#pypa logs for Saturday the 15th of February, 2014

[00:35:35] <qwcode> dstufft, PEP449 recommends bandersnatch mirror client for private mirrors, but it doesn't verify certs. should people be concerned?
[00:36:23] <dstufft> lol
[00:36:24] <dstufft> yes
[00:36:40] <qwcode> dstufft, why is it recommended?
[00:39:17] <qwcode> is devpi-server secure?
[00:40:30] <dstufft> no idea if it is or not
[00:40:38] <dstufft> and it's recommended b/c it's better than the alternatives
[00:44:33] <qwcode> looking at devpi now. btw, I asked on the devpi list about how it handles the "same version, but new file" issue in its cache. never got a clear answer
[00:45:44] <dstufft> qwcode: you should file a bug with bandersnatch
[00:45:47] <dstufft> I thought it used requests?
[00:46:36] <qwcode> hold on, let me look closer, I do see requests in its requirements file. maybe false alarm
[00:47:00] <Alex_Gaynor> trav
[00:51:31] <qwcode> dstufft, ok, so I guess the mirror protocol involves rpc requests to get the changelog, and that part looks like vanilla xmlrpclib/httplib
[00:52:00] <qwcode> but the files get through a requests session
[01:27:46] <qwcode> not sure, but seems like the bandersnatch changelog request could just be spoofed with bogus package urls
[01:41:45] <qwcode> nope, the changelog returns package names.
[02:04:47] <dstufft> qwcode: you could prevent the mirror from updating a particular package
[02:04:57] <dstufft> like if pip found a serious security flaw, and issued a 1.5.3 to fix it
[02:05:04] <dstufft> you could block 1.5.3
[02:05:13] <qwcode> https://bitbucket.org/ctheune/bandersnatch/issue/40/bandersnatch-security
[02:05:39] <qwcode> can requests be used to build a transport for xmlrpclib
[02:07:35] <qwcode> so, yea, blocking an update sounds like the worst thing
[02:12:32] <dstufft> qwcode: I have xmlrpc2 which uses requests
[02:13:43] <qwcode> dstufft, ok, so it sounds like bandersnatch could fix that up better, and close a hole
[02:13:56] <dstufft> yes
[02:14:34] <qwcode> I'll mention xmlrpc2 in the issue
[02:27:34] <Ivo> dstufft: how do you pull exactly the most useful package possible out of your ass
[02:28:15] <Ivo> tell me seecrets
[02:28:44] <dstufft> Ivo: lol
[02:33:35] <Ivo> dstufft: would wheel.supported be a good place to check pip supports that version of wheel, or somewhere else?
[02:34:44] <dstufft> Ivo: I dunno offhand
[02:53:43] <Ivo> dstufft: is there any helper methods/functions around to retrieve stuff inside <package>.distinfo/ files?
[04:48:11] <Ivo> dstufft: what was the behaviour you wanted for wheels of future versions?
[04:48:17] <Ivo> was it just fail, or warn for something
[04:48:37] <dstufft> Ivo: the Wheel spec says warn for same series, fail for new series
[04:48:43] <dstufft> so 1.1+ should warn, 2.0+ should fail
[04:48:58] <Ivo> alright
[04:49:17] <dstufft> ideally it would just fallback to sdist in that case, but that might require more work
[04:49:41] <Ivo> doesn't sdist require more files than a wheel might be built with?
[04:50:16] <dstufft> No I mean, I want it to abort trying to install the Wheel and instead try an sdist, but I think that'll take more refactoring
[04:50:42] <Ivo> trying to write functionality for ^^ atm
[05:12:19] <Ivo> dstufft: writing tests atm, do you know if unpack_file would be the proper way to unpack a wheel file so i can pass its directory to a function? or should I use something else that will make sure py.test cleans it up after?
[06:44:55] <Ivo> anyone write the TestPipResult / PipTestEnvironment?
[06:54:12] <Ivo> pew pew pew
[06:56:35] <Ivo> dstufft: you said you wanted this in before python 3.4 ^_^ https://github.com/pypa/pip/pull/1569
[21:21:13] <ionelmc> hey guys
[21:21:21] <ionelmc> is there a way to alias packages on pypi ?
[21:21:38] <ionelmc> so you can have 2 names but both installing the same thing
[21:22:12] <Alex_Gaynor> ionelmc: you could make one of them be a dummy package with just a setup.py that install_requires the other one. other than that, no
[21:22:13] <ionelmc> well, an easier way than the other package being an empty one with a dependency on the other one :)
[21:22:21] <Alex_Gaynor> haha