Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-14 Thread Nick Coghlan
On Wed, Mar 13, 2013 at 1:23 AM, M.-A. Lemburg m...@egenix.com wrote: On 13.03.2013 07:28, Nick Coghlan wrote: On Tue, Mar 12, 2013 at 12:59 PM, M.-A. Lemburg m...@egenix.com wrote: I think we should establish a versioned API like that for PyPI to make progress easier. All major web APIs use

Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-14 Thread Nick Coghlan
On Wed, Mar 13, 2013 at 11:19 PM, Nick Coghlan ncogh...@gmail.com wrote: On Wed, Mar 13, 2013 at 1:23 AM, M.-A. Lemburg m...@egenix.com wrote: On 13.03.2013 07:28, Nick Coghlan wrote: On Tue, Mar 12, 2013 at 12:59 PM, M.-A. Lemburg m...@egenix.com wrote: I think we should establish a versioned

Re: [Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

2013-03-14 Thread Nick Coghlan
On Wed, Mar 13, 2013 at 5:16 PM, Carl Meyer c...@oddbird.net wrote: There is no instead of. There are parallel proposals (see the TUF thread) to improve the security of the ecosystem, and those proposals are not mutually exclusive with this one. If you search the PEP text, note that you don't

Re: [Catalog-sig] A modest proposal for securing PyPI with TUF

2013-03-14 Thread Trishank Karthik Kuppusamy
On 3/14/13 3:03 AM, Nick Coghlan wrote: I think what you currently propose (signing the metadata pip already understands) is a good first step, especially if we can have PyPI signing *all* the target metadata in the initial deployment, and defer the delegation to package developers until the

Re: [Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

2013-03-14 Thread holger krekel
On Wed, Mar 13, 2013 at 23:43 -0700, Nick Coghlan wrote: On Wed, Mar 13, 2013 at 5:16 PM, Carl Meyer c...@oddbird.net wrote: There is no instead of. There are parallel proposals (see the TUF thread) to improve the security of the ecosystem, and those proposals are not mutually exclusive

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-14 Thread M.-A. Lemburg
On 12.03.2013 22:26, PJ Eby wrote: On Tue, Mar 12, 2013 at 3:59 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 19:15, M.-A. Lemburg wrote: I've run into a weird issue with easy_install, that I'm trying to solve: If I place two files named egenix_mxodbc_connect_client-2.0.2-py2.6.egg

Re: [Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

2013-03-14 Thread Trishank Karthik Kuppusamy
On 3/14/13 4:58 AM, holger krekel wrote: I haven't followed the latest TUF discussions and related docs in depths yet but if those developments will regard simple/ as a deprecated interface, i think this PEP here should maybe not introduce simple/-with-externals as it will just make the

Re: [Catalog-sig] Packaging Distribution Mini-Summit at PyCon US

2013-03-14 Thread Jim Fulton
On Thu, Feb 7, 2013 at 10:19 AM, Jim Fulton j...@zope.com wrote: On Wed, Feb 6, 2013 at 3:15 AM, Nick Coghlan ncogh...@gmail.com wrote: As folks may be aware, I am moderating a panel called Directions in Packaging on the Saturday afternoon at PyCon US. Before that though, I am also organising

Re: [Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

2013-03-14 Thread Justin Cappos
Maybe a different way to say it is that the current TUF integration doc assumes that it is desirable to make minimal change to PyPI's layout and pip, easy_install, etc. while adding security. We made several choices based upon this assumption, including using and retaining the /simple dir. If

Re: [Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

2013-03-14 Thread Nick Coghlan
On Thu, Mar 14, 2013 at 7:13 AM, Justin Cappos jcap...@poly.edu wrote: Maybe a different way to say it is that the current TUF integration doc assumes that it is desirable to make minimal change to PyPI's layout and pip, easy_install, etc. while adding security. We made several choices based

Re: [Catalog-sig] Publishing metadata (was: V2 pre-PEP: transitioning to release file hosting on PYPI)

2013-03-14 Thread Nick Coghlan
On Thu, Mar 14, 2013 at 12:54 AM, M.-A. Lemburg m...@egenix.com wrote: The index itself is just a bag of things and, as such, one that's very well suited to publish data, since it can easily be exposed in form of static files, which can be put on a CDNs or mirrored using rsync. The TUF

Re: [Catalog-sig] A modest proposal for securing PyPI with TUF

2013-03-14 Thread Justin Cappos
Yes, Nick's suggestions are good ones. I'd agree that getting an initial deployment together that doesn't include things like custom metadata is probably for the best. We can certainly add things incrementally. Thanks, Justin On Thu, Mar 14, 2013 at 3:21 AM, Trishank Karthik Kuppusamy

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-14 Thread PJ Eby
On Thu, Mar 14, 2013 at 6:07 AM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 22:26, PJ Eby wrote: On Tue, Mar 12, 2013 at 3:59 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 19:15, M.-A. Lemburg wrote: I've run into a weird issue with easy_install, that I'm trying to solve: If

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-14 Thread M.-A. Lemburg
On 14.03.2013 17:39, PJ Eby wrote: On Thu, Mar 14, 2013 at 6:07 AM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 22:26, PJ Eby wrote: On Tue, Mar 12, 2013 at 3:59 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 19:15, M.-A. Lemburg wrote: I've run into a weird issue with

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-14 Thread PJ Eby
On Thu, Mar 14, 2013 at 2:11 PM, M.-A. Lemburg m...@egenix.com wrote: Is there any way to have 0.13.1.1.0.1.5-something sort before 0.13.1.1.0.1.5 ? (e.g. like is done for release candidates) Make it 0.13.1.1.0.1.5-devsomething, and it'll have lower precedence than both 0.13.1.1.0.1.5 and
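Added example, not part of the thread and not code from setuptools: a small reimplementation of the legacy (pre-PEP 440) pkg_resources version-sorting rules as I recall them (digit runs padded for numeric comparison, letter tags prefixed with '*', 'rc'/'pre'/'preview' mapped to 'c', 'dev' mapped to '@', a '-' separator mapped to 'final-', trailing zeros dropped, '*final' appended), used to check the ordering PJ Eby describes. The exact token map and the '*final' sentinel are assumptions about the old algorithm; the 'rc1' version string is constructed for the demonstration, the others are the ones from the message.

```python
import re

# Tokeniser: runs of digits, runs of letters, '.' and '-'.
# Assumption: modelled on the legacy pkg_resources tokeniser, not copied from it.
_component_re = re.compile(r'(\d+ | [a-z]+ | \.| -)', re.VERBOSE)

# Spellings normalised before comparison.  '-' becomes 'final-', which sorts
# after 'final'; 'dev' becomes '@', which sorts before any letter.
_replace = {'pre': 'c', 'preview': 'c', '-': 'final-', 'rc': 'c', 'dev': '@'}.get


def _parse_version_parts(s):
    """Yield comparable parts: zero-padded numbers, '*'-prefixed tags, then '*final'."""
    for part in _component_re.split(s):
        part = _replace(part, part)
        if not part or part == '.':
            continue
        if part[:1] in '0123456789':
            yield part.zfill(8)       # pad so '5' < '13' compares numerically
        else:
            yield '*' + part          # tags compare as strings against '*final'
    yield '*final'                    # a bare release sorts after its pre-releases


def parse_version(s):
    """Return a tuple that orders version strings like the legacy algorithm."""
    parts = []
    for part in _parse_version_parts(s.lower()):
        if part.startswith('*'):
            if part < '*final':
                # a pre-release tag cancels a preceding '-' separator
                while parts and parts[-1] == '*final-':
                    parts.pop()
            # trailing zeros in a numeric run do not change the ordering (1.0 == 1)
            while parts and parts[-1] == '00000000':
                parts.pop()
        parts.append(part)
    return tuple(parts)


def is_prerelease(s):
    """True if any tag in s sorts before 'final' (dev, rc, c, pre, alpha, beta ...)."""
    return any(p.startswith('*') and p < '*final' for p in parse_version(s))


def sort_versions(versions):
    """Order version strings lowest to highest under parse_version."""
    return sorted(versions, key=parse_version)


if __name__ == '__main__':
    base = '0.13.1.1.0.1.5'
    # '-devsomething' is tokenised as one letter run 'devsomething'; it still
    # sorts before '*final' because 'd' < 'f', so it is a pre-release tag.
    for v in sort_versions([base + '-something', base, base + '-devsomething', base + 'rc1']):
        print(v, 'prerelease' if is_prerelease(v) else 'release')
```

The ordering that results (rc1, then -devsomething, then the bare release, then -something) is the one the message describes: a '-something' suffix sorts above the bare release, while prefixing it with 'dev' pushes it below both.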