <sumanah> can we see it?
[20:29:00] <sumanah> lb5tr: (I may have missed it, if you posted it publicly)
[20:29:10] <lb5tr> yeah, my paper will be released on ms security blogs soon
[20:29:13] <lb5tr> like within a few weeks
[20:29:18] <lb5tr> I'll post here once it's done
[20:30:04] <sumanah> lb5tr: oh neat! congrats! Since logs in this channel are not 100% reliable, could you also post to that GitHub issue?
[20:30:52] <lb5tr> I will!
[20:30:58] <lb5tr> Also, thank you for the info
[20:31:09] <lb5tr> I have to update a paragraph and this is going to be very useful
[21:23:04] <sumanah> Thanks lb5tr! I'm @brainwane on GitHub and I'm https://changeset.nyc in case you want to cite me
[23:45:55] <travis-ci> pypa/pip#17485 (master - 930aa5c : Pradyun Gedam): The build passed.
[23:45:55] <travis-ci> Change view : https://github.com/pypa/pip/compare/27b4980c6c747b10818fcaf11f0fe1bad72754fb...930aa5c70855a150a98503119d18536f91dfcc61
[23:45:55] <travis-ci> Build details : https://travis-ci.org/pypa/pip/builds/713500315