from:"Sumana Harihareswara"

[Distutils] Re: Archive this list & redirect conversation elsewhere?

2021-05-07 Thread Sumana Harihareswara

I figure now's a good time to revive this question, so that the new
packaging community/project manager
https://pyfound.blogspot.com/2021/04/the-psf-is-hiring-python-packaging.html
can have a cleaner slate and potentially have fewer things to subscribe
to when they come in!

On 7/29/20 9:47 PM, Pradyun Gedam wrote:
Over the last year, the Packaging category on discuss.python.org
<http://discuss.python.org> had 841

active topics, with only 40 topics with 3 or fewer responses. [^5]
In the last 100 days, the Packaging category on discuss.python.org
<http://discuss.python.org> has

had 91 active topics. More than 10 PEPs have been discussed in the
Packaging category on discuss.python.org <http://discuss.python.org> in
the last 100 days.

Over the last year, distutils-sig had ~109 active threads, with
(based on a quick skim) most having 3 or fewer responses/posters. [^4]
In the last 100 days, distutils-sig has had 32 active threads (at least
7 of these have the same subject as another thread with Re:/Fwd: added).
There has been only 1 PEP-related feedback discussion on distutils-sig
in the last year. Most of the other threads are user support requests or
announcements.
May I ask for you (or someone) to please re-run these stats for the past
year? If the traffic decline on distutils-sig has continued then I would
like to re-start the discussion period Pradyun suggested.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at
https://mail.python.org/archives/list/distutils-sig@python.org/message/ATD5N5OUKXJVNJ5HCNACLKWBI76T3AB7/

[Distutils] PSF hiring full-time project/community manager for packaging

2021-04-15 Thread Sumana Harihareswara

Great news: [the Python Software Foundation is **hiring a full-time
project manager/community manager for Python's packaging
toolchain**](https://pyfound.blogspot.com/2021/04/the-psf-is-hiring-python-packaging.html).
Thanks to
[Bloomberg](https://www.techatbloomberg.com/blog/supporting-the-python-community-by-shifting-left/)
for the funding! Please [read the
announcement](https://pyfound.blogspot.com/2021/04/the-psf-is-hiring-python-packaging.html),
check out [the job description](https://www.python.org/jobs/5317/), and
spread the news. Please apply by May 18th, 2021.

The job is remote and you can apply from anywhere in the world. As the
description says: "Total compensation will range from $100k-$125k USD
based on qualifications and experience." And you'd report to @EWDurbin
Ee W. Durbin III, a colleague I strongly recommend and love working with.

I [blogged about why this role is
critical](https://www.harihareswara.net/sumana/2021/04/13/1). This new
position does build on activities I've led, so I figured I'd explicitly
say: I won't be applying for it. I'm going to be, instead, excited to
collaborate with this person and help them learn all the stuff I know,
so that in the long run, we'll have more people, with that set of skills
and domain knowledge, working on Python packaging. I'll concentrate on
the Python supply chain security piece specifically (via [the NSF-funded
work at
NYU](https://discuss.python.org/t/new-packaging-security-funding-nyu/7792)).

[Distutils] New packaging security funding & NYU

2021-03-19 Thread Sumana Harihareswara


Good news!

New York University -- specifically Professor Justin Cappos -- and I 
have successfully asked the US National Science Foundation for a grant 
to improve Python packaging security. The NSF is awarding NYU $800,000 
over two years -- from mid-2021 to mid-2023 -- to further improve the 
pip dependency resolver and to integrate The Update Framework further 
into the packaging toolchain.


https://nsf.gov/awardsearch/showAward?AWD_ID=2054692=false

For what we're planning to do, what this means in the short term, an 
explanation of why NYU and the NSF are involved, and thank-yous, please 
see https://discuss.python.org/t/new-packaging-security-funding-nyu/7792 .


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/MUH254XTCE5EUL5YJV7ZD6HSUYNFXUD6/

[Distutils] Re: pip 20.3 release (new resolver as default)

2020-12-13 Thread Sumana Harihareswara


Incidentally, I should have mentioned here earlier:

pip 20.3 turned the new resolver on by default for Python 3 users. When 
users use pip 20.3 in a Python 2 environment, the old dependency 
resolver is still the default. Python 2 users should also note that pip 
21.0 in January will remove Python 2 support: 
https://pip.pypa.io/en/latest/development/release-process/#python-2-support 
.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/YC5J3V5GV74LGLQW6QWW5WT7JCFVBGVQ/

[Distutils] pip 20.3 release (new resolver as default)

2020-11-30 Thread Sumana Harihareswara

On behalf of the PyPA and the pip team, I am pleased to announce that we 
have just released pip 20.3, a new version of pip. You can install it by 
running `python -m pip install --upgrade pip`.


[Cross-posted to 
https://discuss.python.org/t/announcement-pip-20-3-release/5948 which 
will be easier to read in a web browser and to link to.]


This is an important and disruptive release -- we [explained why in a
blog post last
year](https://pyfound.blogspot.com/2019/12/moss-czi-support-pip.html). We
even made [a video about
it](https://www.youtube.com/watch?v=B4GQCBBsuNU).

## Highlights

* **DISRUPTION**: Switch to the new dependency resolver by
default. (#9019) Watch out for changes in handling editable
installs, constraints files, and more:

https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-resolver-in-20-3-2020

* **DEPRECATION**: Deprecate support for Python 3.5 (to be removed in
pip 21.0) (#8181)

* **DEPRECATION**: pip freeze will stop filtering the pip, setuptools,
distribute and wheel packages from pip freeze output in a future
version. To keep the previous behavior, users should use the new
`--exclude` option. (#4256)

* Substantial improvements in new resolver for performance, output and
  error messages, avoiding infinite loops, and support for constraints
  files.

* Support for PEP 600: Future ‘manylinux’ Platform Tags for Portable
  Linux Built Distributions. (#9077)

* Documentation improvements: Resolver migration guide, quickstart
  guide, and new documentation theme.

* Add support for MacOS Big Sur compatibility tags. (#9138)

The new resolver is now *on by default*. It is significantly stricter
and more consistent when it receives incompatible instructions, and
reduces support for certain kinds of constraints files, so some
workarounds and workflows may break. Please see [our guide on how to
test and migrate, and how to report
issues](https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-resolver-in-20-3-2020). 
You

can use the deprecated (old) resolver, using the flag
`--use-deprecated=legacy-resolver`, until we remove it in the pip 21.0
release in January 2021.

You can find more details (including deprecations and removals) [in the
changelog](https://pip.pypa.io/en/stable/news/).

## User experience

Command-line output for this version of pip, and documentation to help
with errors, is significantly better, because you worked with our
experts to test and improve it. [Contribute to our user experience work: 
sign up to become a member of the UX Studies 
group](https://bit.ly/pip-ux-studies) (after you join, we'll notify you 
about future UX surveys and interviews).


## What to expect in 20.1

We aim to release pip 20.1 in January 2021, per our [usual release 
cadence](https://pip.pypa.io/en/latest/development/release-process/#release-cadence). 
You can expect:


* Removal of [Python 
2.7](https://pip.pypa.io/en/latest/development/release-process/#python-2-support) 
and 3.5 support

* Further improvements in the new resolver
* Removal of legacy resolver support


## Thanks

As with all pip releases, a significant amount of the work was
contributed by pip's user community. Huge thanks to all who have
contributed, whether through code, documentation, issue reports and/or
discussion. Your help keeps pip improving, and is hugely appreciated.

Specific thanks go to Mozilla (through its [Mozilla Open Source
Support](https://www.mozilla.org/en-US/moss/) Awards) and to the [Chan
Zuckerberg Initiative](https://chanzuckerberg.com/eoss/) DAF, an
advised fund of Silicon Valley Community Foundation, for their funding
that enabled substantial work on the new resolver.

That funding went to [Simply Secure](https://simplysecure.org/)
(specifically Georgia Bullen, Bernard Tyers, Nicole Harris, Ngọc
Triệu, and Karissa McKelvey), [Changeset
Consulting](https://changeset.nyc/) (Sumana Harihareswara),
[Atos](https://www.atos.net) (Paul F. Moore), [Tzu-ping
Chung](https://uranusjr.com), [Pradyun Gedam](https://pradyunsg.me/),
and Ilan Schnell. Thanks also to Ernest W. Durbin III at the Python
Software Foundation for liaising with the project.

--
Sumana Harihareswara, pip project manager
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/OU6SUVG5EU6LOAVMROAAZO4AI2G6S7EJ/

[Distutils] Re: Announcement: pip 20.2 release!

2020-10-23 Thread Sumana Harihareswara

pip 20.2.4 is out right now and has a bunch of performance improvements 
compared to previous 20.2.x releases, so it's worth trying out. We 
intend on releasing pip 20.3, with the new dependency resolver as 
default, next week, maybe Wednesday or Thursday the 28th or 29th of October.



--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/G3IF3UQONMXVULOWSOLDMXALRRQG73OU/

[Distutils] End of Travis-CI.org

2020-10-20 Thread Sumana Harihareswara

Reminder: Travis-CI.org will be shut down on December 31, 2020: 
https://mailchi.mp/3d439eeb1098/travis-ciorg-is-moving-to-travis-cicom?e=%5BUNIQID%5D


If you still have packages that use Travis-CI.org (and I think some 
packaging projects do), now is the time to migrate them to Travis-CI.com.


Migration instructions here: 
https://docs.travis-ci.com/user/migrate/open-source-repository-migration


"We encourage you to migrate your existing repositories that are 
currently on travis-ci.org over to travis-ci.com as soon as possible, 
enabling you to identify any additional changes required to your code or 
configuration well in advance of the December 31st deadline."

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/ZFNBTQGF5XELLMCRIF4CD7BJTKAJVHHP/

[Distutils] Thursday Aug 20th: short talk on PyPI & sustainability

2020-08-12 Thread Sumana Harihareswara

Two researchers studied PyPI's sustainability to understand problems 
that affect FOSS infrastructure sustainability in general. On Thursday 
20 Aug (2:30 - 3:45 PM EDT), one of the study's authors will speak in a 
Ford Foundation event about FOSS sustainability: 
https://www.eventbrite.com/e/digital-infrastructure-labor-roles-and-incentives-tickets-115498275451


You can read the researchers' report at 
https://github.com/FOSSRIT/mismatches/blob/master/Mismatches%20Final%20report.docx 
. Key section of the summary:



These results suggest that different strategies are needed for addressing the 
non-technical capacities of digital FOSS infrastructure projects. While 
capacity for things such as documentation, outreach, project management, 
design, legal work, etc. are often acknowledged as needs within FOSS 
communities at-large, they are rarely addressed proactively. Rather, they are 
often addressed only when a project is in crisis.


I also draw your attention to the table of tensions between "FOSS 
culture" and "Infrastructure culture" on page 7, and the misperception 
that capacity-building may seem to be slowing a project down (p 6-7).


(Disclosure: I was a consultant on this analysis.)
--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/JDRHIDTQW5YD47OPFIDKYNEWFPMWZRQ2/

[Distutils] Re: Announcement: pip 20.2 release!

2020-08-01 Thread Sumana Harihareswara

In case you want a broader view of what the team's been doing, we posted 
a midyear report on the Python Software Foundation blog: 
https://pyfound.blogspot.com/2020/07/pip-team-midyear-report.html


Also, I'd love input from y'all on this question on performance for the 
new resolver https://github.com/pypa/pip/issues/8664 : what level of 
performance is acceptable for pip, and are we there yet?



Our new dependency resolver may make pip a bit slower than it used to be.


[Later data shows: yeah.]


Therefore I believe we need to pull together some extremely rough speed tests 
and decide what level of speed is acceptable, then build some automated testing 
to check whether we are meeting those marks.


Another question arising from that issue: is it appropriate to tell more 
of our users to use `--no-deps` to speed up performance? I think a lot 
of our users would benefit from using `--no-deps` for a lot of their use 
cases, but don't know about it.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/N3AV6KDFBO33PDPAKX3WDC6ZSGB55BLK/

[Distutils] Re: Archive this list & redirect conversation elsewhere?

2020-07-29 Thread Sumana Harihareswara

On 7/29/20 10:14 PM, Jeremy Stanley wrote:

On 2020-07-30 07:17:03 +0530 (+0530), Pradyun Gedam wrote:

TL;DR: OK to archive this mailing list? Reply by Aug 30th.

[...]

I find it disappointing that there will no longer be a mailing list
for discussions of Python packaging. Web forums with some E-mail
integration are hardly the same. But those of us who still use
E-mail (and worse, Usenet) eventually need to get out of the way of
the wheels of progress lest they run us over.

Many thanks to those who have maintained, moderated, and
collaborated through this list over the years. It has been much
appreciated.

Jeremy, I'm not sure whether you were serious? If your disappointment is
only out of nostalgia, then yeah, accepting change makes sense. But if
your disappointment is because the Discourse experience is/will be worse
for your participation, then it's totally fine to speak up and tell us how.

Pradyun, thanks for starting this conversation.

I am definitely interested in consolidating our conversational channels
and reducing fragmentation, but I have substantial reservations about
taking this particular step:

* The majority of information overwhelm in my PyPA-related life is
because of GitHub repo and issue sprawl -- if we're going to put energy
into pruning sprawling communications venues, I would prefer that we
spend some time inventorying all the teams, shutting some down, and
locking noisy issues/repositories.

* I would like to know, of our ~700 list members, how many of them have
serious problems using Discourse -- accessibility, user experience,
sheer tech problems, etc. I suspect that we have several members in that
category, some who contribute to packaging, some who lurk so they can
stay apprised and bridge to other communities (distributions, major
packages, etc.).

On Discourse I've seen
https://discuss.python.org/t/disappointed-and-overwhelmed-by-discourse/982
, https://discuss.python.org/t/if-mailing-list-mode-were-better/3951 ,
and https://discuss.python.org/t/e-mail-settings-are-not-respected/396
talking about problems people have had keeping up with/watching and
participating in conversations on Discourse -- including Paul Moore and
Paul Ganssle, whose opinions I really want to hear from here. I believe
I've heard Dan Ryan say that he finds Discourse practically unusable,
and I'd like to hear from him as well.

* There are some things I don't like about how Discourse shapes our
conversations. Some examples: I think people are chattier on Discourse,
posting shorter replies more frequently, and that's not always good. In
the email notifications, Discourse preserves threading so I can see
better who's replying to whom, but the web view is flat which makes that
harder to see. And -- as came up in
https://discuss.python.org/t/pep-458-secure-pypi-downloads-with-package-signing/2648/30
-- people use the heart/"like" button in different ways that have led to
confusion. “Liking” a post on Discourse does not have clear semantics.
It could mean “I like how you expressed this” or “I’m glad you spoke” or
“welcome” or “yes, please do the things you have proposed, I approve"
and there's no way of telling without explicit explanation.

* Discourse is written in Ruby and I have rarely seen Discourse
developers interact with us, and I don't believe I've ever seen (in the
"Discourse feedback" threads above) any Python community member saying
that they could try to fix a problem we were seeing with Discourse. The
more we lock in to using Discourse and moving away from Mailman --
written in Python 3 and now with a web frontend that includes search,
posting, and threaded archive views -- the more we give up control of
our tools.

What if we bridged them, instead? Barry Warsaw in
https://discuss.python.org/t/disappointed-and-overwhelmed-by-discourse/982/15
suggested:

My ultimate dream would be to add an IMAP and/or NNTP interface directly to
[Mailman 3/HyperKitty]. Then I could use my normal mail application to catch up
and interact with Mailman lists in a very lightweight way, driven entirely by
my own workflow. That plus a Discourse bridge would be a pretty powerful and
flexible combination.

Is that something that other folks here who have trouble with Discourse
would find fruitful? If so, we can start pushing to make it happen.

[Distutils] Re: July 1 deadline for Mercurial repositories on Bitbucket

2020-06-15 Thread Sumana Harihareswara

I also just looked more closely at 
https://bitbucket.org/pypa/distlib_hg/src/default/ and 
https://bitbucket.org/pypa/distlib/src/master/ . The latter is a Git 
port of the former. So I still think it would be a very good idea to 
export and archive the old version history, issues, etc. for the 
Mercurial distlib repo, but it's less crucial.


On 6/15/20 5:39 PM, Sumana Harihareswara wrote:

Sorry I missed the note on the README!

On 6/15/20 5:34 PM, Cooper Lees wrote:
Bandersnatch moved over 2 years ago and has been displaying the move 
on the repository this whole time via the README.md.


I just deleted it from BitBucket. As we have been for the last 2 
years, all bandersnatch action can be found here: 
https://github.com/pypa/bandersnatch 
<https://github.com/pypa/bandersnatch>


Cooper

On Jun 15, 2020, at 2:29 PM, Sumana Harihareswara <mailto:s...@changeset.nyc>> wrote:


TL;DR: distlib_hg and bandersnatch, you have a July 1st deadline to 
switch to Git or move off Bitbucket.


https://bitbucket.org/blog/sunsetting-mercurial-support-in-bitbucket 
<https://bitbucket.org/blog/sunsetting-mercurial-support-in-bitbucket>


"we've decided to remove Mercurial support from Bitbucket Cloud and 
its API."


"Mercurial features and repositories will be officially removed from 
Bitbucket and its API on July 1, 2020."


Most of https://bitbucket.org/pypa/ is Mercurial repos. Maintainers 
of those repositories need to switch them to Git or move them off 
Bitbucket by July 1st.


distlib_hg and bandersnatch are the active Mercurial repos that most 
clearly need to switch or move.


A few repos in bitbucket.org/pypa have explicit "moved to GitHub" 
notices on them. And I assume its pkg_resources , setuptools, 
import_resources, pylauncher, and bootstrap projects are now defunct, 
but it's probably worth archiving them somehow anyway, for historical 
reference.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/QOSUVOF6RY4EVFBFZRHL4WAENXVKH5YL/ 




--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/N5QXZNGMIB2GA7IYYBK5ILLGGSZRQCAC/ 


--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/6WTOFC63BAEG3KZSY3ARYQLLTYFH73SR/

[Distutils] Re: July 1 deadline for Mercurial repositories on Bitbucket

2020-06-15 Thread Sumana Harihareswara


Sorry I missed the note on the README!

On 6/15/20 5:34 PM, Cooper Lees wrote:
Bandersnatch moved over 2 years ago and has been displaying the move on 
the repository this whole time via the README.md.


I just deleted it from BitBucket. As we have been for the last 2 years, 
all bandersnatch action can be found here: 
https://github.com/pypa/bandersnatch <https://github.com/pypa/bandersnatch>


Cooper

On Jun 15, 2020, at 2:29 PM, Sumana Harihareswara <mailto:s...@changeset.nyc>> wrote:


TL;DR: distlib_hg and bandersnatch, you have a July 1st deadline to 
switch to Git or move off Bitbucket.


https://bitbucket.org/blog/sunsetting-mercurial-support-in-bitbucket 
<https://bitbucket.org/blog/sunsetting-mercurial-support-in-bitbucket>


"we've decided to remove Mercurial support from Bitbucket Cloud and 
its API."


"Mercurial features and repositories will be officially removed from 
Bitbucket and its API on July 1, 2020."


Most of https://bitbucket.org/pypa/ is Mercurial repos. Maintainers of 
those repositories need to switch them to Git or move them off 
Bitbucket by July 1st.


distlib_hg and bandersnatch are the active Mercurial repos that most 
clearly need to switch or move.


A few repos in bitbucket.org/pypa have explicit "moved to GitHub" 
notices on them. And I assume its pkg_resources , setuptools, 
import_resources, pylauncher, and bootstrap projects are now defunct, 
but it's probably worth archiving them somehow anyway, for historical 
reference.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/QOSUVOF6RY4EVFBFZRHL4WAENXVKH5YL/



--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/N5QXZNGMIB2GA7IYYBK5ILLGGSZRQCAC/

[Distutils] July 1 deadline for Mercurial repositories on Bitbucket

2020-06-15 Thread Sumana Harihareswara

TL;DR: distlib_hg and bandersnatch, you have a July 1st deadline to 
switch to Git or move off Bitbucket.


https://bitbucket.org/blog/sunsetting-mercurial-support-in-bitbucket

"we've decided to remove Mercurial support from Bitbucket Cloud and its 
API."


"Mercurial features and repositories will be officially removed from 
Bitbucket and its API on July 1, 2020."


Most of https://bitbucket.org/pypa/ is Mercurial repos. Maintainers of 
those repositories need to switch them to Git or move them off Bitbucket 
by July 1st.


distlib_hg and bandersnatch are the active Mercurial repos that most 
clearly need to switch or move.


A few repos in bitbucket.org/pypa have explicit "moved to GitHub" 
notices on them. And I assume its pkg_resources , setuptools, 
import_resources, pylauncher, and bootstrap projects are now defunct, 
but it's probably worth archiving them somehow anyway, for historical 
reference.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/QOSUVOF6RY4EVFBFZRHL4WAENXVKH5YL/

[Distutils] Pipenv release

2020-05-28 Thread Sumana Harihareswara


And pipenv 2020.5.28 is now out: https://pypi.org/project/pipenv/

This roadmap and contribution process issue 
https://github.com/pypa/pipenv/issues/4130 is where folks will talk 
about improving the Pipenv release cadence in the future.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

On 5/10/20 10:36 AM, Sumana Harihareswara wrote:

Thanks, Dan!

Dan is now planning to release tomorrow (Monday). 
https://github.com/pypa/pipenv/issues/3369#issuecomment-626108212



--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/47KGNFDNEBORNB6XIK5MBDSWCGI6HI76/

[Distutils] Fwd: [tuf] TUF Community Meeting

2020-05-20 Thread Sumana Harihareswara

Heads-up if you are interested in PyPI's implementation of TUF.

 Forwarded Message 
Subject:[tuf] TUF Community Meeting
Date:   Wed, 20 May 2020 09:58:05 -0700
From:   Marina Moore
To: theupdateframew...@gcom

Hello,

The next TUF community meeting will be Wednesday May 27 at 10am ET at 
https://meet.jit.si/TUFCommunityMeeting 
. Please let me know if there 
is anything you would like to discuss with the TUF community or if you 
have any questions. A draft agenda is available at 
https://hackmd.io/jdAk9rmPSpOYUdstbIvbjw 
 and will be updated as more 
agenda items are proposed.

I hope to see you there.

Thanks,
Marina

--
You received this message because you are subscribed to the Google 
Groups "The Update Framework (TUF)" group.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/theupdateframework/CAMyDYMeykSshKwBh-g6_RMy_8sWZ2rJrDMfBv0rXUsU9hArHmw%40mail.gmail.com 
.

--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/HWNUPQPXWSMTNFT3IBE5BFAO2N45R5XN/

[Distutils] Re: Announcement: Pipenv Beta Release

2020-05-10 Thread Sumana Harihareswara


Thanks, Dan!

Dan is now planning to release tomorrow (Monday). 
https://github.com/pypa/pipenv/issues/3369#issuecomment-626108212


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/ZMRPW4MOSCQXDCCVPMYXM2XEMAQEOCMP/

[Distutils] Announcement: pip 20.1 release

2020-04-28 Thread Sumana Harihareswara


Seconding Pradyun's thanks!

If you want to comment on how we did this beta and how we should do 
future beta test cycles (shorter? announce in different places? etc.), 
please comment on https://github.com/pypa/pip/issues/7628 .

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/LUE3CI2PTPUYHRR3YKH6ZKA2JLELVOUP/

[Distutils] Re: Announcement: pip 20.1b1 beta release

2020-04-28 Thread Sumana Harihareswara

We're aiming on releasing pip 20.1 in the next hour or so. If you found 
bugs to file regarding the beta https://pypi.org/project/pip/20.1b1/ 
before we release 20.1, now's a good time to do that.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/Y7U3HRL2FK7IH3QNUHVRZ3HGKVWVOD3X/

[Distutils] Re: Announcement: pip 20.1b1 beta release

2020-04-21 Thread Sumana Harihareswara

If you're curious about the alpha version of pip's new resolver, please
visit [this GitHub issue about the resolver, what doesn't work yet, and
what kind of testing would help us
out](https://github.com/pypa/pip/issues/8099).

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

On 4/20/20 10:12 PM, Pradyun Gedam wrote:

On behalf of the PyPA, I am pleased to announce a beta release of pip,
pip 20.1b1 has been released.

The highlights for this release are:

* Significant speedups when building local directories, by changing
behavior to perform in-place builds, instead of copying to temporary
directories.
* Significant speedups in `pip list --outdated`, by parallelizing
network access. This is the first instance of parallel code within
pip's codebase.
* A new `pip cache` command, which makes it possible to introspect and
manage pip's cache directory.
* Better `pip freeze` for packages installed from direct URLs, enabled
by the implementation of PEP 610.

We would be grateful for all the testing that users could do, to ensure
that when pip 20.1 is released, it's as solid as we can make it.

This release also contains an alpha version of pip's next generation
resolver. It is *off by default* because it
*unstable and notready for everyday use*.

As with all pip releases, a significant amount of the work was
contributed by pip's user community. Huge thanks to all who have
contributed, whether through code, documentation, issue reports and/or
discussion. Your help keeps pip improving, and is hugely appreciated.

Specific thanks go to Mozilla (through its Mozilla Open Source Support
<https://www.mozilla.org/en-US/moss/>
Awards) <https://www.mozilla.org/en-US/moss/> and to the Chan Zuckerberg
Initiative <https://chanzuckerberg.com/eoss/> DAF, an advised fund of
Silicon Valley Community Foundation, for their support that enabled the
work on the new resolver.

--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at
https://mail.python.org/archives/list/distutils-sig@python.org/message/LKNGBVMGRDLKGAVQRGSJXOP4OPLEZZ4O/

[Distutils] Feature Proposal for PyPI: Draft Releases (comment by 30 April)

2020-04-20 Thread Sumana Harihareswara

Right now, there are ways for package maintainers to test and share 
draft versions of their upcoming releases, but they cause friction and 
confusion. So we want to add staged releases -- a temporary state that a 
release can be in, where PyPI _has_ it and can evaluate it, but hasn't 
_published_ it yet. In 2015, Nathaniel Smith opened an issue 
https://github.com/pypa/warehouse/issues/726 saying:



it would be very nice if there where better ergonomics around package uploads -- in 
particular some way to upload a new release, and then take a look over it to double-check 
that everything is correct before you -- as a second step -- hit the button to make it 
"go live".


We have also variously called this idea "unpublished releases", 
"two-phase upload", "draft releases", and "package preview". This 
feature will unblock a LOT of stuff we want to do -- see 
https://wiki.python.org/psf/Fundable%20Packaging%20Improvements#Package_preview_feature_for_PyPI 
for a list.


Alan Velasco is now working on implementing this in Warehouse. Please 
comment on the GitHub issue or in the Discourse thread at 
https://discuss.python.org/t/feature-proposal-for-pypi-draft-releases/3903/ 
where he shares his proposal at length. He notes:



I’ll need your feedback by April 30th 2020 at which point I’ll proceed with the 
basis of what I know.


(Thread was: Re: [Distutils] PyPi not allowing duplicate filenames 
https://mail.python.org/archives/list/distutils-sig@python.org/message/S37OQLGOICR5WBIOTEBHP5ISWCMFAVNT/ 
)


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/G355FYOYQZ6HIH7RK47WPZOYHNCEXGOB/

[Distutils] Online talk in 90 min: how pip works internally

2020-04-07 Thread Sumana Harihareswara

Pradyun Gedam is giving a talk to a local meetup group in 90 minutes on 
how pip works. You can watch via GoToMeeting.


https://www.meetup.com/HydPyGroup/events/269498071/


pip is the package manager for the Python ecosystem, but what actually happens when you 
"pip install foo"? This talk explores what pip does to install your packages.


When: April 7th, 9:00 p.m - 10:00 p.m. India time


It'll likely be recorded and be available on YouTube afterward.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/GBGMVQO66K7CUATX3LFH4BZYJASNIYZR/

[Distutils] Re: Next Pipenv Release

2020-03-27 Thread Sumana Harihareswara


Thanks Dan! Some further comments inline.

On 3/25/20 4:33 PM, Dan Ryan wrote:


4. Documentation! Pipenv documentation, now at
https://pipenv.pypa.io/, needs some serious rework. So if you have any
skills in this area,the project would really benefit from a critical
review here.


A few specific documentation bugs that people could help with:

* https://github.com/pypa/pipenv/issues/2660 a list of a few sections 
that could use better explanations
* https://github.com/pypa/pipenv/issues/1952 asking for a note about a 
particular quirk

* https://github.com/pypa/pipenv/issues/1862 on conda

And, because error logs and autogenerated lockfiles include 
documentation, some "give people info so they can troubleshoot better" 
issues they could use help with:


* https://github.com/pypa/pipenv/issues/2707 How do you see the delta 
between two Pipfile.lock files?
* https://github.com/pypa/pipenv/issues/2365 Explicitly inform user we 
can’t allow certain packages to be pinned
* https://github.com/pypa/pipenv/issues/2092  Actively warn users about 
misconfigured locale
* https://github.com/pypa/pipenv/issues/1886 Capture more auditing 
metadata in the lock file
* https://github.com/pypa/pipenv/issues/2818 Add a comment to the top of 
generated requirements.txt files



5. Make sure to say 'thanks' to Sumana if you see her on IRC, she is
responsible for moving this release forward and is pretty great!


As you probably guessed, I did not write this line. :-) Thanks, Dan.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/2D3RPUEH542LG4MTGRANL6MLCNE2TR4O/

[Distutils] Re: pip resolver work chugging along

2020-03-24 Thread Sumana Harihareswara


On 3/24/20 4:13 PM, Sumana Harihareswara wrote:
Sounds like you'll be submitting a pull request for that documentation & 
README change -- go ahead and ping me as @brainwane for review when you 
do that! Thanks.


Sorry, that last bit was kinda snarky. Am making this change myself now.
--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/SF4VYNUCXPXKORBTW527HTG2JRP3POJD/

[Distutils] Re: pip resolver work chugging along

2020-03-24 Thread Sumana Harihareswara


Hi, Wes! Thanks for your note!

We'll look into adjusting our issue templates. But -- not sure whether 
you've read my piece https://www.harihareswara.net/sumana/2017/04/07/1 
"Inclusive-Or: Hospitality in Bug Tracking", but it's really important 
to expand how we get feedback from our users beyond people who are 
already comfortable using GitHub. And our user experience experts at 
Simply Secure are using the survey to find out not just what issues 
people currently have, but also who's available for more in-depth 
discussions as we progress. So we're going to pay attention both to the 
survey responses and to issues that come in via GitHub.


Sounds like you'll be submitting a pull request for that documentation & 
README change -- go ahead and ping me as @brainwane for review when you 
do that! Thanks.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

On 3/24/20 4:07 PM, Wes Turner wrote:

I think it may be most likely that you'll get quality feedback through
GitHub Issues.
Is there an issue template with at least some of the 23 questions in the
survey?

Survey:
https://tools.simplysecure.org/survey/index.php?r=survey/index=989272=en

Here's the "Resolver refactorings" project board:
https://github.com/pypa/pip/projects/5

A note in the README and the docs regarding testing the new resolver might
be good too.

On Tue, Mar 24, 2020 at 3:55 PM Wes Turner  wrote:


IIRC, the issue for this (or one of the issues for this great work) is:
"New Resolver: Rollout, Feedback Loops and Development Flow"
https://github.com/pypa/pip/issues/6536

On Tue, Mar 24, 2020 at 3:03 PM Paul Moore  wrote:


It's already available as a separate package:
https://pypi.org/project/resolvelib/

Paul

On Tue, 24 Mar 2020 at 18:52, Brett Cannon  wrote:


I couldn't find this in the blog post but is the plan to make the

resolver a separate package so other tools can use it? Or is the plan
perhaps to get it working in pip first and to break it out later?

--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/WRLRCAINM6IJ7CIEL2RWAHDVHUTURIPI/

[Distutils] pip resolver work chugging along

2020-03-23 Thread Sumana Harihareswara

The alpha or beta release of pip with its new dependency resolver should 
be out in May.


I just posted 
https://pyfound.blogspot.com/2020/03/new-pip-resolver-to-roll-out-this-year.html 
which discusses what is going to change in the pip resolver, when, and 
how you can help (including some low-effort things you can do right now).


I didn't mention this in the blog post because ordinary Python users 
shouldn't try it, but: As of right now, people who install pip from 
GitHub master will have the ability to run `pip install 
--unstable-feature=resolver` and test the new resolver code. And less 
than half of the test suite fails! Expect errors and missing features, 
but it’s there! [Celebratory trumpet honk here.]


Hope all of you, and all the people you are close to, are healthy and 
staying that way.


--
Sumana Harihareswara
pip project manager (contracting with Python Software Foundation)
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/A25SCA3ELWW4EOP54MYMFJFVI763HWGA/

[Distutils] Re: Today: livestreamed talk about PyPI malware detection

2020-03-16 Thread Sumana Harihareswara

This was recorded and is now at 
https://www.youtube.com/watch?v=28BoQLWKGWw .


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

On 3/14/20 7:24 AM, Sumana Harihareswara wrote:
Today at 1pm PT/4pm ET: a livestreamed presentation by Cristina Muñoz, 
who's been working on the PyPI malware detection feature: 
https://www.meetup.com/pacifichackers/events/267932809/


"Automatic Detection of Malware in PyPI"

Alternate link: 
https://phack.my.webex.com/phack.my/j.php?MTID=mdb827dc0a7f6dfe9784f793686e39d58 



She noted:

A general note: this is a presentation geared more towards security 
folks. A lot of the Python stuff I talk about might feel really 
redundant/obvious for people who are software engineers and have 
Python familiarity.  Like, there are several slides describing what 
PyPI is, and the difference between packages, releases and files, for 
example.



--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/LIPIRMFEEACBO6ZFMBM735PL4OAB3AIW/

[Distutils] Today: livestreamed talk about PyPI malware detection

2020-03-14 Thread Sumana Harihareswara

Today at 1pm PT/4pm ET: a livestreamed presentation by Cristina Muñoz, 
who's been working on the PyPI malware detection feature: 
https://www.meetup.com/pacifichackers/events/267932809/


"Automatic Detection of Malware in PyPI"

Alternate link: 
https://phack.my.webex.com/phack.my/j.php?MTID=mdb827dc0a7f6dfe9784f793686e39d58


She noted:


A general note: this is a presentation geared more towards security folks. A 
lot of the Python stuff I talk about might feel really redundant/obvious for 
people who are software engineers and have Python familiarity.  Like, there are 
several slides describing what PyPI is, and the difference between packages, 
releases and files, for example.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/ZBL4JADTOXSDXMCUPK4L4G43H4UUVGPX/

[Distutils] FASTEN and dependency analysis at call graph level

2020-02-13 Thread Sumana Harihareswara

Last week I heard for the first time about the research project FASTEN 
https://www.fasten-project.eu/. "FASTEN stands for Fine-Grained Analysis 
of Software Ecosystems as Networks."

>  instead of analyzing dependencies at the package level, we will analyze them 
> at the call graph level! This will allow us to be super precise when we are 
> tracking dependencies, when we do change impact analysis, when we recommend 
> clients to update packages etc. It will also open the door to new 
> sophisticated applications, e.g. licensing compliance, dependency risk 
> profiling and data-driven API evolution.

That's from the blog post by Georgios Gousios, the PI, at 
http://www.gousios.gr/blog/Introducing-Fasten.html . More info:

https://www.fasten-project.eu/view/Main/Introduction

https://www.fasten-project.eu/view/Main/Overview

https://www.fasten-project.eu/view/Main/Contacts

And people who are interested in dynamically and statically analyzing 
call graphs in Python may be interested in "Graph Schema and its 
representation" in https://www.fasten-project.eu/view/Main/Deliverables .

I've sent a note to FASTEN inviting the team to come talk about their 
project here on distutils-sig, because FASTEN's site says they aim to 
eventually integrate into PyPI -- I'm not 100% sure whether that means 
"create a service that people can use WITH PyPI" or "get FASTEN's work 
incorporated into pypi.org".

-- 
Sumana Harihareswara
pip project manager on contract with Python Software Foundation
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/MWZHSHFCABJOCQUACG5FQYHSMKPXO7IO/

[Distutils] Re: Surviving a Compromise of PyPI - PEP 458 and 480

2020-02-12 Thread Sumana Harihareswara

The revised PEP 458 is at https://www.python.org/dev/peps/pep-0458/ as 
"PEP 458 -- Secure PyPI downloads with package signing." Discussion has 
been proceeding on Discourse.


BDFL-Delegate Donald Stufft wrote today 
https://discuss.python.org/t/pep-458-secure-pypi-downloads-with-package-signing/2648/110 
:


> It looks like discussion about the actual meat and potatoes of this 
PEP has petered out. Unless someone has an objection, I intend to accept 
this PEP on Friday.



--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/SCLJOBDLPHXRXHUJ34W6CD2KBNV6H5AA/

[Distutils] Re: localization, accessibility, & security progress on PyPI

2020-01-17 Thread Sumana Harihareswara

API tokens and all our 2FA methods are out of beta on PyPI and Test 
PyPI! If you maintain or own a project on the Python Package Index, you 
should start using these features. Details, future policy changes, and 
help needed:


https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/49


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/RQ2NRKHTVAUND5PYQ5S4LJFYEDMOUM2N/

[Distutils] Re: Surviving a Compromise of PyPI - PEP 458 and 480

2019-12-20 Thread Sumana Harihareswara

Earlier this year, Brett Cannon consulted with Donald and updated the 
status of PEP 458 to Deferred. https://github.com/python/peps/pull/931


The PEP status is now Draft again and the new proposed title is

"PEP 458: Secure transport independent download integrity for PyPI packages"

(see 
https://github.com/secure-systems-lab/peps/blob/c13384a4fac6822626abb7e09ab7f6143179820f/pep-0458.txt 
).


Current discussion is happening on Discourse:

https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/CICYGLMVXPNBFZVV7I33XBGCPGFYXKQC/

[Distutils] Re: Apply by Nov 22 for paid contract on pip

2019-11-26 Thread Sumana Harihareswara


Thanks to everyone who applied!

Due to the large number of applicants, we will not be able to provide a 
final decision by November 27th, but will work to provide at least a 
preliminary status to everyone by November 27th, and final decisions to 
all applicants by December 4th. (I've updated the RfP timeline: 
https://github.com/python/request-for/blob/master/2020-pip/RFP.md#timeline 
) I'm sorry for the delay.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/J7JRAZRLJJT6EO2K2EQKTUNUV4ZPXPJO/

[Distutils] Re: proposing Python package index upload API spec (potential PEP)

2019-11-18 Thread Sumana Harihareswara

I don't have time to work on this and hope someone else can pick it up - 
https://github.com/pypa/packaging-problems/issues/128 is a good issue to 
use to keep track.

--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/EFDYBGANIUTN4WJAQ5S2U6DRITCWZH4R/

[Distutils] Re: Apply by Nov 22 for paid contract on pip

2019-11-12 Thread Sumana Harihareswara

Also: Dustin Ingram wrote a Twitter thread about why this is big news, 
giving context and shout-outs:


https://twitter.com/di_codes/status/1193980331004743680

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/JJOGNXONEWO34TF42H4GFTT7R4CLGLVL/

[Distutils] Apply by Nov 22 for paid contract on pip

2019-11-11 Thread Sumana Harihareswara

Freelancers and other programming consultants: Get paid to improve pip. 
Specifically, to help finish the dependency resolver overhaul.


https://pyfound.blogspot.com/2019/11/seeking-developers-for-paid-contract.html

Role 1: We seek a senior Python developer, work starting in mid-December 
2019 or early January 2020, work ending at the end of May 2020. Pay: 
USD$116,375 total (665 hours of work at $175 per hour). Detailed task 
list and timeline: 
https://github.com/python/request-for/blob/master/2020-pip/RFP.md#role-1-senior-developer


Role 2: We seek an intermediate-to-senior Python developer, work 
starting in early January 2020, till the end of December 2020. Pay: 
USD$103,700 (670 hours of work at $150 per hour), plus $1600 budgeted 
for onboarding travel and $1600 budgeted for PyCon travel. Details: 
https://github.com/python/request-for/blob/master/2020-pip/RFP.md#role-2-intermediate-developer


Full request for proposals: 
https://github.com/python/request-for/blob/master/2020-pip/RFP.md


Please apply by November 22nd, or please spread the word.

Here's the giant list of reasons why this project is important: 
https://wiki.python.org/psf/Fundable%20Packaging%20Improvements#Finish_dependency_resolver_for_pip


--
Sumana Harihareswara
contract project manager for PSF
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/JU2AN2TGX77XVMJP4FGTGRJ4G5VKVQTR/

[Distutils] Contract available: Help PyPI improve security

2019-10-07 Thread Sumana Harihareswara

Please check out and forward this Request for Proposals for a Python 
Software Foundation contract. PSF is seeking developers to implement 
cryptographic signing and malware detection features on PyPI:


https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFP.md

The RFP closes on Oct. 21st. We hope work can start in early December.

PSF got a gift from Facebook Research to fund this work.

Please feel free to forward to candidates! 
https://pyfound.blogspot.com/2019/09/pypi-security-q4-2019-request-for.html 
is the PSF blog post about it.



--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/NGHFEJ6DGX5756SJQZMPF5N7GKSP3WPY/

[Distutils] localization, accessibility, & security progress on PyPI

2019-10-07 Thread Sumana Harihareswara

I've just posted a final progress report on Discourse about the last 
month of Open Tech Fund-supported progress on PyPI's localization and 
accessibility features. Including a screenshot and a bar graph!


https://discuss.python.org/t/pypi-localization-accessibility-progress/2284/4

We've finished our OTF-funded accessibility & internationalization work. 
And sometime this month people will be able to use PyPI in Brazilian 
Portugese and Japanese!


--
Sumana Harihareswara
PyPI project manager
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/QSJQAZJ5Y34NQZ7OMK6ZWOMZ6N6NFU7C/

[Distutils] localization, accessibility, & security progress on PyPI

2019-09-08 Thread Sumana Harihareswara

I've just posted a few progress reports on Discourse about the last 
month of Open Tech Fund-supported progress on PyPI's localization, 
accessibility, & security features.


https://discuss.python.org/t/pypi-localization-accessibility-progress/2284

https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/47

We've shifted our focus from security work to accessibility & 
internationalization work. We're aiming to wrap it up by September 30th.


--
Sumana Harihareswara
PyPI project manager
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/4ERNYQ6MBFIB4XIVXR5HO3LVNZUZ5FP3/

[Distutils] Re: PyPI & cryptographic signing and malware detection - seeking comment

2019-09-03 Thread Sumana Harihareswara


Sorry, forgot to add:

Please comment by September 18th. That's when the RFI ends.

Then, the Request for Proposals period will be September 23-October 16. 
Then we aim to start work in December. (Timeline details are in RFI.)


On 9/3/19 10:40 AM, Sumana Harihareswara wrote:


https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md

--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/4C7ULZ27KRAFT2KT4NIDV7DGPHD7SC25/

[Distutils] PyPI & cryptographic signing and malware detection - seeking comment

2019-09-03 Thread Sumana Harihareswara

Python Software Foundation has published a Request for Information 
seeking software developers to add these features to Warehouse (PyPI):


* Verifiable cryptographic signing of artifacts (PEP 458/TUF or simiilar)
* Technical infrastructure and methods for automated detection of 
malicious package uploads


More info:

https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md

We'd like for potential contractors & other experts to keep discussion 
at the Discourse forum 
https://discuss.python.org/c/python-software-foundation/pypi-q4-rfi , 
especially on these questions:


• What methods should we implement to detect malicious content? 
https://discuss.python.org/t/what-methods-should-we-implement-to-detect-malicious-content/2240/2


and

* PEPs 458 and 480 offer different levels of security; which (if either) 
should we implement? Which one has more appropriate operational 
efficacy? Should we use TUF (The Update Framework) or another approach? 
https://discuss.python.org/t/which-cryptographic-signing-approach/2241


and more generally:

* What should community acceptance criteria be?
* How feasible is it to implement this on PyPI?
* What features do PyPI administrators need to make use of these 
features in the future?
* What work would the developer need to do to make these features more 
maintainable by future Warehouse maintainers?


--
Sumana Harihareswara
PyPI project manager
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/RWV3CEWE4TFRWGQDJV2Q77CFNJLIF6BG/

[Distutils] timeline for new pip resolver rollout - feedback?

2019-08-19 Thread Sumana Harihareswara

What timeline are we thinking is realistic for rolling out the new pip 
resolver? (latest update on resolver work: 
https://pradyunsg.me/blog/2019/08/06/pip-update-2/ ) I'm re-upping this 
question which I originally asked on a GitHub issue about the rollout: 
https://github.com/pypa/pip/issues/6536#issuecomment-521696430 and would 
prefer to corral answers there.


This depends a lot on Pradyun's health and free time, and code review 
availability from other pip maintainers, and whether we get some grants 
we're applying for, but I think the sequence is something like:


1) build logic refactor: in progress, done sometime December-February
2) UX research and design, test infrastructure building, talking to 
downstreams and users about config flags and transition schedules: we 
need funding for this; earliest start is probably December, will take 
2-3 months
3) introduce the abstractions defined in resolvelib/zazo while doing 
alpha testing: will take a few months, so, conservatively estimating, 
May 2020?

4) adopting better dependency resolution and do beta testing: ?

Is this right? What am I missing?

I ask because some of the info-gathering work is stuff a project manager 
and/or UX researcher should do, in my opinion, and because some progress 
on the increase in metadata strictness 
https://github.com/pypa/packaging-problems/issues/264 and other issues 
might help with concerns people have brought up here.



--
Sumana Harihareswara
PyPI project manager, PyPA member & coordinator, and person who seems to 
write a lot of grant applications

Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/6SMATLMGYPKV4JHCF5NKVKJJRW2BDMJK/

[Distutils] Re: PyPI security work: multifactor auth progress & help needed

2019-08-06 Thread Sumana Harihareswara


The last 2 fortnightly work summaries are on Discourse:

https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/29

https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/43

Short version:

We have deployed a beta version of scoped upload API tokens for PyPI, 
and made progress on improving 2FA and accessibility, and started the 
audit log feature.


And we need your help to test the new API tokens feature. If you've 
uploaded packages to PyPI before, and 
https://blog.python.org/2019/07/pypi-now-supports-uploading-via-api.html 
makes sense to you, please get in touch with our UX researcher and 
designer, Nicole Harris, via https://calendly.com/nlhkabu/pypi-testing 
for a 30-minute structured conversation/user test.



--
Sumana Harihareswara
Warehouse/PyPI project manager
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/5V4FGWQQMZ4ZVZ7MWV53Q72WLNIUAKNS/

[Distutils] Re: PyPI security work: multifactor auth progress & help needed

2019-07-03 Thread Sumana Harihareswara

I've summarized the last month of work on Discourse: 
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/27


Short version: we're fixing bugs found in the WebAuthn beta; we've made 
key design decisions for upload-scoped API keys and have started 
implementation; and we've started improving Warehouse's (already 
surprisingly good) accessibility.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/XQO5Z67T2L7OHM75GZS5XNDF2VU2DSDQ/

[Distutils] Re: PyPI will no longer accept compromised passwords!

2019-06-19 Thread Sumana Harihareswara

More context: Donald wrote a blog post soon after this announcement 
https://caremad.io/posts/2018/08/pypi-compromised-passwords/ with some 
statistics.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/4ZXY7AAQMZGAZVWN6EPYKAT4SEA46SRP/

[Distutils] Re: PyPI will no longer accept compromised passwords!

2019-06-19 Thread Sumana Harihareswara

More context: Donald wrote a blog post soon after this announcement 
https://caremad.io/posts/2018/08/pypi-compromised-passwords/ with some 
statistics.
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/PRJJHTFJJFDSQOYPAT4N4ZE6V5HLIOC7/

[Distutils] new PyPI beta feature: U2F-compatible keys for 2FA

2019-06-18 Thread Sumana Harihareswara

To quote the blog post
https://pyfound.blogspot.com/2019/06/pypi-now-supports-two-factor-login-via.html
:

To further increase the security of Python package downloads, we're adding a
new beta feature to the Python Package Index: WebAuthn support for U2F
compatible hardware security keys as a two-factor authentication (2FA) login
security method. This is thanks to a grant from the Open Technology Fund,
coordinated by the Packaging Working Group of the Python Software Foundation.

...

Starting today, PyPI also supports (in beta) WebAuthn (U2F compatible) security
keys for a second login factor. A security key (also known as a universal
second factor, or U2F compatible key) is hardware device that communicates via
USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis.
PyPI supports any FIDO U2F compatible key and follows the WebAuthn standard.
Users who have set up this second factor will be prompted to use their key
(usually by inserting it into a USB port and pressing a button) when logging
in. (This feature requires JavaScript.)

We need your help testing this while it's in beta:
https://wiki.python.org/psf/WarehousePackageMaintainerTesting Later this
week I'll publicize it to some more communities, and then in maybe 10
days, assuming we can quickly fix all the urgent bugs we find, we'll
remove the "beta" badge.

During this testing period, if things go awry, there's a chance we will
need to wipe tokens from users' accounts, so if you choose to try it,
please be forewarned. That's why you have to have a PyPI-verified email
address on your user account before trying the feature, to make
potential account recovery smoother.

Thanks to the Open Technology Fund for funding this work. More progress
reports at the Packaging Working Group's wiki page:
https://wiki.python.org/psf/PackagingWG .

(cross-posted to
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/24
)

[Distutils] Re: PyPI security work: multifactor auth progress & help needed

2019-06-07 Thread Sumana Harihareswara

I've summarized the last couple weeks of progress on Discourse: 
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/23


Short version: TOTP-based 2-factor auth has rolled out as a login option 
for everyone on PyPI.org and Test PyPI, WebAuthn support (for Yubikeys 
and similar things) is coming this month and maybe as early as next 
week, and we're also going to parallelize work a bit and start 
accessibility auditing and improvements.


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/L4U5NLV5ZIMVUMKMDJDC3ANDRK47P2OK/

[Distutils] tiny sprint Saturday, June 8th

2019-06-06 Thread Sumana Harihareswara

A few folks will be getting together on Saturday and doing a short 
in-person sprint on some Python packaging & distribution tools, around 
10am-4pm ET, at a coworking space/lounge in New York City.


A few packaging/distribution folks, e.g., a Twine contributor, a pip bug 
fixer/triager, and a Warehouse maintainer (me), are confirmed as coming. 
I figure we'll review some open pull requests, triage bugs to find ones 
we can close as no longer reproducible, and explain stuff to each other.


I think we've already run out of space for who can participate in 
person, but please feel free to hang out and chat with us via IRC! I'll 
be on Freenode IRC (#pypa-dev) as user "sumanah". And that way logs of 
our conversations will also be available at 
http://kafka.dcpython.org/channel/pypa-dev .


(If you have never contributed to Python packaging/distribution tools 
before, and you want to start, this is probably not the best event for 
you; let me know, and I'll set up a more introductory event in the future.)


--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/O76RG5IKSEBZYAFQR53Z7WSVIXAIPRKP/

[Distutils] Re: PyPI security work: multifactor auth progress & help needed

2019-05-22 Thread Sumana Harihareswara

Further progress in today's summary: 
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/17 



Short version: Work continues on Milestone 1, Security Feature 
Development, and specifically on the Multi-Factor Authentication task. 
TOTP-based 2FA is about to roll out for everyone, and we’re working on 
WebAuthN (e.g., Yubikeys).


--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/YMVZEGE5YZLZSQX6WXWWS4GCZBMHP6FG/

[Distutils] Sprints have started at PyCon NA 2019

2019-05-06 Thread Sumana Harihareswara

https://wiki.python.org/psf/PackagingSprints

Sprints have started and Packaging is in room 26C. We're starting a shared 
editable document of what people are working on at 

https://docs.google.com/document/d/1Wz2-ECkicJgAmQDxMFivWmU2ZunKvPZ2UfQ59zDGj7g/edit

Shortlink: http://bit.ly/pypa2019

(Thanks Chris Wilcox for setting that up!)

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/6S37E7AL33QV6C2TJ5KI7QEGCS2HLR5E/

[Distutils] PyPI two-factor auth (2FA) trial May 3-20

2019-05-02 Thread Sumana Harihareswara

PyPI users: To increase the security of PyPI downloads, we're beginning to 
introduce two-factor authentication (2FA) as a login security option, and want 
project maintainers and owners to start testing it.

Starting this Friday, May 3rd, you'll be able to use 2FA on [Test 
PyPI](http://test.pypi.org/). And if you'd like to try 2FA on [official 
PyPI](https://pypi.org), please fill out [this Google 
form](https://docs.google.com/forms/d/e/1FAIpQLSfRmXhkfAL-LgLfcMdzTG7iIaSwPo-pyzkgv5DzvAU7Q-6XWQ/viewform)
 so we can invite you to the private beta, which we plan to hold 3-20 May.

PyPI currently supports a single 2FA method: generating a code through a 
Time-based One-time Password (TOTP) application. After you set up 2FA on your 
PyPI account, then you must provide a TOTP (along with your username and 
password) to log in. Therefore, to use 2FA on PyPI, you'll need to provision an 
application (usually a mobile phone app) in order to generate authentication 
codes; our [our testing wiki 
page](https://wiki.python.org/psf/WarehousePackageMaintainerTesting) gives you 
suggestions and pointers.

This change only applies to the login step, not package uploads.

More details at [our testing wiki 
page](https://wiki.python.org/psf/WarehousePackageMaintainerTesting).

During this testing period, if things go awry, there's a chance we will need to 
wipe tokens from users' accounts, so if you choose to try it, please be 
forewarned. We strongly suggest you make sure you have a PyPI-verified email 
address on your user account before trying the feature, to make potential 
account recovery smoother.

And please [let us know](https://github.com/pypa/warehouse/issues/new) if you 
run into glitches.

We expect to end this testing period on May 20th, then enable the optional 2FA 
feature for all PyPI users, and move on to working on WebAuthn support.

Thanks to the Open Technology Fund for funding this work. More progress reports 
at [the Packaging Working Group's wiki 
page](https://wiki.python.org/psf/PackagingWG).

-Sumana on behalf of the PyPI team

(cross-posted to 
https://discuss.python.org/t/pypi-two-factor-auth-2fa-trial-may-3-20/1590 )
-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/JMOBWXWYC2EFYB5JBFMXWBEGD4EAD3CC/

[Distutils] Re: PyPI security work: multifactor auth progress & help needed

2019-04-03 Thread Sumana Harihareswara

Further progress, and requests for your opinions, in today's summary:  
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/10

Wes: thanks - I have linked to your suggestion and linked resources within 
https://github.com/pypa/warehouse/issues/996 but, good news, folks working on 
this task have already mentioned WebAuthn, so it is on the table.

-- 
Sumana Harihareswara


On Fri, Mar 22, 2019, at 10:37 PM, Wes Turner wrote:
> Is webauthn the multi-factor / 2FA spec to implement now? It's now 
> approved; so while you experts are working on it it may be worth a look 
> to just implement webauthn while we have funding for experts
> 
> https://www.w3.org/TR/webauthn/
> 
> Discourse mentions FIDO. FIDO2 is webauthn, AFAIU.
> 
> There are a number of implementations:
> 
> https://pypi.org/search/?q=webauthn
> 
> https://github.com/topics/webauthn
> 
> On Friday, March 22, 2019, Sumana Harihareswara  wrote:
> > Work has started on the Open Technology Fund-supported project to improve 
> > Warehouse security, accessibility, and internationalization. More details 
> > in today's progress report:
> > 
> > https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/2
> > 
> > 
> >  best,
> >  Sumana Harihareswara
> >  Warehouse project manager
> >  Changeset Consulting
> >  --
> >  Distutils-SIG mailing list -- distutils-sig@python.org
> >  To unsubscribe send an email to distutils-sig-le...@python.org
> > https://mail.python.org/mailman3/lists/distutils-sig.python.org/
> >  Message archived at 
> > https://mail.python.org/archives/list/distutils-sig@python.org/message/3E64P4GNVFSG4JA42OITJUCYU5H3QLAZ/
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/LSEFPHXYLDY34A6DI7OLCZCPU6JUKLBX/

[Distutils] PyPI security work: multifactor auth progress & help needed

2019-03-22 Thread Sumana Harihareswara

Work has started on the Open Technology Fund-supported project to improve 
Warehouse security, accessibility, and internationalization. More details in 
today's progress report:

https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/2


best,
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/3E64P4GNVFSG4JA42OITJUCYU5H3QLAZ/

[Distutils] Maintainers' summit at PyCon NA

2019-03-02 Thread Sumana Harihareswara

https://us.pycon.org/2019/hatchery/maintainers/

> The Maintainers Summit will take place on the morning of Saturday, May 4th, 
> the first day of PyCon proper. A part of PyCon’s hatchery program, the Summit 
> is seeking to build a community of practice for project maintainers and key 
> contributors. We seek to help the Python community sustain and grow healthy 
> projects and communities.
> 
> Activities will include talks and mini unconference around technology, 
> community, resourcing, and more as it relates to package maintenance.

The call for proposals for lightning talks 
https://www.papercall.io/pycon-maintainers-summit is open till March 15th. But 
even if you don't want to propose a talk, I suggest you keep the Summit on your 
radar -- one of the topic suggestions is:

> What tools and techniques have helped you maintain your Python project, and 
> what challenges have yet to be addressed? Potential topics: CI/CD tooling, 
> package layout, setuptools, PyPI, licenses compatibility, process and release 
> tooling

And then we could take some of those topics into the sprints.
-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/PDJDRQKODMXLLVQF5AXICQPFUUW7YWXF/

[Distutils] Fwd: [PSF-Community] Google Summer of Code 2019 needs you!

2019-01-31 Thread Sumana Harihareswara

Packaging and distribution folks: would any of you like to mentor for GSoC?

As a reminder, we have at least one current maintainer, Pradyun Gedam, who did 
an apprenticeship via GSoC -- probably there are more that I don't know about. 
If you can, consider investing in the future maintainability of your codebase 
by mentoring this year. :-)

(Might be worth checking whether any of your current contributors are eligible 
to apply for GSoC -- for instance, graduate students are eligible. 
https://developers.google.com/open-source/gsoc/faq#what_are_the_eligibility_requirements_for_participation
 )

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc


 Forwarded Message 
Subject: [PSF-Community] Google Summer of Code 2019 needs you!
Date: Tue, 29 Jan 2019 18:50:12 -0800
From: Terri Oda 
Reply-To: gsoc-adm...@python.org 
To: PSF Community 

Hi Python community folk!

As we've done for the past many years, Python is hoping to participate 
in Google Summer of Code.  This is a neat program where students write 
code over the (northern hemisphere) summer under the tutelage of open 
source mentors and get paid: we provide the project ideas, mentors and 
choose the students, Google provides the program framework and the money 
to pay students.  You can read more about GSoC here: 
https://summerofcode.withgoogle.com/

Python participates as an "umbrella org" where many different smaller 
projects ("sub orgs") that use Python can take part under our banner.  
You can also participate separately, but for people who've never done it 
before and want help or for whom the paperwork is a hassle, you're 
welcome to join up with us and let us show you the ropes!

It's really fun, and we've gotten lots of new contributors to 
Python-based projects over the years, taking in as many as 70+ students 
in a single year.  Last year we only had 15, though, so we've got lots 
of space for new mentors and new projects.

We need a good set of sub-orgs and ideas by Feb 4th for our application, 
and if we're accepted by Google we'll be able to add a few more ideas 
and groups until March 5th or so.

Sound intriguing?  You can read all about what we're doing at 
http://python-gsoc.org/ (which has answers to questions like "what does 
it take to be a mentor?" and "what does it take to be a sub-org?")

You can also send questions to gsoc-adm...@python.org (or just hit reply 
to this email!)

  Terri


___
PSF-Community mailing list
psf-commun...@python.org
https://mail.python.org/mailman/listinfo/psf-community
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/C6RIITZ42V2KSO2WP4HS263Q4KRWJ2EV/

[Distutils] upcoming work to facilitate PyPA communications/roadmaps

2018-12-24 Thread Sumana Harihareswara

It's been eight months since the release of Warehouse[0] and the sunsetting of 
legacy PyPI[1]. Following up from our meeting at PyCon in May[2], Changeset 
Consulting is back on board for another round of project management to 
facilitate next steps! For the next 3-6 months this work will be spearheaded by 
myself (Sumana) assisted by Jenny Ryan (https://jennyryan.net ). 

The goal over these upcoming months is to create, steward and facilitate 
internal and public-facing communications to aid the folks within PyPA. 

What this means is that we'll be focused on the following:
* Facilitating regular meetings of and for maintainers and contributors;
* Stewarding communications with various PyPA stakeholders, including funders 
and users;
* Organizing, labelling, prioritizing, and responding to GitHub issues;
* Coordinating public communications, such as announcements, sprints, and calls 
for participation;
* Maintaining and improving documentation, meeting notes and development 
roadmaps for PyPA projects.

Feedback from and participation by the Python packaging developer community is 
obviously part and parcel of this project, so you may see some new "here's what 
I think is up with this issue, is that right?" questions on old unresolved 
discussions. And we'll be asking questions on this & other lists and on GitHub 
and in IRC to collect ideas, concerns, and other productive input regarding the 
tools roadmaps.

You'll be seeing more details in mid-January to properly kick off this next 
chapter of levelling up PyPI and the PyPA -- just wanted to give y'all a 
heads-up.

But of course, if you were already planning on using the next few weeks to do 
issue triage and roadmap-writing and PyCon planning, please don't wait for us 
-- that'll make this work all the easier.

Thanks,
Sumana Harihareswara


[0] https://blog.python.org/2018/04/new-pypi-launched-legacy-pypi-shutting.html
[1] 
https://mail.python.org/archives/list/distutils-sig@python.org/thread/YREMU56QKRMTTFBFVFJ2B4EHOEKOJZFJ/
[2] 
https://mail.python.org/archives/list/distutils-sig@python.org/thread/CCOV6PITEWELONZHP4ZHXALBFQA3K3MY/

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/OAE2A5FPD5IX2U3SIL4FIMPBWVN2VHLS/

[Distutils] Stepping away from Twine maintainership

2018-09-25 Thread Sumana Harihareswara

Quick note to thank Ian Stapleton Cordasco and Thea Flowers for their work 
maintaining Twine! I realized I don't have time to help maintain it right now 
so I'm stepping away from that, and am grateful for their work, including new 
releases this month: https://pypi.org/project/twine/#history

And thanks to Dustin Ingram for all his recent work on Twine as well. As he 
said https://twitter.com/di_codes/status/1044358639081975813 :

> New twine subcommand: $ twine check dist/*

> Use it to verify that the README for your package is valid and will be 
> rendered correctly on PyPI.
 > Between that and Markdown support, there's no excuse for mis-rendered PyPI 
 > descriptions anymore! More details: 
 > https://packaging.python.org/guides/making-a-pypi-friendly-readme/#validating-restructuredtext-markup


-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/YW6FFQ4JJYGLNG5ENE2AI7VERTXDJFAR/

[Distutils] Re: Distlib vs Packaging (Was: disable building wheel for a package)

2018-09-21 Thread Sumana Harihareswara

Bert, it sounds like you have a Code of Conduct complaint about a PyPA-
maintained project -- may I formally pass that along to all of the
pipenv maintainers perhttp://www.pypa.io/en/latest/code-of-conduct/ 
for followup and ask for more specific details? You can let me know on-
list or offlist.--
Sumana Harihareswara
Changeset Consulting
s...@changeset.nyc



On Thu, Sep 20, 2018, at 9:34 PM, Bert JW Regeer wrote:
> 
> 
>> On Sep 20, 2018, at 16:30, Dan Ryan  wrote:
>> 
>> Pipenv also uses pip as mentioned several times in the thread, and
>> (reiterating here) the entire point of the conversation is about how
>> both can work together on changes. That is the thrust of the whole
>> discussion. We are actively using pip via its internals and pips
>> developers (who _actively develop pip_) would like us to an alternate
>> approach.>> 
>> The discussion is about how to find one and then contribute it back
>> to pip. Nobody is discontinuing work on pip, nobody is splitting from
>> pip, and I would prefer if we could refrain from trying to spread
>> this kind of inaccurate picture.> 
> Wait, what? How did my apparently misunderstanding of what "it's
> looking like things could be on track to split the user and maintainer
> base in two" and me explaining why I don't think all new innovation
> should go into pipenv suddenly turn into "spread this kind of
> inaccurate picture".> 
>> I know we have had unproductive conversations on the issue tracker,
>> please don’t bring them to the mailing list.> 
> This isn't about you, has absolutely NOTHING to do with you, don't
> make it about you. I am trying to contribute my thoughts back to the
> discussion which only is of peripherally concerned about pipenv, but
> is about the future of pip/package installation, and a comment that
> was made regarding pip becoming "legacy".> 
> You made me feel incredibly unwelcome to pipenv, I will no longer
> actively attempt to contribute back to that community. I have gone out
> of my way to stay away from any PyPA projects because of the actions
> and behaviours you showed on the pipenv tracker, and have actively
> encouraged others to do the same and look at other open source
> projects instead. Let us be crystal clear here, the way you and
> Kenneth have shown your colours on the pipenv issue tracker is a real
> shame and is turning off many potential contributors and good feedback
> to help improve pipenv.> 
> This post, right here, has re-iterated that view.
> 
> Don't contact me again.
> 
>> 
>> Dan Ryan // pipenv maintainer
>> gh: @techalchemy
>> 
>> On Sep 20, 2018, at 2:29 PM, Bert JW Regeer
>>  wrote:>>> 
>>> 
>>>> On Sep 20, 2018, at 12:11, Tzu-ping Chung 
>>>> wrote:>>>> 
>>>> 
>>>> 
>>>> On 21 Sep 2018, at 02:01, Bert JW Regeer  wrote:>>>>> 
>>>>> 
>>>>>> On Sep 19, 2018, at 23:22, Chris Jerdonek
>>>>>>  wrote:>>>>>> 
>>>>>> Thus, it's looking like things could be on track to split the
>>>>>> user and maintainer base in two, with pip bearing the legacy
>>>>>> burden and perhaps not seeing the improvements. Are we okay with
>>>>>> that future?>>>>> 
>>>>> This'll be a sad day. pip is still used as an installer by other
>>>>> build system where using pipenv is simply not a possibility.>>>> 
>>>> I am not quite sure I understand why you’d think so. pip has been
>>>> bearing the legacy burden for years, and if this is the future (not
>>>> saying it is), it would more like just another day in the office
>>>> for pip users, since nothing is changing.>>> 
>>> pip not seeing any improvements is something I think will be sad. I
>>> don't use pipenv, but use poetry which uses pip behind the scenes to
>>> do installation. I also use flit. For either of those cases I would
>>> think it sad that pipenv splits from pip, and then developers of
>>> alternate tooling around building packages (but not installing)
>>> don't get new improvements because "pip is legacy".>>> 
>>> pipenv doesn't work in various scenarios, and trying to shoehorn it
>>> into those scenarios is just wrong especially since it wasn't
>>> designed to do those things.> 
> --
> Distutils-SIG mailing list -- distutils-sig@python.org
> To unsubscribe send an email to distutils-sig-le...@python.org
> https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
> Message archived at
> https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/BC7DTEX7VGBZ5NEAXQH2TRF7EXF3PMH3/
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/KXNRH75RP5USUTYWGQGGKGNT34VQYHZU/

[Distutils]Package maintainers: verify your PyPI account email address

2018-07-16 Thread Sumana Harihareswara

Heads-up: if you have a pypi.org or test.pypi.org account, please verify your 
email address:

  https://pypi.org/manage/account/

  https://test.pypi.org/manage/account/

Reason:

> We have a problem with a bit of our data, namely that due to historical 
> reasons we have a fair amount of users in the database that do not have a 
> verified primary email address. The side effect of this is that we're 
> currently sending emails to email addresses that we have not had verified. 
> This is a bad situation to be in, because in order to keep our bounce/spam 
> rate low, we should be confirming all email addresses before sending email to 
> them. In addition the way our bounce handling code works is it un-verifies 
> the email address, which the intent was to stop sending email to it until the 
> user has reverified their email address.
> 
> In total there are about 193k user accounts with a unverified email address 
> for their primary address, and 44k that do have a verified email address for 
> their primary account.
> 
> So we need to come up with a strategy to resolve this, because it's pretty 
> important that we don't send email to unverified addresses.

(quoting from Donald Stufft's explanation 
https://github.com/pypa/warehouse/issues/3632 which goes on to detail the 
step-by-step plan)

Package maintainers should especially do this soon. As of a few days ago, any 
user whose primary email address is unverified can't upload a file: 
https://github.com/pypa/warehouse/pull/4292 

Please forward to other package maintainers.

After we iron out any issues I figure we'll email the announce list 
https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/ .

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/5ER2YET54CSX4FV2VP24JA57REDDW5OI/

[Distutils] EuroPython financial aid deadline: 5 June

2018-06-03 Thread Sumana Harihareswara

EuroPython 2018 will be in Edinburgh, Scotland, UK, from July 23-29, and will 
include packaging/distribution sprints:

https://wiki.python.org/psf/PackagingSprints

and a devpi help desk, among other sessions:

https://ep2018.europython.eu/en/events/sessions/

Financial aid is available, for free tickets, travel costs, and accommodation. 
Apply by 5 June:

https://ep2018.europython.eu/en/registration/financial-aid/

(I'm not involved in organizing EuroPython -- just signal-boosting.)
-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/O6D5EAEZQG4LSZOEMGDDFJZG5XBANTPT/

[Distutils] Re: Packaging/Warehouse sprint at PyCon 2018

2018-05-08 Thread Sumana Harihareswara

Reminder: it's free to attend and participate in the PyCon development sprints 
(you don't need a Talks and Events PyCon registration to come to the sprints).

If you live anywhere nearish Cleveland, even if you couldn't make it to the 
talks days, consider joining us at least for Monday May 14th, which will 
probably have the most discussion.

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

On 05/01/2018 05:29 PM, Sumana Harihareswara wrote:
> https://wiki.python.org/psf/PackagingSprints now has more info:
> 
> * we'll have at least one Open Space/Birds of a Feather session on packaging
> * folks representing Anaconda/conda-build, bandersnatch, Pipenv, GitHub,
> the Python Packaging User Guide, & more will be at the sprints
> * more things we'll work on
> 
> Happy to take suggestions on things to talk about and work on during the
> BoF and sprints!
> -Sumana
> 
> 
> On 03/13/2018 10:04 AM, Sumana Harihareswara wrote:
>> https://wiki.python.org/psf/PackagingSprints is where I've started a
>> list of our upcoming planned sprints (right now, PyCon North America and
>> EuroPython), with who's attending each and what we might work on there.
>>
>> At PyCon in Cleveland, possible work includes:
>>
>> * User testing
>> * Updating the PyPA roadmap
>> * Packaging Problems triage
>> * PyPI API keys and two-factor auth, with Luke Sneeringer & Donald Stufft
>> * Architecture for new Warehouse API URL structure
>>
>> -Sumana
>>
>> On 02/13/2018 11:22 PM, Sumana Harihareswara wrote:
>>> Reminder: this Thursday, Feb. 15th, is the last day to request financial
>>> aid to attend PyCon https://us.pycon.org/2018/financial-assistance/ and
>>> thus the sprints. If money's a reason you're assuming you can't come
>>> join us and improve Warehouse and other Python packaging/distribution
>>> tools, I hope you'll apply for financial assistance.
>>>
>>> On 01/30/2018 01:39 PM, Sumana Harihareswara wrote:
>>>> In case you're planning your PyCon Cleveland travel: we are planning to
>>>> hold a Warehouse/packaging sprint at PyCon (the sprints are Monday, May
>>>> 14th - Thursday, May 17th 2018).
>>>>
>>>> We welcome package maintainers, backend and frontend web developers,
>>>> infrastructure administrators, technical writers, and testers to help us
>>>> make the new PyPI, and the packaging ecosystem more generally, as usable
>>>> and robust as possible. I took the liberty of updating
>>>> https://us.pycon.org/2018/community/sprints/ to say so.
>>>>
>>>> Once we're closer to the sprints I'll work on a more detailed list of
>>>> things we'll work on in Cleveland.
>>>>
--
Distutils-SIG mailing list
distutils-sig@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/DXB2UKSIDHZRFLHX4EAIRPMPQL4AEIHV/

[Distutils] proposing Python package index upload API spec (potential PEP)

2018-05-08 Thread Sumana Harihareswara

As a new Twine maintainer I've been running into questions like:

* Now that Warehouse doesn't use "register" anymore, can we deprecate it from 
distutils, setuptools, and twine? Are any other package indexes or upload tools 
using it? https://github.com/pypa/twine/issues/311
* It would be nice if Twine could depend on a package index providing an HTTP 
201 response in response to a successful upload, and fail on 200 (a response 
some non-package-index servers will give to an arbitrary POST request).

I do not see specifications to guide me here, e.g., in the official guidance on 
hosting one's own package index 
https://packaging.python.org/guides/hosting-your-own-index/ . PEP 301 was long 
enough ago that it's due an update, and PEP 503 only concerns browsing and 
download, not upload.

I suggest that I write a PEP specifying an API for uploading to a Python 
package index. This PEP would partially supersede PEP 301 and would document 
the Warehouse reference implementation. I would write it in collaboration with 
the Warehouse maintainers who will develop the reference implementation per 
pypa/warehouse/issues/284 and maybe add a header referring to compliance with 
this new standard. And I would consult with the maintainers of packaging and 
distribution tools such as zest.releaser, flit, poetry, devpi, pypiserver, etc.

Per Nick Coghlan's formulation, my specific goal here would be close to:

> Documenting what the current upload API between twine & warehouse actually 
> is, similar to the way PEP 503 focused on describing the status quo, without 
> making any changes to it. That way, other servers (like devpi) and other 
> upload clients have the info they need to help ensure interoperability.

Since Warehouse is trying to redo its various APIs in the next several months, 
I think it might be more useful to document and work with the new upload API, 
but I'm open to feedback on this.

After a little conversation here on distutils-sig, I believe my steps would be:

1. start a very early PEP draft with lots of To Be Determined blanks, submit as 
a PR to the python/peps repo, and share it with distutils-sig
2. ping maintainers of related tools
3. discuss with others at the packaging sprints 
https://wiki.python.org/psf/PackagingSprints next week
4. revise and get consensus, preferably mostly on this list
5. finalize PEP and get PEP accepted by BDFL-Delegate
6. coordinate with PyPA, maintainers of `distutils`, maintainers of packaging 
and distribution tools, and documentation maintainers to implement PEP 
compliance

Thoughts are welcome. I originally posted this at 
https://github.com/pypa/packaging-problems/issues/128 .
-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list
distutils-sig@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/WEPTF7Q7475UA7VVULDLIG3A445WOCLI/

[Distutils] Oct 27-28: Bloomberg sponsoring packaging sprint

2018-05-02 Thread Sumana Harihareswara

The weekend of October 27-28, simultaneously in London, UK and New York
City, USA, Bloomberg will host a Python packaging and distribution tools
event. Please mark your calendars!

If you live in North America or Europe and would need assistance to
attend this as a mentor/helper, watch for more details in July.

If you live outside of the US or UK and would need an invitation letter
to get a visa to travel to one of these sprints, please write to Kevin
P. Fleming at Bloomberg, kpfleming AT bloomberg DOT net, and he'll start
setting you up.

Details:

Thanks to Bloomberg for their generosity. They're already a Platinum PSF
sponsor, and they'll host this, pay for a maintainers'/mentors' dinner
the night before, provide clusters of cloud virtual machines for the
attendees to use, and book and pay for some contributors' lodging and
travel.

This'll be an opportunity to advance Python packaging/distro tools,
teach new contributors (including many Bloomberg employees), and yeah,
if you want to get to know Bloomberg for career reasons, that too. :)

We hope mentors can arrive Thursday night 25 Oct, do prep, setup, and
dinner on Friday, then participate Sat-Sun, then leave Sunday evening or
Monday.

We'll be putting more details on these lists (distutils-sig and
pypa-dev) and at https://wiki.python.org/psf/PackagingSprints .

Thanks to Bloomberg folks Mario Corchero and Henry Kleynhans in London
and Kevin P. Fleming in New York City for coordinating this, and thanks
especially to Mario and to Paul Ganssle for suggesting it!
--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list
distutils-sig@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at
https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/UKMJ7QRBFASA5EPY54QQWO6JJNYPGISO/

[Distutils] (Final) PyPI/Warehouse weekly report: legacy is shut down

2018-05-01 Thread Sumana Harihareswara

As I announced yesterday[1], here and on the pypi-announce[2] and
general Python announcement[3] lists, we have shut down legacy.pypi.org,
on schedule. (See the notes from our final weekly call[4], a screenshot
of all our closed milestones[5], a screenshot of the hit ratio for
Legacy going to 0%[6], and Ernest pouring out a toast to the old
codebase[7].)

This is the last weekly report you'll get from me on this project, as
the MOSS funding has nearly run out (we set aside a little for me to run
the PyCon sprint and for Nicole to run the EuroPython sprint).

Thanks so much to Mozilla's Open Source Support program for the award[8]
that enabled this work[9]. And thanks to the PSF and its Packaging
Working Group[10] for facilitating it.
Highlights from the last week:


The podcast Talk Python To Me released an episode interviewing Dustin
Ingram, Nicole Harris, and Ernest W. Durbin III about Warehouse  -- you
can listen[11] or read the transcript[12]. And the Python Bytes podcast
had a short chat about Warehouse[13] as well.

Ernest sunset Legacy[14], fixed a subsequent outage[15] (my fault for
putting a hostname in the title of a blog post!), updated a cabotage
setting[16], updated CDN configuration[17], and fixed another service
disruption[18]. And he improved search for XML-RPC endpoint users[19].

Since we got 1700+ responses to the "buy a feature" survey[20], we took
down the banner[21] -- Nicole notes that the data is really useful and
will really help with redesigning the project detail page! She also
fixed modal alignment[22] and table alignment[23] in IE11.

Dustin replaced our Twisted usage with gunicorn[24] and fixed an
edge case concerning identical canonical versions of a release[25],
and Dustin and Ernest made old pypi.python.org links for files,
display actions[26],  search and browse actions[27] redirect
appropriately. And Dustin merged "Support XML-RPC multicall"[28] and
then "Skip tweens for XML-RPC multicall subrequests"[29] then
"Deprecate XML-RPC MultiCall"[30] and I think we've all had
sequences like that in our lives.

Laura Hampton and I ran a Warehouse sprint night[31] in New York City
(giving participants several tasks at varying difficulty levels[32]),
where Corey Girard helped us make profile pages display "you" versus a
username more logically[33] -- thanks, Corey! -- and Kshitij Chawla
found a setup issue[34].  And the team found some more developer
experience snags and got to fixing them: PyPUG instructions[35], the
README[36], Docker instructions[37], discoverability for the
architecture overview[38].

We are slowing down a bit on pull request review and issue response as
our dedicated time on Warehouse comes to a close, but we still did a lot
of review and replying. Thanks to the volunteers who got pull requests
merged in the past week:
 * nixjdm, who added description_content_type to the JSON API[39]
 * cheungnj, who improved how we display the "last released" date on a
   project[40]
 * aalmazan, who fixed how we handle tab cycling inside active
   modals[41]
 * alex, who fixed a pytest argument[42]
 * kpayson64, who updated wheel types Warehouse supports[43] (see the
   followup conversation, on whether PyPI should allow Linux wheel
   uploads for ARM[44])

Special shoutout to GitHub user jdufresne[45] who has submitted a bunch
of pull requests to various projects, including setuptools[46], updating
their URLs from pypi.python.org to pypi.org (example[47]). I've done
some similar issue-opening (example[48]). And thanks to Donald Stufft
for helping with the infrastructure changeover[49]!

You can help by:

 * updating the distutils docs[50] to reflect how PyPI currently works
 * giving yeraydiazdiaz feedback on this approach to automated frontend
   testing[51]
 * keeping an eye on Warehouse pull requests and reviewing[52] them
 * telling hiring managers you know to consider hiring Ernest[53] and
   giving him paid time to work on PyPI
 * finding us at PyCon North America[54] and giving us friendly feedback

Dustin, Ernest, Laura, Nicole and I will continue volunteering a few
hours per week around here, just as many of us did before the project.
We're all grateful we got to work together and make this happen, and
hope to have further paid opportunities to dedicate time to this
infrastructure and its symbiotic community.
--
Sumana Harihareswara
(basically my last note as) Warehouse/PyPI project manager
PyPA member
Packaging Working Group member
Changeset Consulting -- open to new client engagements starting
in June/jul...@changeset.nyc


Links:

   1. 
https://mail.python.org/mm3/archives/list/pypi-annou...@python.org/thread/2HTWYE4WPCOTIIIE3Z2IKLGDHYCWVR2J/
   2. 
https://mail.python.org/mm3/archives/list/pypi-annou...@python.org/thread/2HTWYE4WPCOTIIIE3Z2IKLGDHYCWVR2J/
   3. 
https://mail.python.org/pipermail/python-announce-list/2018-April/011916.html
   4. https://wiki.python.org/psf/PackagingWG/20

[Distutils] Re: Packaging/Warehouse sprint at PyCon 2018

2018-05-01 Thread Sumana Harihareswara

https://wiki.python.org/psf/PackagingSprints now has more info:

* we'll have at least one Open Space/Birds of a Feather session on packaging
* folks representing Anaconda/conda-build, bandersnatch, Pipenv, GitHub,
the Python Packaging User Guide, & more will be at the sprints
* more things we'll work on

Happy to take suggestions on things to talk about and work on during the
BoF and sprints!
-Sumana


On 03/13/2018 10:04 AM, Sumana Harihareswara wrote:
> https://wiki.python.org/psf/PackagingSprints is where I've started a
> list of our upcoming planned sprints (right now, PyCon North America and
> EuroPython), with who's attending each and what we might work on there.
> 
> At PyCon in Cleveland, possible work includes:
> 
> * User testing
> * Updating the PyPA roadmap
> * Packaging Problems triage
> * PyPI API keys and two-factor auth, with Luke Sneeringer & Donald Stufft
> * Architecture for new Warehouse API URL structure
> 
> -Sumana
> 
> On 02/13/2018 11:22 PM, Sumana Harihareswara wrote:
>> Reminder: this Thursday, Feb. 15th, is the last day to request financial
>> aid to attend PyCon https://us.pycon.org/2018/financial-assistance/ and
>> thus the sprints. If money's a reason you're assuming you can't come
>> join us and improve Warehouse and other Python packaging/distribution
>> tools, I hope you'll apply for financial assistance.
>>
>> On 01/30/2018 01:39 PM, Sumana Harihareswara wrote:
>>> In case you're planning your PyCon Cleveland travel: we are planning to
>>> hold a Warehouse/packaging sprint at PyCon (the sprints are Monday, May
>>> 14th - Thursday, May 17th 2018).
>>>
>>> We welcome package maintainers, backend and frontend web developers,
>>> infrastructure administrators, technical writers, and testers to help us
>>> make the new PyPI, and the packaging ecosystem more generally, as usable
>>> and robust as possible. I took the liberty of updating
>>> https://us.pycon.org/2018/community/sprints/ to say so.
>>>
>>> Once we're closer to the sprints I'll work on a more detailed list of
>>> things we'll work on in Cleveland.
>>>
--
Distutils-SIG mailing list
distutils-sig@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/G7MUNVL5ZXDZFMTG2ADDYEWCV67BK6OJ/

[Distutils] Fwd: [pypi-announce] legacy.pypi.org shut down, please use pypi.org

2018-04-30 Thread Sumana Harihareswara

Roadmap's updated https://wiki.python.org/psf/WarehouseRoadmap . We'd
love your help for the next chapter, the post-legacy-shutdown tasks:
https://github.com/pypa/warehouse/milestone/12


-- 
Sumana Harihareswara
PyPI/Warehouse project manager
Changeset Consulting
https://changeset.nyc


 Forwarded Message 
Subject: [pypi-announce] legacy.pypi.org shut down, please use pypi.org
Date: Mon, 30 Apr 2018 15:25:50 -
From: s...@changeset.nyc
Reply-To: distutils-sig@python.org
To: pypi-annou...@python.org

We have sunset the original Python Package Index service, which was
temporarily deployed at https://legacy.pypi.org .


The new PyPI is at https://pypi.org . Browser and API calls to
pypi.python.org will continue to redirect to pypi.org .


If you have been using legacy.pypi.org directly, please start using
pypi.org :
https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi
If there is a feature that the new codebase does not support, you should
file an issue at https://github.com/pypa/warehouse/issues as soon as
possible.


If you use JFrog Artifactory, please make sure you're running the latest
version. Please see the guidance from JFrog
https://jfrog.com/knowledge-base/why-am-i-not-able-to-connect-to-pypi-python-org/
and full discussion of the issue
https://github.com/pypa/warehouse/issues/3275 .


Maintenance report on the sunsetting:
https://status.python.org/incidents/ptvp1wnn0jmq


Historical context and future plans: https://lwn.net/Articles/751458/


Sincerely,
Sumana Harihareswara on behalf of the PyPI team
___
pypi-announce mailing list
pypi-annou...@python.org
https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/
___
Distutils-SIG mailing list
distutils-sig@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/

Re: [Distutils] PyPI update: legacy shutdown 30 April, new classifiers page, seeking funding

2018-04-24 Thread Sumana Harihareswara

And thanks, as ever, to Mozilla for their support for the PyPI &
Warehouse work, and to the PSF for facilitating this work!
https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/

MOSS has a number of types of award that are open to different sorts of
open source/free software projects. If your project is looking for
financial support, check https://mozilla.org/moss to see if you qualify.
 The next application deadline is April 30th.

-Sumana
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] PyPI update: legacy shutdown 30 April, new classifiers page, seeking funding

2018-04-24 Thread Sumana Harihareswara

Almost the end.

On Monday April 30th we're going to shut down https://legacy.pypi.org/ .
The URL pypi.python.org will continue to redirect to Warehouse
(pypi.org). As you can see from https://status.python.org/ , Warehouse
has been holding up well, and we don't see any reason to delay the
shutdown of Legacy. If you need to compare new Warehouse behavior with
old Legacy behavior, tell us about a redirect that isn't working right,
etc., please do that this week.

Older versions of JFrog's Artifactory have trouble with the
pypi.python.org redirect. Users whose instances proxy/mirror PyPI should
upgrade before April 30th.
https://www.jfrog.com/jira/browse/RTFACT-16223?focusedCommentId=54641=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-54641
(more context[1])

We've been fixing up search[2], dealing with memory consumption[3] and
reliability, adding metrics and monitoring, replying to user issues,
reviewing volunteers' contributions, and improving PyPI admins' ability
to do things like deprecate classifiers[4]. Check out the new page
listing classifiers and linking to a search for each one!
https://pypi.org/classifiers/ And we've been working on user research
to help guide future design decisions and work. We're grateful for the
59 volunteers who have stepped up to participate in Nicole's user
tests. And if you have a spare 5 minutes, we'd like for you to play
our "buy a feature" game via this Google form!
https://docs.google.com/forms/d/e/1FAIpQLSfABpsRcVYt7RDJEsbL_2CnyH-IKXRCRwaBhCm4sYnNI6yB3A/viewform
(short URL: bit.ly/2HpsAWd & tweet to RT[5]) More in our weekly
meeting notes[6].

Some open issues that could use comments from you:

* Why does warehouse allow linux_armv6l and linux_armv7l wheels?[7]
* Derive list of classifiers from a public, version-controlled
source[8]
* Offer a discouraged/deprecated releases option?[9]

Thanks to jonparrott for adding sticky caching for release
descriptions[10], to contrepoint for adding a browser warning for IE
10[11], and browniebroke for customizing an email address verification
message[12].

As I said last week[13], we're running out of MOSS money. We will
probably be able to deal with any issues that come up immediately
following the legacy shutdown, but then this project (and the weekly
emails from me) will be done. Of course Warehouse could use further
sustained effort, so the Packaging Working Group has submitted some
grant proposals and requests to some funders for amounts ranging from
about USD$35,000 to about USD$150,000. Depending on the funders and
their objectives, we've mentioned chunks of work that could happen
faster (or at all) with funding, such as:
* Adding support for two-factor authentication via TOTP and U2F/Fido.
* Adding application-specific tokens scoped to individual
users/projects (also covering adding token-based login support to
twine and setuptools).
* Adding a more advanced audit trail of user actions beyond the current
journal (allowing publishers to track all actions taken by third-
party services
* on their behalf).
* Performing accessibility repair work to follow an
accessibility audit.
* Researching and implementing localization and
internationalization features.
* Recruiting translators and integrating translations into PyPI.
We also would like to accelerate work on group/organization support[14],
better notifications, better staging/testing workflow for project
maintainers, GitHub signon, and more. If you want details on predicted
costs and are interested in hooking the Packaging Working Group[15] up
with potential funders, email cochair Ewa Jodlowska at ewa at python dot
org -- and she may advise that PSF sponsorship[16] is the route to take!
(Also if I'm wrong here about how the PSF wants to do money things,
trust actual PSF staffers and not me.)

So, things you can do:

* check legacy.pypi.org for any behavior, links, etc. you need
* upgrade Artifactory
* play our "buy a feature" game
* comment on issues that need discussion
* help us get more funding for future work
Thanks and best wishes.
--
Sumana Harihareswara
Warehouse/PyPI project manager
Changeset Consulting
s...@changeset.nyc

Links:

1. https://github.com/pypa/warehouse/issues/3275
2. https://github.com/pypa/warehouse/pull/3772
3. https://github.com/pypa/warehouse/pull/3774
4. https://github.com/pypa/warehouse/pull/3771
5. https://twitter.com/nlhkabu/status/988856279526465537
6. https://wiki.python.org/psf/PackagingWG/2018-04-23-Warehouse
7. https://github.com/pypa/warehouse/issues/3668
8. https://github.com/pypa/warehouse/issues/3786
9. https://github.com/pypa/warehouse/issues/3709
10. https://github.com/pypa/warehouse/pull/3745
11. https://github.com/pypa/warehouse/pull/3764
12. https://github.com/pypa/warehouse/pull/3789
13. https://groups.google.com/forum/#!topic/pypa-dev/MBa5300VlI8
14. https://github.com/pypa/warehouse/issues/201
15.

[Distutils] Warehouse/PyPI update: launch, project wrapup approaching

2018-04-18 Thread Sumana Harihareswara

On Monday, we launched Warehouse and redirected[1] browser and API
traffic so Warehouse is now the codebase, and http://pypi.org/ is the
site, serving nearly everyone who requests files from PyPI. The old
codebase is now up at http://legacy.pypi.org/ temporarily. We had a few
hiccups (incident report)[2] and are now fixing up some search,
indexing, caching, encoding, API compatibility, and UI issues. We're
monitoring incoming bug reports and, so far, don't see anything new that
absolutely needs fixing before we shut down the legacy site on Monday,
April 30th.
https://github.com/pypa/warehouse/projects/1 is the rollout board you can watch 
to see our progress, and our weekly meeting notes are up[3]. Please continue to 
report bugs -- if you know they're in PyPI, file them against Warehouse[4], and 
if you're not sure, file them in the "packaging problems" repository[5].
(The "nearly everyone" in that first sentence above is because of this
User-Agent exclusion[6], and because I'm sure a few users are specifying
legacy.pypi.org in their requests right now while working on forwards
compatibility.)
We've made a number of user-visible improvements in the past couple
weeks. For instance, we added a "switch to desktop version" link in the
mobile view[7], fixed dropdowns for accessibility[8], added user help[9]
for folks affected by the TLS 1.0/1.1 deprecation (mea culpa[10], we
should have done that sooner), and created a page thanking our
sponsors[11].
And we've made many backend improvements to performance, API
compatibility with legacy, sorting and indexing, instrumentation for
metrics, and security -- and Donald implemented[12] email sending via
SES. Thanks[13] to Noah Kantrowitz for reporting a privacy concern
regarding Gravatar URLs and leaking users' email addresses (fixed[14]).
It is not feasible for me to summarize all the work that volunteers put
in, as testers, coders, code reviewers, writers, and user support
helpers within the last two weeks. We have an embarrassment of riches
here. Since April 3rd (two weeks ago) we've merged 98 PRs to
Warehouse[15]; thanks to ymyzk, reaperhulk, glasnt, alex, RazerM,
bskinn, saxenanurag, hugovk, waseem18, cheungnj, contrepoint,
yeraydiazdiaz, jonparrott, jMuzsik, and aalmazan for those. And I'd also
like to thank the many people who, on their own, provided and continue
to provide help to affected users on IRC, Twitter, StackOverflow, and
elsewhere.
We don't have any virtual office hours coming up, but we have some other
events planned. The Talk Python to Me podcast[16] just interviewed
Dustin, Nicole, and Ernest for an  upcoming episode. Dustin will be
speaking on PyPI and packaging in general at PyCon NA in May[17] and at
SciPy in July[18], and we're sprinting at PyCon and EuroPython[19] --
join us? And if you're in New York City, you can join Laura and me for a
Warehouse sprint night[20] on Thursday, April 26th.
And the project's starting to wrap up. Our MOSS funding (thanks to
Mozilla[21] for their support[22] for the PyPI & Warehousework!) is nearly 
finished; after we shut down the legacy site on April
30th, the general pace of Warehouse development may slow down.
(Warehouse has far more volunteer contributors than it did when we
started MOSS-funded work in early December, but maintainer time
available will diminish.) So we're seeking further funding, to speed up
security and accessibility work, (potentially) localization,
group/organization support[23], better notifications, better
staging/testing workflow for project maintainers, GitHub signon, and
more (see the "Post-Legacy shutdown" milestone[24] and "cool but not
urgent" milestone[25]). We have submitted a few more grant proposals and
are waiting to hear back. And donations to the Python Software
Foundation’s Packaging Working Group, which works to sustain PyPI, pip,
setuptools, and all other Python Packaging Ecosystem efforts, can now be
made on a recurring basis! Please check out https://donate.pypi.org/
and consider pitching in or spreading the word. I'm working on writing
up and sharing a more structured list explaining what we could do at
various levels of funding.
Thanks as always. Please keep the kind words, bug reports, and -- I hope
-- funding coming! :)--
Sumana Harihareswara
Warehouse/PyPI project manager
Changeset Consulting
s...@changeset.nyc



Links:

   1. https://github.com/python/pypi-infra/commits/master
   2. https://status.python.org/incidents/mgjw1g5yjy5j
   3. https://wiki.python.org/psf/PackagingWG/2018-04-17-Warehouse
   4. https://github.com/pypa/warehouse/issues
   5. https://github.com/pypa/packaging-problems/issues/
   6. https://github.com/pypa/warehouse/issues/3275
   7. https://github.com/pypa/warehouse/pull/3602
   8. https://github.com/pypa/warehouse/pull/3287
   9. https://pypi.org/help/#tls-deprecation
  10. https://groups.google.com/d/msg/pypa-dev/Oz6SGA7gefo/UXCu7jM6AQAJ
  11. https://pypi.org/sponsors/
  12. h

Re: [Distutils] please mark good first issues in your projects

2018-04-13 Thread Sumana Harihareswara

In my experience (not just here but within Zulip, Wikimedia, Mailman,
and other projects), this depends on the project's maintainers.

If maintainers actively put the word out that a project is seeking new
volunteers, respond to new questions and patches within a few days, and
comment on finished issues to say "great! want another?", volunteers
work through the "good first issues" queue steadily and it needs regular
replenishment. It is worth taking a fresh look at the queue every month
or two to double-check whether any of the open issues labelled "good
first issue" are harder than they first appeared, then remove the label
with an explanatory comment.

(My further advice on stuff like this -- "How To Improve Bus Factor In
Your Open Source Project", "How to Teach And Include Volunteers who
Write Poor Patches", "Inclusive-Or: Hospitality in Bug Tracking", etc.
-- are at my resources page https://changeset.nyc/resources.html .)
-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc

On 04/13/2018 11:32 AM, C Anthony Risinger wrote:
> Do these kind of issues ever linger on unreasonably, or do enough
> voluneteers step up to keep them low? Do you expire that label after a few
> months?
> 
> I don't have any feedback on your actual request, I'm mostly curious of the
> process/interplay around feeding new users work without introduce excessive
> delay or otherwise.
> 
> Thanks,
> 
> On Fri, Apr 13, 2018, 9:55 AM Sumana Harihareswara <s...@changeset.nyc> wrote:
> 
>> Warehouse is attracting several newer contributors including people new
>> to open source, which is great. As Warehouse matures, we have fewer and
>> fewer easy small bugs *in the Python side* left. (So, we have more work
>> for new frontend contributors, and less for Pythonists.)
>>
>> I'd love to refer these folks to other parts of the Python packaging and
>> distribution ecosystem so we can improve the whole toolchain. Right now
>> there are 29 open issues in PyPA projects on GitHub marked "good first
>> issue", 11 in Warehouse and most of the rest in pip:
>>
>>
>> https://github.com/issues?utf8=%E2%9C%93=user%3Apypa+is%3Aopen+label%3A%22good+first+issue%22+
>>
>> I'm totally fine with giving new volunteers teensy tiny doc fix tasks,
>> "manually test this functionality" tasks, and "check whether this bug is
>> still reproducible" tasks, in case you want to write up some of those.
>> Here's a template we use to make good first issues in Warehouse, in case
>> you want to emulate it:
>> https://github.com/pypa/warehouse/issues/new?template=good-first-issue.md
>>
>>
>> **Good First Issue**: This issue is good for first time contributors. If
>> you've already contributed to Warehouse, please work on [another issue
>> without this
>> label](
>> https://github.com/pypa/warehouse/issues?utf8=%E2%9C%93=is%3Aissue+is%3Aopen+-label%3A%22good+first+issue%22
>> )
>> instead. If there is not a corresponding pull request for this issue, it
>> is up for grabs. For directions for getting set up, see our [Getting
>> Started Guide](https://warehouse.pypa.io/development/getting-started/).
>> If you are working on this issue and have questions, please feel free to
>> ask them here, [`#pypa-dev` on
>> Freenode](https://webchat.freenode.net/?channels=%23pypa-dev), or the
>> [pypa-dev mailing list](https://groups.google.com/forum/#!forum/pypa-dev).
>>
>>
>> If your project isn't under https://github.com/pypa , but you want to
>> publicize your good first issues, reply to this thread? Thanks.
>>
>> --
>> Sumana Harihareswara
>> Warehouse project manager
>> Changeset Consulting
>> https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] please mark good first issues in your projects

2018-04-13 Thread Sumana Harihareswara

Warehouse is attracting several newer contributors including people new
to open source, which is great. As Warehouse matures, we have fewer and
fewer easy small bugs *in the Python side* left. (So, we have more work
for new frontend contributors, and less for Pythonists.)

I'd love to refer these folks to other parts of the Python packaging and
distribution ecosystem so we can improve the whole toolchain. Right now
there are 29 open issues in PyPA projects on GitHub marked "good first
issue", 11 in Warehouse and most of the rest in pip:

https://github.com/issues?utf8=%E2%9C%93=user%3Apypa+is%3Aopen+label%3A%22good+first+issue%22+

I'm totally fine with giving new volunteers teensy tiny doc fix tasks,
"manually test this functionality" tasks, and "check whether this bug is
still reproducible" tasks, in case you want to write up some of those.
Here's a template we use to make good first issues in Warehouse, in case
you want to emulate it:
https://github.com/pypa/warehouse/issues/new?template=good-first-issue.md

**Good First Issue**: This issue is good for first time contributors. If
you've already contributed to Warehouse, please work on [another issue
without this
label](https://github.com/pypa/warehouse/issues?utf8=%E2%9C%93=is%3Aissue+is%3Aopen+-label%3A%22good+first+issue%22)
instead. If there is not a corresponding pull request for this issue, it
is up for grabs. For directions for getting set up, see our [Getting
Started Guide](https://warehouse.pypa.io/development/getting-started/).
If you are working on this issue and have questions, please feel free to
ask them here, [`#pypa-dev` on
Freenode](https://webchat.freenode.net/?channels=%23pypa-dev), or the
[pypa-dev mailing list](https://groups.google.com/forum/#!forum/pypa-dev).

If your project isn't under https://github.com/pypa , but you want to
publicize your good first issues, reply to this thread? Thanks.

--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] IRC/Twitter livechats about Warehouse today & Thursday

2018-04-04 Thread Sumana Harihareswara

The next chat will be in a little under half a day.

We're also adding one more IRC livechat, for next week: Tuesday, April
10th, 19:00 UTC:
https://www.timeanddate.com/worldclock/converter.html?iso=20180410T19=24=1440=179
.

-Sumana


On 04/03/2018 10:44 AM, Sumana Harihareswara wrote:
> The next one starts in ~16 minutes. Links, etc. at
> https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html#livechat
> .
> 
> -Sumana
> 
> On 03/26/2018 05:13 PM, Sumana Harihareswara wrote:
>> Warehouse developers will be in IRC, in #pypa-dev on Freenode, and on
>> Twitter (hashtag: #newpypi), available to talk about problems you run
>> into, or about how to hack on Warehouse, for four livechats over the
>> next few weeks:
>>
>>
>> 1. Tuesday, March 27th, 9am-10am PDT, noon-1pm EDT, 18:00-19:00 CEST,
>> 9:30pm-10:30pm India, 16:00-17:00 UTC
>> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+chat=20180327T16=:=1
>>
>>
>> 2. Friday, March 30th, 10-11am EDT, 16:00-17:00 CEST, 7:30pm-8:30pm
>> India, 14:00-15:00 UTC
>> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+live+chat=20180330T14=1440=1
>>
>>
>> 3.  Tuesday, April 3rd, 8am-9am PDT, 11am-noon EDT, 17:00-18:00 CEST,
>> 8:30pm-9:30pm India, 15:00-16:00 UTC
>> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+livechat=20180403T10=24=1
>>
>>
>> 4. Thursday, April 5th, 5pm-6pm PDT, 8pm-9pm EDT, (April 5th) 8am-9am
>> Manila, (April 5th) 10am-11am Melbourne, (April 5th) 0:00-1:00 UTC
>> https://www.timeanddate.com/worldclock/fixedtime.html?p1=24=20180405T19=Warehouse/PyPI%20beta%20livechat=1=4
>>
>>
>> Feel free to drop in! (By participating, you agree to abide by the PyPA
>> Code of Conduct: https://www.pypa.io/en/latest/code-of-conduct/ .)
>>

___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] PyPI/Warehouse update: new advice & launch, shutdown dates

2018-04-03 Thread Sumana Harihareswara

helping review each other's work, which
helps everyone learn and improve PRs faster.

How you can help:

 * forward the beta announcement[49] to downstreams
 * tell people on Macs to upgrade pip[50], and answer Guido's
   question[51] about which users are potentially affected
 * test[52] Warehouse pull requests, and consider making one[53]
 * talk with Nicole about being a subject or interviewer for user
   tests[54]
 * improve the official Python packaging guide[55]
 * remind well-off companies/foundations you know that further Warehouse
   work is more likely if they give the PSF donations[56],
   sponsorship[57], or grants
Thanks again to the Mozilla Open Source Support grant[58] that makes
this work possible.
--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
s...@changeset.nyc

Links:

   1. https://wiki.python.org/psf/WarehouseRoadmap
   2. https://wiki.python.org/psf/PackagingWG/2018-04-02-Warehouse
   3. https://github.com/pypa/warehouse/issues/3411
   4. 
https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi
   5. 
https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi
   6. https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/
   7. 
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html
   8. http://status.python.org/
   9. https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/
  10. https://github.com/pypa/warehouse/milestones
  11. https://github.com/pypa/warehouse/pull/3503
  12. https://github.com/pypa/warehouse/pull/
  13. https://github.com/pypa/warehouse/pull/3327
  14. https://github.com/pypa/warehouse/pull/3477
  15. https://github.com/pypa/warehouse/pull/3393
  16. https://github.com/pypa/warehouse/pull/3434
  17. https://github.com/pypa/warehouse/pull/3418
  18. https://github.com/pypa/warehouse/pull/3372
  19. https://github.com/pypa/warehouse/pull/3396
  20. https://github.com/pypa/warehouse/pull/3457
  21. https://github.com/pypa/warehouse/pull/3459
  22. https://github.com/pypa/warehouse/pull/3475
  23. https://github.com/pypa/warehouse/pull/3429
  24. https://github.com/pypa/warehouse/labels/cross%20browser%20bug%20%3Abug%3A
  25. https://github.com/pypa/conveyor/pull/3
  26. 
https://github.com/pypa/pypi-legacy/commits?author=ewdurbin=2018-03-01T05:00:00Z=2018-04-01T04:00:00Z
  27. https://github.com/pypa/warehouse/pull/3522
  28. https://github.com/pypa/warehouse/pull/3498
  29. https://github.com/pypa/warehouse/pull/3320
  30. https://github.com/pypa/warehouse/pull/3466
  31. https://github.com/pypa/warehouse/pull/3493
  32. https://github.com/pypa/warehouse/pull/3403
  33. https://github.com/pypa/warehouse/pull/3354
  34. http://kafka.dcpython.org/day/pypa-dev/2018-04-03
  35. 
https://blog.python.org/2018/03/the-all-new-python-package-index-is-now.html
  36. 
https://mail.python.org/pipermail/python-announce-list/2018-March/011883.html
  37. https://lists.debian.org/debian-python/2018/04/msg0.html
  38. https://groups.google.com/forum/#!topic/python-brasil/Synj27Fczww
  39. https://www.facebook.com/groups/pythonpl/permalink/1680880335336289/
  40. 
http://lists.software-carpentry.org/pipermail/discuss/2018-March/005891.html
  41. https://groups.google.com/forum/#!topic/numfocus/uu8aGRmQ-oc
  42. https://changelog.com/news/the-new-pypi-is-finally-in-beta-l66G
  43. https://twit.tv/shows/floss-weekly
  44. 
https://www.google.com/calendar/event?eid=cTNzdDByZWxmOGRsaXRiMWo3ZXJvY2lwaW9fMjAxODAzMjdUMTkwMDAwWiA1dm90czZraGxlNm02dnNzdWFsdDJvZjg3MEBn=America/New_York
  45. https://twitter.com/hashtag/newpypi?src=hash
  46. 
https://mail.python.org/pipermail/python-announce-list/2018-April/011885.html
  47. https://github.com/pypa/warehouse/issues/3293#issuecomment-378416605
  48. 
https://github.com/pypa/warehouse/pulls?utf8=%E2%9C%93=3410+3448+3467+3322+3495+3412+3405+3485+3243+3535+2163+3533+3500+3415+3407+3314+3328+3202+3377+3388+3409+
  49. 
https://mail.python.org/pipermail/python-announce-list/2018-March/011883.html
  50. 
https://mail.python.org/pipermail/python-announce-list/2018-April/011885.html
  51. https://github.com/pypa/warehouse/issues/3293#issuecomment-378416605
  52. 
https://warehouse.readthedocs.io/development/reviewing-patches/#testing-branches-on-your-local-machine
  53. https://warehouse.readthedocs.io/development/getting-started/
  54. http://whoisnicoleharris.com/2018/03/13/user-testing-warehouse.html
  55. 
https://github.com/pypa/python-packaging-user-guide/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22
  56. https://donate.pypi.org/
  57. https://www.python.org/psf/sponsorship/
  58. https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] IRC/Twitter livechats about Warehouse today & Thursday

2018-04-03 Thread Sumana Harihareswara

The next one starts in ~16 minutes. Links, etc. at
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html#livechat
.

-Sumana

On 03/26/2018 05:13 PM, Sumana Harihareswara wrote:
> Warehouse developers will be in IRC, in #pypa-dev on Freenode, and on
> Twitter (hashtag: #newpypi), available to talk about problems you run
> into, or about how to hack on Warehouse, for four livechats over the
> next few weeks:
> 
> 
> 1. Tuesday, March 27th, 9am-10am PDT, noon-1pm EDT, 18:00-19:00 CEST,
> 9:30pm-10:30pm India, 16:00-17:00 UTC
> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+chat=20180327T16=:=1
> 
> 
> 2. Friday, March 30th, 10-11am EDT, 16:00-17:00 CEST, 7:30pm-8:30pm
> India, 14:00-15:00 UTC
> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+live+chat=20180330T14=1440=1
> 
> 
> 3.  Tuesday, April 3rd, 8am-9am PDT, 11am-noon EDT, 17:00-18:00 CEST,
> 8:30pm-9:30pm India, 15:00-16:00 UTC
> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+livechat=20180403T10=24=1
> 
> 
> 4. Thursday, April 5th, 5pm-6pm PDT, 8pm-9pm EDT, (April 5th) 8am-9am
> Manila, (April 5th) 10am-11am Melbourne, (April 5th) 0:00-1:00 UTC
> https://www.timeanddate.com/worldclock/fixedtime.html?p1=24=20180405T19=Warehouse/PyPI%20beta%20livechat=1=4
> 
> 
> Feel free to drop in! (By participating, you agree to abide by the PyPA
> Code of Conduct: https://www.pypa.io/en/latest/code-of-conduct/ .)
> 
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Mac users, upgrade to pip 9.0.3 (due to TLS deprecation)

2018-04-02 Thread Sumana Harihareswara

Mac users who use pip and PyPI:

If you are running macOS/OS X version 10.12 or older, then you ought to
upgrade to the latest pip (9.0.3) to connect to the Python Package Index
securely:

curl https://bootstrap.pypa.io/get-pip.py | python

and we recommend you do that by April 8th.

Pip 9.0.3 supports TLSv1.2 when running under system Python on macOS <
10.13. Official release notes: https://pip.pypa.io/en/stable/news/

Context:

As PSF blogged last year
https://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html
, on June 30, 2018, Python.org sites are going to entirely stop
supporting TLS versions 1.0 and 1.1, because our CDN provider is
deprecating support for those versions.

We are launching the new PyPI (in beta at https://pypi.org) this month
and replacing the legacy PyPI (https://pypi.python.org). Here's the beta
announcement for the new PyPI:
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html

Warehouse, the codebase for the new PyPI, does not support TLS 1.0 or 1.1.

As of late March, the Python Package Index has started doing brownouts
of the deprecated TLS versions. For some portion of each hour, anyone
attempting to access PyPI with TLSv1.0 or TLSv1.1 will get a 403
response with an informative error. We are ramping up the amount of time
the endpoint is down for the deprecated TLS versions, and plan to make
the endpoint 100% unavailable (for the deprecated TLS versions) on and
after April 8th, prior to the final deadline. That gives us a few months
where, someone tries to "pip install", we can give a good error message
-- once June 30th hits, it will just be an uninformative OpenSSL error.

More info:

* https://github.com/pypa/warehouse/issues/3293
* https://github.com/pypa/warehouse/issues/3411
* https://status.python.org/incidents/btjtz01lzp88

If you have problems accessing PyPI, upgrading pip, etc., please file an
issue at https://github.com/pypa/packaging-problems/issues/ and we'll
help figure it out.

Thank you. Please publicize this. (I'm about to cross-post this to
python-list/comp.lang.python.)

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] PyPI/Warehouse (short) weekly report: beta, pythonhosted docs, PEP 541

2018-03-28 Thread Sumana Harihareswara

(A short report this week that doesn't include as much detail about
merged PRs, infrastructure work, and so on, because I've been doing
stuff like writing to python-list/comp.lang.python to ask for
testing[1],  but next week's will have more.)
The new PyPI went to beta this week![2]

Now that PEP 541 is accepted, we are deciding on logistical stuff to
implement it and help deal with name transfer requests[3].
Cool things from the notes from the weekly Warehouse core developers'
meeting[4] include: if your PyPI project has docs already uploaded to
pythonhosted.org, you can now delete those docs[5]. (Further work on
docs transition is forthcoming.) And this week and next week some of our
team are busy with other projects, so code review and issue resolution
will be a little slower.
We have livechats coming up in Twitter & IRC[6] (next one is Friday the
30th), and tomorrow I hope to speak on the OpenNews community call[7] at
noon Eastern Time.
You can help this week by spreading the word[8] about the new PyPI beta
and testing it, by opining in our "needs discussion" issues[9], and by
just being your wonderful selves. Thank you for your help and kind words
through this whole process. It means a lot.
More soon!
--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
s...@changeset.nyc

Links:

  1. https://mail.python.org/pipermail/python-list/2018-March/thread.html#732228
  2. 
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html
  3. https://github.com/pypa/warehouse/issues/1506#issuecomment-374626455
  4. https://wiki.python.org/psf/PackagingWG/2018-03-26-Warehouse
  5. https://github.com/pypa/warehouse/pull/3413
  6. 
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html#livechat
  7. https://opennews.org/what/community/calls/
  8. 
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html
  9. https://github.com/pypa/warehouse/labels/needs%20discussion
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] IRC/Twitter livechat hours March 27-April 5

2018-03-26 Thread Sumana Harihareswara

Warehouse developers will be in IRC, in #pypa-dev on Freenode, and on
Twitter (hashtag: #newpypi), available to talk about problems you run
into, or about how to hack on Warehouse, for four livechats over the
next few weeks:


1. Tuesday, March 27th, 9am-10am PDT, noon-1pm EDT, 18:00-19:00 CEST,
9:30pm-10:30pm India, 16:00-17:00 UTC
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+chat=20180327T16=:=1


2. Friday, March 30th, 10-11am EDT, 16:00-17:00 CEST, 7:30pm-8:30pm
India, 14:00-15:00 UTC
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+live+chat=20180330T14=1440=1


3.  Tuesday, April 3rd, 8am-9am PDT, 11am-noon EDT, 17:00-18:00 CEST,
8:30pm-9:30pm India, 15:00-16:00 UTC
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+livechat=20180403T10=24=1


4. Thursday, April 5th, 5pm-6pm PDT, 8pm-9pm EDT, (April 5th) 8am-9am
Manila, (April 5th) 10am-11am Melbourne, (April 5th) 0:00-1:00 UTC
https://www.timeanddate.com/worldclock/fixedtime.html?p1=24=20180405T19=Warehouse/PyPI%20beta%20livechat=1=4


Feel free to drop in! (By participating, you agree to abide by the PyPA
Code of Conduct: https://www.pypa.io/en/latest/code-of-conduct/ .)
-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Warehouse is in beta

2018-03-26 Thread Sumana Harihareswara

As of today, the new Python Package Index at pypi.org, powered by
Warehouse, is in beta. What does that mean?

>From https://pypi.org/help/#beta :

The site is robust, but not *fully* tested and 'production ready'. This
means:

* The UI may return unusual or erroneous results
* Performance may not yet be optimised
* Some features that you used in the old interface (pypi.python.org) may
be missing
* We need your feedback to get the site production ready

While we are in beta, the pypi.org infrastructure cannot yet support all
of the API traffic generated by our users running pip install, so don't
explicitly point to it in automated production setups. But we want you
to try it and test it, and we're occasionally redirecting portions of
that traffic in load tests we announce on our status page.

Uploads, search, and release management are working well, and project
maintainers and owners should use this version of PyPI over the legacy
site, which no longer supports uploading releases.

More at
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html
. Congrats and thanks to the team, and onwards to the next milestone
(see https://wiki.python.org/psf/WarehouseRoadmap ), the launch and
redirect!

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] TLS support policy & PyPI communications

2018-03-21 Thread Sumana Harihareswara

PSF blogged last year
https://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html
that

> The more crucial deadline comes June 30, 2018. On that date all remaining 
> python.org sites, including PyPI, will no longer support TSL 1.0 and 1.1. 
> Older Python versions that do not implement TLSv1.2 will be prohibited from 
> accessing PyPI.

I asked Ernest W. Durbin III whether I ought to re-announce this to
users in my PyPI announcements. He looked at our TLS trends/stats and
told me we have a very very low proportion of traffic that will be
affected when we shift over. Therefore, since it'll affect so few, I
won't shout about TLS versions in my PyPI communications. Marking that
here for the record.

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] PyPI/Warehouse: infrastructure hardening & the CAPTCHA conundrum

2018-03-20 Thread Sumana Harihareswara

So we aren't quite at beta yet, but we'll be shouting about pypi.org
*really soon*. We have nearly all the Warehouse improvements we need for
beta, and nearly all the infrastructure improvements we believe we'll
need for the switchover.

I'll tell you how you can help, then talk about the current state
of things.
 * The big blocker keeping us from beta: China & CAPTCHAs. Help
   advise us.[1]
 * Comment on a "needs discussion" issue[2].
 * Help us with large-scope JavaScript issues[3], like our frontend
   testing approach.
 * Please talk with Nicole about being a subject or interviewer for
   user tests[4].
 * Tell me if you're planning to join us at sprints at PyCon or
   EuroPython[5].
 * Check out our open good first Warehouse issues[6] (we usually have
   10+ open) and get started[7].

If you follow https://status.python.org/  you saw we did some load
testing last week and learned from it! We redirected some traffic, for a
few periods, for `pip install`, from the old server to Warehouse, and
learned from it. For instance, people running Ubuntu 14.04 LTS (long
term service release)[8] are usually using a pretty old version of pip,
and people on some versions of the Mac OS[9] have older versions of
Python and old versions of security-related libraries that don't support
the version of TLS that we want them to use. Ernest, Donald and Dustin
did a bunch of work addressing this, including Donald putting out pip
9.0.2[10].

(A thing to understand about Ernest's continuing work on PyPI and
distribution infrastructure is that it's in a lot of places. It's
cabotage[11] & a test cabotage app[12], configuration with salt[13],
conveyor[14], pip[15] & get-pip[16], and he filed a bug in
Kubernetes[17] which I personally find particularly impressive. And it's
in user-facing communication in IRC and GitHub comments and on our
statuspage and Twitter, plus a lot of internal discussion with
infrastructure colleagues. I have a harder time gathering links for
Ernest's work for these emails than for my other teammates; regrets.)

As usual, a summary of the past week's work is in our meeting notes[18].
We have new features like letting PyPI administrators add new trove
classifiers easily[19], infrastructure improvements like this complexity
reduction[20],  ton of polish and bug fixing around layout, description
content types (Markdown!), a FAQ restructuring[21], a more useful
collaboration page[22], etc. And we reviewed and merged a lot of
volunteers' pull requests!

Thanks to our prolific volunteers:
 *  pgadige making sure an error message reflects whether you're on PyPI
or Test PyPI[23] *  waseem18 providing an error message for the password 
reset[24]
 *  cryvate fixing form requirements for password reset[25]
 *  waseem18 fixing disabled button CSS[26]
 *  yeraydiazdiaz fixing modal window behavior[27], then refixing[28]
 *  berkerpeksag adding a "public profile" link to the user dropdown[29] *  
Mariatta sending notification email when a project
collaborator's added[30] *  berkerpeksag hiding the "view project" button 
for no-release-yet
projects in maintainers' project lists[31] *  alexwlchan renaming a CSS 
class for consistency[32]
 *  jMuzsik improving documentation of owners' and maintainers'
privileges[33] *  yeraydiazdiaz adding JavaScript validation to show the 
user if "new
password" and "confirm new password" don't match[34] *  alexwlchan 
documenting all the modifiers in our SASS directory[35]
 *  alanbato and yeraydiazdiaz adding a check to stop someone
from uploading a file whose blake2 hash matches an already-
uploaded file[36] *  cryvate improving sorting of package versions in our 
/simple/
API[37] *  jMuzsik improving how PyPI links look on Twitter, adding an 
image to
our Twitter cards[38]
 * years updating the Python Packaging User Guide[39] and sample
   project[40] for Markdown/PEP 566
And thanks to our many bug reporters, especially those who helped us
learn from our load tests.
Also, check out discussion on API key support/macaroons[41],  supporting
GitHub-flavored Markdown as Description-Content-Type[42],  and project
rating/ranking/stars[43].
And finally, we are ever closer to accepting PEP 541 (and planning
followup tasks[44])  and are testing our PEP 566 compliance[45]. And I
may start a PEP for a Python package index upload API specification[46].
More next week, as usual.

*Thanks to Mozilla for their support[47] for the PyPI & Warehouse
work[48]!*
--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
s...@changeset.nyc

Links:

   1. https://github.com/pypa/warehouse/issues/3174
   2. 
https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3A%22needs+discussion%22
   3. https://github.com/pypa/warehouse/issues/1297
   4. http://whoisnicoleharris.com/2018/03/13/user-testing-warehouse.html
   5. https://wiki.python.org/psf/PackagingSp

[Distutils] Twine 1.11.0 released

2018-03-19 Thread Sumana Harihareswara

https://pypi.org/project/twine/1.11.0/ Twine 1.11.0 is now out
(changelog at https://twine.readthedocs.io/en/latest/changelog.html ).

Thanks in particular to Dustin Ingram, Jon Wayne Parrott, Donald Stufft,
Ian Stapleton Cordasco, Leonard Richardson, Matthew Planchard, Holger
Krekel, Jason R. Coombs, Maurits van Rees, and Florian Schulze for code,
testing, review, documentation, and advice.

On 03/18/2018 08:59 AM, Sumana Harihareswara wrote:
subject: prepping PEP 566 support in Twine for tomorrow
> Per
> https://dustingram.com/articles/2018/03/16/markdown-descriptions-on-pypi
> , currently, Markdown support for a package long_description depends on
> a pre-release of Twine. I released Twine 1.11.0rc1 a few days ago. Today
> I'm fixing more bugs and putting out another release candidate, and then
> tomorrow I plan to release 1.11.0. Code review and testing is welcome,
> as is camaraderie in #pypa-dev on Freenode.

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] prepping PEP 566 support in Twine for tomorrow

2018-03-18 Thread Sumana Harihareswara

Per
https://dustingram.com/articles/2018/03/16/markdown-descriptions-on-pypi
, currently, Markdown support for a package long_description depends on
a pre-release of Twine. I released Twine 1.11.0rc1 a few days ago. Today
I'm fixing more bugs and putting out another release candidate, and then
tomorrow I plan to release 1.11.0. Code review and testing is welcome,
as is camaraderie in #pypa-dev on Freenode.

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] new stuff overview, beta next week, user tests, & other Warehouse updates

2018-03-14 Thread Sumana Harihareswara

On 03/14/2018 03:29 AM, Nathaniel Smith wrote:
> On Tue, Mar 13, 2018 at 11:39 PM, Sumana Harihareswara <s...@changeset.nyc> 
> wrote:
>> I've started preparing a
>> draft overview of what's new in PyPI/packaging/distribution to publicize
>> along with the beta; it says "not to be publicized" but I'll let you in on
>> the secret early. Maybe something in it is new to you as well!
> 
> - Missing parentheses at the end of the GPG/PGP line
> 
> - I'd put the signup link for the new announce list right at the top,
> like "this post has lots of important stuff, and if you don't want to
> miss future important stuff, sign up here."
> 
> -n

Thanks. Fixed.

Ernest W. Durbin III also pointed out in IRC
http://kafka.dcpython.org/day/pypa-dev/2018-03-14 that the call to
action, at least in some predecessors of this announcement, was unclear;
I've revised
https://wiki.python.org/psf/PackagingWG/PyPIBetaAnnouncement#Migrating
accordingly.

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] new stuff overview, beta next week, user tests, & other Warehouse updates

2018-03-14 Thread Sumana Harihareswara

The new PyPI is still working towards our big public beta[1]. We have 7
open issues till we'll declare beta and make an outreach push (probably
late this week or early next week), and then 19 more open issues till we
can redirect/launch PyPI[2] probably in April (overview[3]). I've
started preparing a draft overview of what's new in
PyPI/packaging/distribution[4] to publicize along with the beta; it says
"not to be publicized" but I'll let you in on the secret early. Maybe
something in it is new to you as well!

As usual, we had a Warehouse core developers' meeting on Monday[5]. The
last week has seen a lot of polish and bugfixing and documentation for
Warehouse. For instance, project deletion is cleaner[6], we more
consistently indicate dangerous actions on a page[7], and there's now a
migration guide for third-party services[8] which we told several
projects about[9]. We've done some infrastructural work, like Datadog
instrumentation[10],  "Conveyor" (a shim for URL redirects)[11],  and
Cabotage improvements[12]. Here's an animated GIF demo of release phase
commands (scale up, scale down).[13] And we improved other codebases as
well, to fix Travis docs[14], get our HTTPS proxy service to deal with
big embedded images[15], and deal better with parsing invalid URLs in
READMEs[16].
Thanks to volunteers who got pull requests merged this week:
 * waseem[17]: we now send an email to primary email whenever primary
   email is changed
 * mds325[18]: clear input when the user closes the modal * dirn[19]: create a 
shortlink and redirect all requests for
   /p// to /project// * cryvate[20]: clarify project counter 
for searches with tons of
   results * Mariatta[21]: fix an email-sending issue 

And thanks to our many bug reporters, such as Andrew Nesbitt who noticed
an RSS feed discrepancy[22].

Check out the current discussion[23] of API keys, a bearer token
authentication scheme, and Macaroons in future PyPI.

Want to help?
 * Talk with Nicole about being a subject or interviewer for user
   tests![24]  She's been focusing on user tests and it's paid off, with
   a lot of bugs found and designs validated. * Got a good workaround for our 
CAPTCHA being blocked in  China[25]?
 * Consider joining us at sprints[26] in the next few months.
 * We have 24 good first issues open[27], and a "getting started"[28]
   guide, and quick turnaround on code review.
*Thanks to Mozilla Open Source Support[29] for their funding[30] for the
PyPI & Warehouse work.*
--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
s...@changeset.nyc

P.S. Usually I compose these weekly report emails in plain text; here
 I'm doing it in HTML with a plaintext fallback. Let me know if it's
 better, awful, etc. Also nearly no one *replies* to these emails so
 I'd also welcome your "hey this is useful to me!" offlist reply.
Links:

   1. https://github.com/pypa/warehouse/milestone/10
   2. https://github.com/pypa/warehouse/milestone/1
   3. https://github.com/pypa/warehouse/projects/1
   4. https://wiki.python.org/psf/PackagingWG/PyPIBetaAnnouncement
   5. https://wiki.python.org/psf/PackagingWG/2018-03-12-Warehouse
   6. https://github.com/pypa/warehouse/pull/3212
   7. https://github.com/pypa/warehouse/pull/3166
   8. 
https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi
   9. https://github.com/pypa/warehouse/issues/2935
  10. https://github.com/pypa/warehouse/pull/3076
  11. 
https://github.com/pypa/conveyor/commits?author=ewdurbin=2018-03-06T05:00:00Z=2018-03-15T04:00:00Z
  12. 
https://github.com/cabotage/cabotage-app/commits?author=ewdurbin=2018-03-06T05:00:00Z=2018-03-15T04:00:00Z
  13. https://ernest.ly/imgs/cabotage-release-scale-up-scale-down.gif
  14. https://github.com/travis-ci/docs-travis-ci-com/pull/1726
  15. https://github.com/pypa/warehouse-camo/pull/1
  16. https://github.com/pypa/readme_renderer/pull/65
  17. https://github.com/pypa/warehouse/pull/3158
  18. https://github.com/pypa/warehouse/pull/3160
  19. https://github.com/pypa/warehouse/pull/3165
  20. https://github.com/pypa/warehouse/pull/3193
  21. https://github.com/pypa/warehouse/pull/3214
  22. https://github.com/pypa/warehouse/issues/3238
  23. https://github.com/pypa/warehouse/issues/994
  24. http://whoisnicoleharris.com/2018/03/13/user-testing-warehouse.html
  25. https://github.com/pypa/warehouse/issues/3174
  26. https://wiki.python.org/psf/PackagingSprints
  27. 
https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22
  28. https://warehouse.readthedocs.io/development/getting-started/
  29. 
https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/
  30. https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Packaging/Warehouse sprint at PyCon 2018

2018-03-13 Thread Sumana Harihareswara

https://wiki.python.org/psf/PackagingSprints is where I've started a
list of our upcoming planned sprints (right now, PyCon North America and
EuroPython), with who's attending each and what we might work on there.

At PyCon in Cleveland, possible work includes:

* User testing
* Updating the PyPA roadmap
* Packaging Problems triage
* PyPI API keys and two-factor auth, with Luke Sneeringer & Donald Stufft
* Architecture for new Warehouse API URL structure

-Sumana

On 02/13/2018 11:22 PM, Sumana Harihareswara wrote:
> Reminder: this Thursday, Feb. 15th, is the last day to request financial
> aid to attend PyCon https://us.pycon.org/2018/financial-assistance/ and
> thus the sprints. If money's a reason you're assuming you can't come
> join us and improve Warehouse and other Python packaging/distribution
> tools, I hope you'll apply for financial assistance.
> 
> On 01/30/2018 01:39 PM, Sumana Harihareswara wrote:
>> In case you're planning your PyCon Cleveland travel: we are planning to
>> hold a Warehouse/packaging sprint at PyCon (the sprints are Monday, May
>> 14th - Thursday, May 17th 2018).
>>
>> We welcome package maintainers, backend and frontend web developers,
>> infrastructure administrators, technical writers, and testers to help us
>> make the new PyPI, and the packaging ecosystem more generally, as usable
>> and robust as possible. I took the liberty of updating
>> https://us.pycon.org/2018/community/sprints/ to say so.
>>
>> Once we're closer to the sprints I'll work on a more detailed list of
>> things we'll work on in Cleveland.
>>
> 

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Twine 1.10.0 release

2018-03-07 Thread Sumana Harihareswara

https://pypi.org/project/twine/1.10.0/ Twine 1.10.0 is now out; thanks
to Jason R. Coombs, Maurits van Rees, Matthew Planchard, Holger Krekel,
Ian Stapleton Cordasco, Donald Stufft, Dustin Ingram, Pradyun Gedam,
Leonard Richardson, Jason Owen, and Nick Coghlan for advice, testing,
review, and other help.

Please do `pip install -U twine` at your earliest convenience, speak up
if you see bugs, and leave a thumbs-up at
https://github.com/pypa/twine/pull/317 if you want to indicate that it
works just fine for you. :)

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc


On 03/02/2018 05:32 PM, Sumana Harihareswara wrote:
> (So it turns out I've taken on a volunteer gig, which is that I'm now
> one of the Twine maintainers. I may be wrong about how to do this -
> please feel free to comment on https://github.com/pypa/twine/pull/314
> which is where I'm pulling together a new release checklist for myself.)
> 
> https://test.pypi.org/manage/project/twine/release/1.10.0rc1/
> 
> This is a release candidate for Twine 1.10.0 which I'm planning to
> release early next week.
> 
> This release improves project registration usage text (in some cases
> removing it where inapplicable), and updates `--repository[-url]` usage
> text, prints progress to `stdout` instead of `stderr`, improves the
> progressbar, and reorganizes and improves user and developer documentation.
> 
> Please see the changelog
> https://twine.readthedocs.io/en/latest/changelog.html for detailed notes
> under "Next feature release".
> 
> I believe this is how you test it out:
> 
>   pip install --upgrade --pre --index-url https://test.pypi.org/simple/
> --extra-index-url https://pypi.org/simple twine
> 
> Please check existing open issues at
> https://github.com/pypa/twine/issues and open new ones if you have
> problems. Thanks!
> 

___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Fwd: PyPI & Warehouse update: redirecting & shutting down legacy by end of April

2018-03-07 Thread Sumana Harihareswara

Forwarding from pypa-dev (archived 
https://groups.google.com/forum/#!topic/pypa-dev/L9sF30_Yr2A ).

-- 
Sumana Harihareswara

- Original message -
From: Sumana Harihareswara <s...@changeset.nyc>
To: "pypa-dev" <pypa-...@googlegroups.com>
Subject: PyPI & Warehouse update: redirecting & shutting down legacy by end of 
April
Date: Wed, 07 Mar 2018 14:48:34 -0500

The big PyPI news is that we're probably getting to the beta, which we'll 
publicize heavily, in the next 2 weeks, and redirecting traffic to the new PyPI 
and shutting down legacy PyPI by the end of April.[0] (Which is good, because 
that's about when our funding from Mozilla's Open Source Support[1][2] grant 
will probably run out.) We're working on making a list of third-party services 
to alert; please help us out.[3]

The PyCon North America talk schedule is out -- including Dustin Ingram's 
"Inside the Cheeseshop: How Python Packaging Works".[4] And we hope you'll join 
us to hack on packaging and distribution at the sprints, May 14-17.[5] And 
Nicole Harris is also tentatively planning to lead a Warehouse sprint at 
EuroPython in July.[6]

We've kept on working on features, bugfixes, testing, and infrastructure; 
here's a selection of the last week's work. Ernest has been continuing cabotage 
work to manage Kubernetes credentials,[7] and our new infrastructure is stood 
up & heavily tested. Nicole's doing user tests and taking lessons from that and 
turning them into issues -- feel free to ping her if you're open to talking 
with her for 30-60 minutes so she can see how you use the new PyPI.[8] Dustin 
fixed the issue "Version lookup should take PEP 440 normalization into account" 
#445 with multiple fixes involving a canonical version for each release.[9] And 
he also updated the official Python packaging guide to cover how you indicate 
multiple emails in core metadata.[10] And, thanks to Ernest, PyPI legacy now 
has a banner for logged-in users, asking them to test pypi.org.[11]

Thanks to volunteers:
   * yeraydiazdiaz for password strength gauge[12]
   * jw for changing "Edit" to "Manage" in project management screen[13]
   * aalmazan for updating a checkbox to use the Stimulus framework[14]

We also brought up the possibility of changing the PyPI URL structure, in case 
you want to weigh in.[15]

Last week's office hours/IRC livechat went okay! Not as many participants as I 
would like, but this particular publicity/feedback structure is fairly new to 
the Python packagers community and I didn't do enough advance publicity. We got 
praise for the new PyPI, and we got bug reports and related comments and 
concerns (for Warehouse and related tools), and we shared tutorials and tools 
and command-line tips that some experienced packagers didn't know about. And we 
got people to subscribe to the announce mailing list.[16]

Notes from the weekly Warehouse core developers' meeting are, as usual, on the 
wiki.[17] And you can keep up with our current and upcoming milestone progress 
at the GitHub rollout board overview.[18]

And, thanks to Mark Mangoba, PEP 541 is going to get further progress within 
the Packaging WG this week.[19]

We would love your help. Please test PyPI and let us know what works and 
doesn't work for you. Please let us know of third-party services that should 
get a heads-up about the changeover.[20] And please consider joining us and 
hacking on Warehouse.[21] We have 16 open good first issues.[22]

Thanks to Mozilla for their support for the PyPI & Warehouse work, and thanks 
to the PSF for facilitating it!

[0] https://wiki.python.org/psf/WarehouseRoadmap
[1] https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
[2] 
https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/
[3] https://github.com/pypa/warehouse/issues/2935
[4] https://us.pycon.org/2018/schedule/presentation/148/
[5] https://us.pycon.org/2018/community/sprints/
[6] https://ep2018.europython.eu/
[7] https://github.com/cabotage/cabotage-app
[8] https://twitter.com/nlhkabu/status/969644629644730368
[9] Several commits necessary, including: 
https://github.com/pypa/warehouse/pull/3113, 
https://github.com/pypa/warehouse/pull/3099, 
https://github.com/pypa/warehouse/pull/3102, 
https://github.com/pypa/packaging/commits?author=di=2018-02-01T05:00:00Z=2018-03-01T05:00:00Z
[10] https://github.com/pypa/python-packaging-user-guide/pull/429
[11] 
https://github.com/pypa/pypi-legacy/commits?author=ewdurbin=2018-02-27T05:00:00Z=2018-03-08T05:00:00Z
[12] https://github.com/pypa/warehouse/pull/3128
[13] https://github.com/pypa/warehouse/pull/3130
[14] https://github.com/pypa/warehouse/pull/3136
[15] https://github.com/pypa/warehouse/issues/3143
[16] https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/
[17] https://wiki.python.org/psf/PackagingWG/2018-03-06-Warehouse
[18] https://github.com/pypa/warehouse/projects/1
[19] ht

Re: [Distutils] Twine 1.10.0rc1 on Test PyPI

2018-03-04 Thread Sumana Harihareswara

My current guess is that if the RC were on https://pypi.org, rather than
https://test.pypi.org, Travis would be able to grab it using PIP_PRE.
-Sumana

On 03/03/2018 03:09 PM, Cosimo Lupo wrote:
> Maybe you could try writing a pip configuration file in 
> $HOME/.config/pip/pip.conf (or /etc/pip.conf). Travis dpl must be using pip 
> to download twine, and pip should be able to look there for a `pre` option.
> (I just guess, haven’t tried myself)
> 
> --
> 
> 
> Cosimo
> 
> Il 3 mar 2018, 18:30 +, Jason R. Coombs <jar...@jaraco.com>, ha scritto:
>> I tried but as you can see in this job, the environment variables aren’t 
>> honored, so it seems I cannot test a twine release in Travis. At this point, 
>> I think I’ll just wait for the official release.
>>
>>> On 3 Mar, 2018, at 11:17, Jason R. Coombs <jar...@jaraco.com> wrote:
>>>
>>> This sender failed our fraud detection checks and may not be who they 
>>> appear to be. Learn about spoofing
>>> Feedback
>>> Thanks for working on this!
>>>
>>> In my particular use-case, I rarely run twine myself, but instead rely on 
>>> the Travis-CI DPL routine. Looking at that code, I don’t see any means I 
>>> have to test a pre-release version.
>>>
>>> Given the presumably broad impact this one use-case has, it would be nice 
>>> if there were a way to test it against pre-release versions of twine (and 
>>> maybe also wheel, pip, and setuptools). Perhaps it would be worthwhile to 
>>> propose a hook to that project to enable the versions of those projects to 
>>> be specified for selective testing.
>>>
>>> Oh, I just had an idea - perhaps one could set the PIP_PRE environment 
>>> variable and that would affect the install and allow the pre-release to be 
>>> tested. I’ll give that a go.
>>>
>>>> On 3 Mar, 2018, at 11:06, Sumana Harihareswara <s...@changeset.nyc> wrote:
>>>>
>>>> Wrong URL (did I mention I'm new at this?). View 1.10.0rc1, including a
>>>> fairly spiffy new README, at:
>>>> https://test.pypi.org/project/twine/1.10.0rc1/ -- and please pass word
>>>> along to our downstreams.
>>>>
>>>> -Sumana
>>>>
>>>> On 03/02/2018 05:32 PM, Sumana Harihareswara wrote:
>>>>> (So it turns out I've taken on a volunteer gig, which is that I'm now
>>>>> one of the Twine maintainers. I may be wrong about how to do this -
>>>>> please feel free to comment on https://github.com/pypa/twine/pull/314
>>>>> which is where I'm pulling together a new release checklist for myself.)
>>>>>
>>>>> https://test.pypi.org/manage/project/twine/release/1.10.0rc1/
>>>>>
>>>>> This is a release candidate for Twine 1.10.0 which I'm planning to
>>>>> release early next week.
>>>>>
>>>>> This release improves project registration usage text (in some cases
>>>>> removing it where inapplicable), and updates `--repository[-url]` usage
>>>>> text, prints progress to `stdout` instead of `stderr`, improves the
>>>>> progressbar, and reorganizes and improves user and developer 
>>>>> documentation.
>>>>>
>>>>> Please see the changelog
>>>>> https://twine.readthedocs.io/en/latest/changelog.html for detailed notes
>>>>> under "Next feature release".
>>>>>
>>>>> I believe this is how you test it out:
>>>>>
>>>>>  pip install --upgrade --pre --index-url https://test.pypi.org/simple/
>>>>> --extra-index-url https://pypi.org/simple twine
>>>>>
>>>>> Please check existing open issues at
>>>>> https://github.com/pypa/twine/issues and open new ones if you have
>>>>> problems. Thanks!
>>>>
>>>>
>>>> --
>>>> Sumana Harihareswara
>>>> Changeset Consulting
>>>> https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Twine 1.10.0rc1 on Test PyPI

2018-03-03 Thread Sumana Harihareswara

Wrong URL (did I mention I'm new at this?). View 1.10.0rc1, including a
fairly spiffy new README, at:
https://test.pypi.org/project/twine/1.10.0rc1/ -- and please pass word
along to our downstreams.

-Sumana

On 03/02/2018 05:32 PM, Sumana Harihareswara wrote:
> (So it turns out I've taken on a volunteer gig, which is that I'm now
> one of the Twine maintainers. I may be wrong about how to do this -
> please feel free to comment on https://github.com/pypa/twine/pull/314
> which is where I'm pulling together a new release checklist for myself.)
> 
> https://test.pypi.org/manage/project/twine/release/1.10.0rc1/
> 
> This is a release candidate for Twine 1.10.0 which I'm planning to
> release early next week.
> 
> This release improves project registration usage text (in some cases
> removing it where inapplicable), and updates `--repository[-url]` usage
> text, prints progress to `stdout` instead of `stderr`, improves the
> progressbar, and reorganizes and improves user and developer documentation.
> 
> Please see the changelog
> https://twine.readthedocs.io/en/latest/changelog.html for detailed notes
> under "Next feature release".
> 
> I believe this is how you test it out:
> 
>   pip install --upgrade --pre --index-url https://test.pypi.org/simple/
> --extra-index-url https://pypi.org/simple twine
> 
> Please check existing open issues at
> https://github.com/pypa/twine/issues and open new ones if you have
> problems. Thanks!


-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Twine 1.10.0rc1 on Test PyPI

2018-03-02 Thread Sumana Harihareswara

(So it turns out I've taken on a volunteer gig, which is that I'm now
one of the Twine maintainers. I may be wrong about how to do this -
please feel free to comment on https://github.com/pypa/twine/pull/314
which is where I'm pulling together a new release checklist for myself.)

https://test.pypi.org/manage/project/twine/release/1.10.0rc1/

This is a release candidate for Twine 1.10.0 which I'm planning to
release early next week.

This release improves project registration usage text (in some cases
removing it where inapplicable), and updates `--repository[-url]` usage
text, prints progress to `stdout` instead of `stderr`, improves the
progressbar, and reorganizes and improves user and developer documentation.

Please see the changelog
https://twine.readthedocs.io/en/latest/changelog.html for detailed notes
under "Next feature release".

I believe this is how you test it out:

  pip install --upgrade --pre --index-url https://test.pypi.org/simple/
--extra-index-url https://pypi.org/simple twine

Please check existing open issues at
https://github.com/pypa/twine/issues and open new ones if you have
problems. Thanks!

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Warehouse testing livechat/office hours in IRC today

2018-03-01 Thread Sumana Harihareswara

In about 5 minutes in #pypa-dev on Freenode, the maintainers of the new
PyPI pypi.org want to hear about any problems Python package maintainers
are having with it, and help you learn to hack on Warehouse. We're
holding a livechat/office hour; please drop in:
https://webchat.freenode.net/?channels=#pypa-dev

There'll be another one in a few hours. Timings:

Thursday March 1st: 1700 UTC / noon-1pm EST

Thursday March 1st: 2300 UTC / 6pm-7pm EST

The PSF blog post
https://pyfound.blogspot.com/2018/02/python-package-maintainers-help-test.html
has more info.

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] merger versus separation of publishing and download tools

2018-02-28 Thread Sumana Harihareswara

I figured folks here would want to know that there's an ongoing
discussion of the distinction between `pip` and `twine`, and related
topics (should publishing tools be separate from download/consumption
tools?), in:

https://github.com/pypa/packaging-problems/issues/60

I don't want to break up the conversation into different threads, one
here and one on GitHub,so please consider this a pointer rather than a
fork of the conversation. :)
-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Warehouse update: a week of testing, polish, & infrastructure

2018-02-27 Thread Sumana Harihareswara

This week we're publicizing pypi.org to package maintainers and asking
them/you to test it, and to spread the word to other package maintainers
you know.[1][2]

And we're probably within two or three weeks of the big public beta,
given the existing open Warehouse issues in the next milestone,[3] the
new issues we'll open based on user testing this week, and the
infrastructure work in play. You can learn more in our weekly meeting
notes.[4]

We've been doing lots of performance and memory consumption work as we
harden our infrastructure and codebase to make them production-ready,
lots of polish as we get more testers and get their feedback.Examples:

   * reduce columns pulled for main project view in admin[5]
   * Guard against all tuples in metadata upload[6]
   * Add table style to project description, clean up titles[7]
   * Add SQLAlchemy error fix to troubleshooting docs[8]
   * Update PyPI migration info in packaging guide[9]

And thanks to volunteers:

* alex for "Don't install g++ from a PPA in travis"[10]
* wasim for "Added help entry for File already exists error"[11]
* HndrkMkt for "Redirect authenticated user from reset pw pages to
index"[12]

Our infrastructure work included more improvements to cabotage[13] --
see Ernest's demo[14]:

> It’s super rough… but here’s first light of an end to end deployment
on this thing I been building.  still plenty of work to do, but already
chock full of automated end-to-end TLS, secure storage of secrets with
Vault, a bucket of Kubernetes, enough docker to make your head spin...

And our infrastructure work included a restart of Nicole's user testing,
both with the broad publicity to package maintainers and with Nicole
leading folks through one-on-one exercises and data-gathering sessions.
More about Nicole's current design process is in her blog update.[15]

Some issue discussion this week that you might find relevant:

* Which 3rd party services should we contact about the new pypi.org
domain?[16]
* APIs/feeds issues got a bit more sorted[17] -- and if there's
anything you need in our API docs[18] that isn't in there, please let us
know.
* What should we show as the default search result on
https://pypi.org/search/ ?[19]
* What do new developers need in architecture documentation?[20]
* Should we rename the "/legacy" URL?[21]

As usual, you can get an overview of Warehouse development at our GitHub
rollout board[22] And if you want to help out, this week, please do test
the site, come to our IRC livechat hours, and spread the word.

Thanks to Mozilla for their support for the PyPI & Warehouse work, and
thanks to the Python Software Foundation for coordinating it![23][24]


[1]
https://pyfound.blogspot.com/2018/02/python-package-maintainers-help-test.html
[2]
https://wiki.python.org/psf/WarehousePackageMaintainerTesting#IRC_livechat_hours
[3] https://github.com/pypa/warehouse/milestone/10
[4] https://wiki.python.org/psf/PackagingWG/2018-02-26-Warehouse
[5] https://github.com/pypa/warehouse/pull/3043
[6] https://github.com/pypa/warehouse/pull/3049
[7] https://github.com/pypa/warehouse/pull/3040
[8] https://github.com/pypa/warehouse/pull/3048
[9] https://github.com/pypa/python-packaging-user-guide/pull/439
[10] https://github.com/pypa/warehouse/pull/3037
[11] https://github.com/pypa/warehouse/pull/2997
[12] https://github.com/pypa/warehouse/pull/2988
[13] https://github.com/cabotage/cabotage-app
[14] https://twitter.com/EWDurbin/status/968315460101042176
[15]
http://whoisnicoleharris.com/2015/12/31/designing-warehouse-an-overview.html#update-27th-feb-2018
[16] https://github.com/pypa/warehouse/issues/2935
[17]
https://github.com/pypa/warehouse/issues?q=is%3Aissue+sort%3Aupdated-desc+label%3AAPIs%2Ffeeds
[18] https://warehouse.readthedocs.io/api-reference/
[19] https://github.com/pypa/warehouse/issues/3062
[20] https://github.com/pypa/warehouse/issues/2794
[21] https://github.com/pypa/warehouse/issues/2285
[22] https://github.com/pypa/warehouse/projects/1
[23]
https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
[24]
https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Package maintainers, please help test PyPI

2018-02-26 Thread Sumana Harihareswara

The Warehouse team has improved the new PyPI, available for you to check
out at https://pypi.org/ , to the point where we would love for package
maintainers to try it out, test it, and give us bug reports.

https://wiki.python.org/psf/WarehousePackageMaintainerTesting has
guidelines, things to test (like user registration and project removal),
and how to contact Warehouse developers.

We're hosting four livechat hours this week where Warehouse maintainers
will be in IRC, in #pypa-dev on Freenode
https://webchat.freenode.net/?channels=#pypa-dev , and specifically
available to talk about problems you run into, or about how to hack on
Warehouse.

Tuesday Feb 27th: 1700 UTC / noon-1pm EST

Tuesday Feb 27th: 2300 UTC / 6pm-7pm EST

Thursday March 1st: 1700 UTC / noon-1pm EST

Thursday March 1st: 2300 UTC / 6pm-7pm EST


This isn't the big public beta yet, where we really push the message
widely to get non-package-maintainer users to test the site. Since
Warehouse must be a reimplementation of the existing PyPI, please focus
initially on any differences, missing features, or incorrect behavior
that pypi.org exhibits that affect your workflows for account management
and package maintainership. We'll be soliciting feedback on other
concerns soon! Feedback on user experience, accessibility, and overall
ease of use are welcome.

Thanks,
-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Fwd: Warehouse: essential maintainer features & next steps

2018-02-21 Thread Sumana Harihareswara

Forwarding from pypa-dev.

 Forwarded Message 
Subject: Warehouse: essential maintainer features & next steps
Date: Wed, 21 Feb 2018 16:29:31 -0500
From: Sumana Harihareswara <s...@changeset.nyc>
To: pypa-dev <pypa-...@googlegroups.com>

The big Warehouse news: we're now at the Maintainer Minimum Viable
Product milestone! To quote our roadmap[0]:

> give package maintainers a solid chance to try out Warehouse and report 
> critical bugs early

So we've started asking some package maintainers to test pypi.org, and
probably later this week we'll broadcast that announcement and request
more widely. Depending on the bugs we find as we reach out to project
maintainers, and on some infrastructure work, we may hit Milestone 2
next week, which means we'd reach out to a lot of non-package-maintainer
users, and start redirecting a portion of `pip` traffic to Warehouse.
More on that in our weekly meeting notes.[1]

Our team improved or added email management, account management
including deletion, better password management and email confirmation of
changed passwords to Warehouse last week.[2] We also continued to
improve developer documentation[3] and API docs[4]. And we continued our
cabotage work[5] and worked on some further improvements to Twine
documentation.[6]

I also want to highlight some work that Ernest W. Durbin III and Dustin
Ingram have done on their own time, as volunteers, that help PyPI.
Dustin's continuing work[7] on PEP 566[8] moves us closer to Markdown
support for README files[9]. And Ernest put a BUNCH of time into
spam-fighting on PyPI this past weekend. Thank you both.

Thanks to Volcyy, waseem18, alanbato, zooba, alex, and HndrkMkt for
their pull requests which we merged in the last week![10]

In the past month, Warehouse has merged 72 pull requests from 11
distinct authors (excluding pyup-bot), and has closed 63 issues (and
opened only 26 new ones).[11][12] We have 3 remaining issues between us
and the next milestone (the End User MVP), and then ten more issues till
we widely publicize the beta.[13]

So, we're chugging along.

What you can do:

You can help improve Warehouse; we have seven open "good first
contribution" issues[14] and a guide to getting started[15]. Ernest
wants to help you dive in, and to give you stickers, and has 30-minute
1:1 slots available.[16]

Please watch your email for a "hey please help us test" email to this
very mailing list. Please file general packaging and distribution
confusions, peeves, and suggestions in the packaging-problems issue
repo.[17]

Thanks to Mozilla's Open Source Support grant for funding this PyPI &
Warehouse work![18][19]

[0] https://wiki.python.org/psf/WarehouseRoadmap
[1] https://wiki.python.org/psf/PackagingWG/2018-02-20-Warehouse
[2] https://github.com/pypa/warehouse/milestone/8?closed=1
[3] https://warehouse.readthedocs.io/application/
[4] https://warehouse.readthedocs.io/api-reference/
[5] https://github.com/cabotage/cabotage-app/commits/master
[6] https://github.com/pypa/twine/pull/297
[7]
https://mail.python.org/pipermail/distutils-sig/2018-February/031997.html
[8] https://www.python.org/dev/peps/pep-0566/
[9] https://github.com/pypa/warehouse/issues/869
[10]
https://github.com/pypa/warehouse/pulls?utf8=%E2%9C%93=2948+2971+2975+2968+2984+2922+2985+2919+2917
[11] https://github.com/pypa/warehouse/pulse/monthly
[12]
https://github.com/pypa/warehouse/pulls?utf8=%E2%9C%93=is%3Apr+is%3Amerged+-author%3Apyup-bot+updated%3A%3E%3D2018-01-20+sort%3Aupdated-asc+
[13] https://github.com/pypa/warehouse/milestones
[14]
https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22
[15] https://warehouse.readthedocs.io/development/getting-started/
[16] https://twitter.com/EWDurbin/status/955415184339849217
[17] https://github.com/pypa/packaging-problems
[18]
https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
[19]
https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Fwd: Warehouse: package manager features & question about advertising

2018-02-13 Thread Sumana Harihareswara

Forwarded from pypa-dev
https://groups.google.com/forum/#!topic/pypa-dev/xQb5RvDb5rc - the
weekly Warehouse update.


 Forwarded Message 
Subject: Warehouse: package manager features & question about advertising
Date: Tue, 13 Feb 2018 23:15:10 -0500
From: Sumana Harihareswara <s...@changeset.nyc>

Here's your weekly update on Warehouse, powering the new PyPI.[0]

Perhaps the biggest news is that the pace of our progress is making us
optimistic; we expect to finish all the issues in the first milestone
next week, which means Warehouse will have all the essential features
package maintainers need.[1] When we get there, we'll be asking some
active maintainers to take some time and poke at the site (in the
browser and using the APIs) to let us know of any bugs or confusion.

In the past week, we've made a ton of progress on, for instance, viewing
releases[2] and managing user emails.[3] You can try those out right now
at the pre-production site.[4] And the PyPI footer has various policies
properly linked in the footer now -- thanks for your advice, PSF![5]
Plus, a fix to human-friendly time indicators.[6]

Also: Ever wonder how Twine is structured?[7] How does core metadata
with multiple email addresses look?[8] And we continued our work on
making our credentials handling for Kubernetes more robust.[9]

Part of our work is setting up Warehouse on a good foundation for future
work, so we spent some time sorting out stuff like: what API
documentation do we need?[10] There's a new GitHub label for issues that
ask: what APIs do we need?[11] And we restarted the discussion: How much
work should we put into Warehouse localisation?[12]

Luke Sneeringer volunteered to work on two-factor auth and PyPI API
keys, which is great![13]

As usual, the notes from our weekly meeting are on the Packaging Working
Group wiki.[14] We've also introduced an overview of Warehouse's
near-term progress using the GitHub "Projects" feature[15], in case you
want to see what we're working on and what's next in a bit more detail
than the roadmap.[16]

Folks who want to help: we have several good first contribution
issues[17] and a guide to getting started[18]. Also, as we prepare for
future publicity pushes, please let me know (replying offlist is
probably best): where should we advertise to reach occasional and
non-Anglophone programmers?[19]

Thanks to Mozilla and the PSF for their support for the PyPI & Warehouse
work![20][21]


[0] https://github.com/pypa/warehouse/
[1] https://github.com/pypa/warehouse/milestone/8
[2] https://github.com/pypa/warehouse/pull/2879
[3] https://github.com/pypa/warehouse/pull/2904
[4] https://pypi.org/
[5] https://github.com/pypa/warehouse/issues/1989
[6] https://github.com/pypa/warehouse/pull/2924
[7] https://github.com/pypa/twine/pull/296
[8] https://github.com/pypa/python-packaging-user-guide/pull/429
[9] https://github.com/cabotage/cabotage-app/commits/master
[10] https://github.com/pypa/warehouse/issues/2913
[11] https://github.com/pypa/warehouse/labels/APIs%2Ffeeds
[12] https://github.com/pypa/warehouse/issues/1453
[13] https://github.com/pypa/warehouse/issues/994
[14] https://wiki.python.org/psf/PackagingWG/2018-02-12-Warehouse
[15] https://github.com/pypa/warehouse/projects/1
[16] https://wiki.python.org/psf/WarehouseRoadmap
[17]
https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22
[18] https://warehouse.readthedocs.io/development/getting-started/
[19]
https://ask.metafilter.com/319055/How-do-I-reach-occasional-and-non-Anglophone-Python-programmers
[20]
https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
[21]
https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc

___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

Re: [Distutils] Packaging/Warehouse sprint at PyCon 2018

2018-02-13 Thread Sumana Harihareswara

Reminder: this Thursday, Feb. 15th, is the last day to request financial
aid to attend PyCon https://us.pycon.org/2018/financial-assistance/ and
thus the sprints. If money's a reason you're assuming you can't come
join us and improve Warehouse and other Python packaging/distribution
tools, I hope you'll apply for financial assistance.

On 01/30/2018 01:39 PM, Sumana Harihareswara wrote:
> In case you're planning your PyCon Cleveland travel: we are planning to
> hold a Warehouse/packaging sprint at PyCon (the sprints are Monday, May
> 14th - Thursday, May 17th 2018).
> 
> We welcome package maintainers, backend and frontend web developers,
> infrastructure administrators, technical writers, and testers to help us
> make the new PyPI, and the packaging ecosystem more generally, as usable
> and robust as possible. I took the liberty of updating
> https://us.pycon.org/2018/community/sprints/ to say so.
> 
> Once we're closer to the sprints I'll work on a more detailed list of
> things we'll work on in Cleveland.
> 

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Fwd: Warehouse update: still on track, new features

2018-02-06 Thread Sumana Harihareswara

Our weekly Warehouse update just went out to pypa-dev and is included below.


 Forwarded Message 
Subject: Warehouse update: still on track, new features
Date: Tue, 6 Feb 2018 22:09:12 -0500
From: Sumana Harihareswara <s...@changeset.nyc>
To: pypa-dev <pypa-...@googlegroups.com>

Here's your weekly update on Warehouse, powering the new PyPI.[0]

You can see some noticeable improvements to Warehouse right now compared
to last week. There's a mobile UI for managing projects[1], and a
project owner can now delete a project.[2] We also have several CSS
tweaks and other continuing design improvements -- we're lucky to be
working with Nicole on this.[3] Less visibly, we have further Kubernetes
security work by Ernest in cabotage[4] and Dustin's work on a generic
token service[5].

We're still on track to hit the Maintainer MVP milestone at the end of
this month.[6] On the documentation and outreach side, Laura and I have
been preparing to contact very active maintainers when we hit that
milestone, and we've been improving the packaging user guide,[7] and
working a bit on Twine (e.g., documentation for using python-keyring
with Twine to avoid having to use a .pypirc).[8]

Thanks to Jon Wayne Parrott for fixing an issue Dustin spotted[9] so
that pypa.io gets fresh updates again.[10]

In PEP progress, PEP 541 is moving forward again, with a pull request
for a change in BDFL-Delegate.[11]

As usual, meeting notes from our weekly discussion are on the wiki.[12]

And if you want to get started contributing to Warehouse, Ernest wants
to help you and give you stickers, and has 30-minute 1:1 slots
available.[13] Right now we have eleven open issues marked as good for
newcomers.[14]

Thanks to Mozilla for their support for the PyPI & Warehouse work, and
thanks to the PSF for facilitating and supporting this work![15][16]


[0] https://pypi.org/
[1] https://github.com/pypa/warehouse/pull/2865
[2] https://github.com/pypa/warehouse/pull/2821
[3] http://whoisnicoleharris.com/warehouse/
[4] https://github.com/cabotage/cabotage-app/commits/master
[5] https://github.com/pypa/warehouse/pull/2864
[6] https://github.com/pypa/warehouse/milestone/8
[7] https://github.com/pypa/python-packaging-user-guide/pull/426
[8]
https://github.com/pypa/python-packaging-user-guide/issues/297#issuecomment-362426940
[9] https://groups.google.com/forum/#!topic/pypa-dev/jzXR3A3E-dw
[10] https://www.pypa.io/en/latest/roadmap/
[11] https://github.com/python/peps/pull/566
[12] https://wiki.python.org/psf/PackagingWG/2018-02-05-Warehouse
[13] https://twitter.com/EWDurbin/status/955415184339849217
[14]
https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22
[15]
https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
[16]
https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Fwd: Warehouse update: Estimate for 1st milestone, new announce list

2018-01-30 Thread Sumana Harihareswara

Our weekly Warehouse update just went out to pypa-dev:
https://groups.google.com/forum/#!topic/pypa-dev/es_-fC-sdpk  and is
included below.

 Forwarded Message 
Subject: Warehouse update: Estimate for 1st milestone, new announce list
Date: Tue, 30 Jan 2018 14:33:36 -0500
From: Sumana Harihareswara <s...@changeset.nyc>
To: pypa-...@googlegroups.com

The big news in Warehouse world is that we tentatively believe we can
get our first milestone[0] out by the end of February. So around then
you can expect emails and other announcements asking package maintainers
to test pypi.org and give us bug reports.

Speaking of announcements, we now have a new PyPI-announce mailing
list.[1] I encourage you to subscribe. It'll be low-traffic and we'll
only post there with major PyPI news.

Ernest is nearing the end of his concentration on infrastructure work,
especially on Cabotage[2] which helps manage our Kubernetes security.[3]
Nicole and Dustin are steadily finishing views and design for maintainer
features (e.g., project edit button[4]). And Laura and Sumana are
preparing for the publicity push around the Maintainer MVP, and have
improved some docs to improve developer experience (e.g., twine[5],
Warehouse testing instructions[6], and the PyPA roadmap[7]).

Details are in our meeting notes from yesterday.[8]

Thanks alanbato for improving Warehouse's error messages![9] If you want
to get started contributing to Warehouse, Ernest wants to help you and
give you stickers, and has 30-minute 1:1 slots available.[10]

Thanks to Mozilla for their support for the PyPI & Warehouse work![11]

[0] https://github.com/pypa/warehouse/milestone/8
[1] https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/
[2] https://github.com/cabotage/cabotage-app
[3] https://github.com/python/pypi-infra/pull/3
[4] https://github.com/pypa/warehouse/pull/2823
[5] https://github.com/pypa/twine/pull/292
[6] https://github.com/pypa/warehouse/pull/2758
[7] https://github.com/pypa/pypa.io/pull/23
[8] https://wiki.python.org/psf/PackagingWG/2018-01-29-Warehouse
[9] https://github.com/pypa/warehouse/pull/2767
[10] https://twitter.com/EWDurbin/status/955415184339849217
[11]
https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc

___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

[Distutils] Packaging/Warehouse sprint at PyCon 2018

2018-01-30 Thread Sumana Harihareswara

In case you're planning your PyCon Cleveland travel: we are planning to
hold a Warehouse/packaging sprint at PyCon (the sprints are Monday, May
14th - Thursday, May 17th 2018).

We welcome package maintainers, backend and frontend web developers,
infrastructure administrators, technical writers, and testers to help us
make the new PyPI, and the packaging ecosystem more generally, as usable
and robust as possible. I took the liberty of updating
https://us.pycon.org/2018/community/sprints/ to say so.

Once we're closer to the sprints I'll work on a more detailed list of
things we'll work on in Cleveland.
-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig

1 2 >

1 - 100 of 109 matches

Mail list logo