PMXBOT Log file Viewer


#pypa logs for Monday the 13th of October, 2014

[19:10:25] <xafer> dstufft, regarding PEP470, FWIW I'm having a hard time understanding "Of those, 99.5% of them installed something which could not be verified, and thus they were open to a Remote Code Execution via a Man-In-The-Middle attack, while 7.9% installed something which could be verified and only 0.4% only installed things which could be verified."
[19:22:32] <dstufft> xafer: What part is confusing?
[19:22:34] <dstufft> is it because the numbers don't add up?
[19:25:21] <xafer> yes, I'm wondering what those 7.9 % are
[19:25:43] <dstufft> Well the numbers don't add up but it's a Venn Diagram
[19:26:17] <dstufft> Where one side is "People who installed Something Hosted Externally Safely", and the other side is "People who Installed Something Hosted Unsafely"
[19:26:23] <dstufft> The 7.9% is the overlap
[19:26:46] <dstufft> The 0.4% is the "People who installed something hosted externally safely" but outside of the overlap
[19:29:35] <xafer> ok :)
[19:30:33] <dstufft> does that make sense? Sorry I've been staring at these numbers so long I can't tell what's obvious and what is subtle anymore
[19:30:43] <xafer> but still thinks it could benefit from a clearer formulation :p
[19:54:43] <pf_moore> xafer dstufft: Funny, I was just looking at the same thing. My take is
[19:55:36] <pf_moore> the 7.5% difference is people who installed *some* things safely, but other things not?
[19:55:57] <dstufft> yes
[19:56:11] <pf_moore> cool - see it is obvious after all :-)
[19:56:19] <dstufft> 7.9% is the total percentage of people who installed something verifiable
[19:56:36] <dstufft> IOW 0.4% of people are safely installing things not hosted on PyPI right now
[19:56:56] <dstufft> 0.4% of the people using the feature*
[19:57:35] <pf_moore> tbh, it all comes down to "most people won't care, and the ones that do are probably getting it wrong anyway"
[19:57:44] <pf_moore> but don't tell anyone I put it like that ;-)
[20:00:37] <dstufft> yes
[20:00:39] <dstufft> more or less
[20:00:55] <dstufft> PIL is easily the primary project which will affect people
[20:01:00] <dstufft> the rest of them are minor
[20:36:39] <nanonyme> PIL as in not Pillow? I can't imagine who would voluntarily install PIL. It's just broken
[20:39:55] <dstufft> nanonyme: yes
[20:40:43] <nanonyme> I mean, it doesn't even work with virtualenv
[21:28:20] <justinabrahms> hey folks. I'm trying to install a package from a local directory full of tarballs. My command is `.virtualenv/bin/pip install --find-links="file://$PWD/pip-packages/" --no-index account_reports` and the output complains that it's the wrong package name.
[21:29:07] <justinabrahms> Exact error: Skipping link file:///home/sprintly/sprint.ly-4320/pip-packages/account-reports.tar.gz; wrong project name (not account-reports) — What is it expecting there? Looking at the source, it's doing a comparison on the file:// url to the package name, not interpreting the tarball.
[21:29:16] <justinabrahms> s/interpreting/extracting and looking inside/