PMXBOT Log file Viewer


#pypa logs for Tuesday the 3rd of February, 2015

[08:30:52] <ronny> hi
[08:31:02] <ronny> dstufft: is anyone working on the wheel caching?
[10:51:40] <Hetman> Hello I need a specific version of that package but don't fully understand what pip is saying to me. Can somebody help? Result here http://pastebin.com/mxznAgWh . I cannot switch to virtualenv etc. this is live client system
[13:51:31] <ThomasV> hello, I found a package on pypi that contains malware
[13:51:38] <ThomasV> https://pypi.python.org/pypi/aes/1.2
[13:51:57] <ThomasV> where should I report this?
[13:52:37] <ThomasV> just look at what aes.py is doing
[13:56:49] <xafer> mmh, indeed, it does not seem to follow the AES specifications
[13:56:51] <ronny> dstufft: ping wrt that one
[13:58:21] <ThomasV> xafer: who is in charge of pypi?
[13:58:22] <dstufft> ThomasV: toss donald@python.org and richard@python.org an email please, I'll pull it down in a minute, but i'd like the email to me and richard
[13:58:36] <ThomasV> ok
[14:00:10] <ThomasV> done
[14:01:03] <ThomasV> dstufft: any idea why "pip install slowaes" does not work anymore? I had the feeling that it had been superseded by the new "pip install aes" package
[14:01:44] <dstufft> can you define does not work? it looks like it should
[14:01:46] <jwa> question; what is the "; separator" mentioned here? http://pip.readthedocs.org/en/latest/reference/pip_install.html#requirements-file-format
[14:02:11] <ThomasV> dstufft: No distributions matching the version for slowaes
[14:02:29] <ThomasV> Could not find a version that satisfies the requirement slowaes (from versions: 0.1a1)
[14:02:51] <dstufft> oh
[14:02:53] <dstufft> it's a pre-release
[14:02:57] <dstufft> ThomasV: are you on pip 1.4 or 1.5?
[14:03:15] <ThomasV> pip 1.5.4 from /usr/lib/python2.7/dist-packages (python 2.7)
[14:03:27] <dstufft> add --pre
[14:03:31] <ThomasV> oh ok
[14:03:32] <dstufft> or upgrade your pip to 6.0
[14:04:09] <ThomasV> if it's listed in my setup.py, how do I add 'pre' ?
[14:05:04] <ThomasV> it's listed in 'install_requires'
[14:05:25] <dstufft> >=0.1a1 will do it
[14:05:46] <ronny> dstufft: btw, are there any plans to let pip handle setup_requires?
[14:06:05] <dstufft> ronny: yes
[14:06:08] <ThomasV> ok
[14:07:07] <ronny> dstufft: btw - what are the current plans for stuff like pulling version numbers from scm? i'd like to make hgdistver nicer (currently it's hooking into sdist/archive metadata if it's not in a checkout)
[14:08:30] <dstufft> ronny: long term plan is to make it so sdists have static metadata backed by a PEP standard, so you can use any tool, not just setuptools to create a sdist, beyond that there are no plans specifically for that, just making it easier for people to build developer centric build tools that don't need to be installed on end user machines
[14:09:27] <ronny> dstufft: i see
[14:09:33] <ThomasV> <dstufft> >=0.1a1 will do it <-- even if I use it with pip?
[14:09:45] <dstufft> ThomasV: yea
[14:09:51] <ronny> since i caught quite a todo on fosdem i won't be able to help on it directly
[14:09:59] <ronny> dstufft: but i'd like to help with review
[14:10:31] <ronny> dstufft: oh, and another idea - i wonder if it would be possible to make python itself turn some libs into preinstalled wheels and allow update independent of the python version
[14:10:53] <ronny> (i'm thinking of stuff like readline, tkinter that distributions might want to ship in extra packages anyway)
[15:41:42] <ThomasV> dstufft: if I submit a package to pypi, what are the security checks? (I am developer of the Electrum bitcoin wallet)
[15:42:12] <dstufft> ThomasV: PyPI doesn't do any security checks
[15:42:20] <ThomasV> I imagine that someone else could submit malware under the same name
[15:42:25] <dstufft> oh that
[15:42:40] <dstufft> if you register a name then only you (and people you give permissions to) can upload things under that name
[15:43:08] <ThomasV> I have been reluctant to distribute it elsewhere than on my website, for that reason
[15:43:45] <dstufft> PyPI names are first come first serve generally
[15:47:04] <tomprince> If you don't register it, anybody else could grab the name.
[15:47:44] <dstufft> yea
[15:52:20] <ThomasV> ok, it's registered
[15:52:35] <ThomasV> I'll populate it later
[21:02:25] <tdsmith> hm, I can't abuse `pip list -o | awk '{print $1}' | xargs pip install -U` because messages like "Could not find any downloads that satisfy the requirement gaussfitter" are printed to stdout by logger.critical() in index.py
[21:03:08] <tdsmith> adding -q just prints the error messages and not the list of packages :p
[22:26:58] <phryk> Heya, a while ago my pip stopped working, always failing with a certificate verification error. I already tried using CACerts root.crt with the --cert option, but it doesn't make any difference. Any clue what I can do to get closer to solving this?
[22:30:03] <phryk> This is on FreeBSD, if that makes any difference.