PMXBOT Log file Viewer

#pypa logs for Wednesday the 8th of June, 2016

[12:23:42] <ssc> Hi, is there a way to create wheel packages for sip and PyQt4?
[17:40:07] <agronholm> how do I fix the broken RST formatting here? https://pypi.io/project/cbor2/
[17:40:31] <dstufft> agronholm: did you see what readme_renderer said about it?
[17:40:49] <agronholm> dstufft: wait, what readme_renderer?
[17:41:09] <dstufft> agronholm: https://pypi.io/project/readme_renderer/
[17:41:39] <dstufft> it's literally the exact code used by Warehouse and PyPI to render the long_description
[17:42:06] <agronholm> github had no issues with the text but I'll try with this one
[17:42:24] <agronholm> ach, there was a problem
[17:43:38] <agronholm> dstufft: can I update the description now that I've fixed it?
[17:43:47] <agronholm> do I need to do that with the legacy pypi
[17:44:27] <dstufft> agronholm: need to do it with legacy PyPI, there's no UI for editing on warehouse yet besides upload
[17:44:36] <agronholm> ok thanks
[17:45:21] <dstufft> agronholm: no problem!
[17:46:10] <agronholm> dstufft: it was updated in legacy pypi but not warehouse...
[17:46:13] <dstufft> PyPI is a bit stricter than GitHub, I'm not sure if this is a good thing or a bad thing (particularly once one of the efforts to add a long_description_markup="rst" or so field gets added, and we can fail uploads that don't render)
[17:46:46] <dstufft> agronholm: yea, legacy PyPI doesn't purge Warehouse (though uploading to Warehouse does purge legacy PyPI now). It'll fall off the cache on its own, or you can do curl -XPURGE https://pypi.io/project/cbor2/
[17:47:09] <dstufft> that behavior is just an artifact of having two different caches
[17:47:16] <agronholm> dstufft: thanks, works now!
[17:48:57] <dstufft> agronholm: no problem!
[18:38:26] <driscollis> after reading an excellent article on successful typosquatting on pypi, I wondered if there were plans to help avoid that sort of thing with warehouse?
[18:46:57] <dstufft> driscollis: not currently, it's something to think about but the focus right now is on getting Warehouse ready to launch
[18:48:08] <adamg> tbh I didn't see that as particularly successful. The effort involved was substantial, mitigation is straightforward at multiple levels (which will no doubt end up getting implemented now)
[18:49:34] <ngoldbaum> adamg: just out of curiosity, what sort of automatic mitigations are possible? I thought the way many package repositories get around this is by putting a human in the package upload process.
[18:49:38] <ngoldbaum> e.g. julia
[18:49:56] <dstufft> (For the record, it was noticed pretty early on and we let them continue in the name of science rather than kill the downloads)
[18:50:54] <driscollis> I thought 17000 computers was pretty good, but I don't know the time period this was done over
[18:51:01] <ngoldbaum> i guess you could ban packages whose names are simple transpositions of other package names, but then you run into issues where transposed names might be real
[18:51:20] <dstufft> the flip side of that, it's likely the reason it was noticed was because the typosquatted packages errored out on install and told them it was a typosquat package
[18:51:29] <dstufft> ngoldbaum: I tried to do this just for "confusables"
[18:51:40] <dstufft> e.g. 1 -> l etc
[18:51:49] <dstufft> it had a lot of false positives
[18:52:34] <ngoldbaum> yeah - what if i really *want* to upload reqeusts for legit reasons? ;)
[18:56:21] <dstufft> it looks like there were ~137 names that clashed when we tried to make l I 1 equivalent and O 0 equivalent
[18:59:44] <adamg> eeeh, 17k boxes operated by people with poor typing, they were probably gonna get compromised sooner or later anyway /s
[19:00:55] <dstufft> for the record, we do like... 3 billion HTTP requests a month
[19:01:13] <dstufft> I don't have offhand how much of that translates into installs vs web ui etc
[19:02:11] <dstufft> but there's a bit of a "even a tiny percentage gets big in raw numbers" sort of effect going
[19:02:55] <ngoldbaum> dstufft: careful now, that's no way to get hundreds of Paul Graham points on HN
[19:03:04] <driscollis> true enough
[19:03:23] <driscollis> on the other hand, almost 20k worth of spam drones would still be obnoxious