Re: [Catalog-sig] API for uploading packages to PyPI

2013-03-23 Thread M.-A. Lemburg
On 22.03.2013 23:33, anatoly techtonik wrote: On Fri, Mar 22, 2013 at 4:17 PM, M.-A. Lemburg m...@egenix.com wrote: On 22.03.2013 13:38, anatoly techtonik wrote: On Fri, Mar 22, 2013 at 3:26 PM, M.-A. Lemburg m...@egenix.com wrote: On 22.03.2013 13:20, anatoly techtonik wrote: On Fri, Mar

Re: [Catalog-sig] API for uploading packages to PyPI

2013-03-22 Thread M.-A. Lemburg
On 22.03.2013 10:04, Ronald Oussoren wrote: On 22 Mar, 2013, at 9:58, anatoly techtonik techto...@gmail.com wrote: Some links are broken. I added redirects for wiki pages, but it will be better to fix links too. The OAuth link appears to be broken, and that's likely part of the fallout of

Re: [Catalog-sig] API for uploading packages to PyPI

2013-03-22 Thread M.-A. Lemburg
On 22.03.2013 10:14, M.-A. Lemburg wrote: On 22.03.2013 10:04, Ronald Oussoren wrote: On 22 Mar, 2013, at 9:58, anatoly techtonik techto...@gmail.com wrote: Some links are broken. I added redirects for wiki pages, but it will be better to fix links too. The OAuth link appears to be broken

Re: [Catalog-sig] API for uploading packages to PyPI

2013-03-22 Thread M.-A. Lemburg
On 22.03.2013 09:58, anatoly techtonik wrote: On Fri, Mar 22, 2013 at 11:16 AM, Ronald Oussoren ronaldousso...@mac.com wrote: On 22 Mar, 2013, at 8:37, anatoly techtonik techto...@gmail.com wrote: Hi, I understand that this will make PyPI a potential target for automated spam bots, but

Re: [Catalog-sig] API for uploading packages to PyPI

2013-03-22 Thread M.-A. Lemburg
On 22.03.2013 10:16, M.-A. Lemburg wrote: On 22.03.2013 10:14, M.-A. Lemburg wrote: On 22.03.2013 10:04, Ronald Oussoren wrote: On 22 Mar, 2013, at 9:58, anatoly techtonik techto...@gmail.com wrote: Some links are broken. I added redirects for wiki pages, but it will be better to fix

Re: [Catalog-sig] API for uploading packages to PyPI

2013-03-22 Thread M.-A. Lemburg
On 22.03.2013 11:25, anatoly techtonik wrote: On Fri, Mar 22, 2013 at 12:14 PM, M.-A. Lemburg m...@egenix.com wrote: On 22.03.2013 10:04, Ronald Oussoren wrote: On 22 Mar, 2013, at 9:58, anatoly techtonik techto...@gmail.com wrote: Some links are broken. I added redirects for wiki pages

Re: [Catalog-sig] API for uploading packages to PyPI

2013-03-22 Thread M.-A. Lemburg
On 22.03.2013 13:20, anatoly techtonik wrote: On Fri, Mar 22, 2013 at 1:49 PM, M.-A. Lemburg m...@egenix.com wrote: Again: Please don't do this. I think you're not against renaming pages, but against renaming without redirects. In fact, if MoinMoin could automatically insert #REDIRECT

Re: [Catalog-sig] API for uploading packages to PyPI

2013-03-22 Thread M.-A. Lemburg
On 22.03.2013 13:38, anatoly techtonik wrote: On Fri, Mar 22, 2013 at 3:26 PM, M.-A. Lemburg m...@egenix.com wrote: On 22.03.2013 13:20, anatoly techtonik wrote: On Fri, Mar 22, 2013 at 1:49 PM, M.-A. Lemburg m...@egenix.com wrote: Again: Please don't do this. I think you're not against

Re: [Catalog-sig] Access to Windows' cert store

2013-03-21 Thread M.-A. Lemburg
On 21.03.2013 13:06, Christian Heimes wrote: Hi, the message is slightly off-topic but it might be interesting for pip, setuptools and other developers that are working on HTTPS for PyPI. A while ago I found C++ example code that shows how to dump CA and CRL certs from Windows's system

Re: [Catalog-sig] Access to Windows' cert store

2013-03-21 Thread M.-A. Lemburg
On 21.03.2013 14:32, Christian Heimes wrote: Am 21.03.2013 13:58, schrieb M.-A. Lemburg: Why not simply use the Firefox certs ? We started adding these to our pyOpenSSL distribution with the last release: https://cms.egenix.com/products/python/pyOpenSSL/doc/#Module_OpenSSL.ca_bundle Sure

Re: [Catalog-sig] PEP 438 implementation on testpypi

2013-03-20 Thread M.-A. Lemburg
On 20.03.2013 19:26, Richard Jones wrote: Thanks to Donald Stufft for his implementation of the PEP 438 changes, I've made them live on testpypi.python.org - specifically the urls page of package administration. Please poke and play. Nice... first tests: * Going to urls and then clicking on

Re: [Catalog-sig] PEP 438 implementation on testpypi

2013-03-20 Thread M.-A. Lemburg
On 20.03.2013 20:31, M.-A. Lemburg wrote: Other things: - * Would it be possible to add a link to the corresponding /simple/ index page on the package menu (the one with files, urls, etc.) ? * Could you add a link to the PKG-INFO file from pypi?:action=display_pkginfo

Re: [Catalog-sig] PEP 438 implementation on testpypi

2013-03-20 Thread M.-A. Lemburg
On 20.03.2013 21:16, Richard Jones wrote: On 20 March 2013 12:31, M.-A. Lemburg m...@egenix.com wrote: * Will there be an RPC interface to register URLs with PyPI ? Doing this manually for a large number of files is, well, not ideal :-) It's just a HTTP POST and there's plans for a tool

Re: [Catalog-sig] PEP 438 implementation on testpypi

2013-03-20 Thread M.-A. Lemburg
On 20.03.2013 23:01, Richard Jones wrote: On 20 March 2013 14:56, M.-A. Lemburg m...@egenix.com wrote: Could you change The URL must end with the MD5 hash of the file contents to The URL must include the MD5 hash of the file contents ? (See my original test report for the reason :-)) Hm

Re: [Catalog-sig] PEP 438 implementation on testpypi

2013-03-20 Thread M.-A. Lemburg
On 20.03.2013 23:19, Richard Jones wrote: On 20 March 2013 15:01, Richard Jones r1chardj0...@gmail.com wrote: On 20 March 2013 14:56, M.-A. Lemburg m...@egenix.com wrote: Could you change The URL must end with the MD5 hash of the file contents to The URL must include the MD5 hash of the file

Re: [Catalog-sig] PEP 438 implementation on testpypi

2013-03-20 Thread M.-A. Lemburg
On 20.03.2013 23:28, Richard Jones wrote: On 20 March 2013 14:17, Richard Jones r1chardj0...@gmail.com wrote: On 20 March 2013 13:27, M.-A. Lemburg m...@egenix.com wrote: On 20.03.2013 21:16, Richard Jones wrote: On 20 March 2013 12:31, M.-A. Lemburg m...@egenix.com wrote

Re: [Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

2013-03-15 Thread M.-A. Lemburg
Thanks, Holger. This version looks a lot better :-) There are still some minor quirks which would need to be addressed more explicitly, but overall, this proposal provides a good way forward. Perhaps it would also be possible to add the secured download links and the caching/proxying ideas to

Re: [Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

2013-03-15 Thread M.-A. Lemburg
A little off-topic, but I thought you might enjoy this in the context of all the crypto, hash and signing debate: http://xkcd.com/1181/ Cheers, -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Mar 15 2013) Python Projects, Consulting and Support ...

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-14 Thread M.-A. Lemburg
On 12.03.2013 22:26, PJ Eby wrote: On Tue, Mar 12, 2013 at 3:59 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 19:15, M.-A. Lemburg wrote: I've run into a weird issue with easy_install, that I'm trying to solve: If I place two files named egenix_mxodbc_connect_client-2.0.2-py2.6.egg

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-14 Thread M.-A. Lemburg
On 14.03.2013 17:39, PJ Eby wrote: On Thu, Mar 14, 2013 at 6:07 AM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 22:26, PJ Eby wrote: On Tue, Mar 12, 2013 at 3:59 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 19:15, M.-A. Lemburg wrote: I've run into a weird issue

Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-13 Thread M.-A. Lemburg
On 13.03.2013 07:28, Nick Coghlan wrote: On Tue, Mar 12, 2013 at 12:59 PM, M.-A. Lemburg m...@egenix.com wrote: I think we should establish a versioned API like that for PyPI to make progress easier. All major web APIs use versioning for this reason. Why set up versioning for something we

Re: [Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

2013-03-13 Thread M.-A. Lemburg
On 13.03.2013 12:21, holger krekel wrote: Hi all, after some more discussions and hours spent by Carl Meyer (who is now co-authoring the PEP) and me, here is a new V3 pre-submit draft. It is now more ambitious than the previous draft as should be obvious from the modified abstract (and

Re: [Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

2013-03-13 Thread M.-A. Lemburg
On 13.03.2013 20:08, Donald Stufft wrote: On Mar 13, 2013, at 2:57 PM, M.-A. Lemburg m...@egenix.com wrote: On 13.03.2013 12:21, holger krekel wrote: [V3 proposal] I must say, don't like this change in motivation compared to V1 and V2. The original of the discussion was to make PyPI

Re: [Catalog-sig] A 90% Solution

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 03:46, PJ Eby wrote: On Mon, Mar 11, 2013 at 8:28 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 00:39, Donald Stufft wrote: On Mar 11, 2013, at 7:04 PM, PJ Eby p...@telecommunity.com wrote: Just a thought, but... If 90% of PyPI projects do not have any external files

Re: [Catalog-sig] A 90% Solution

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 10:20, Jesse Noller wrote: On Mar 12, 2013, at 3:57 AM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 03:46, PJ Eby wrote: On Mon, Mar 11, 2013 at 8:28 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 00:39, Donald Stufft wrote: On Mar 11, 2013, at 7:04 PM, PJ

Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 12:38, holger krekel wrote: Hi all, below is the new PEP pre-submit version (V2) which incorporates the latest suggestions and aims at a rapidly deployable solution. Thanks in particular to Philip, Donald and Marc-Andre. I also added a few notes on how installers should

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 16:42, Jacob Kaplan-Moss wrote: On Tue, Mar 12, 2013 at 10:38 AM, PJ Eby p...@telecommunity.com wrote: I'll ask it again: why should *thousands* of projects be censored or made to change their release processes, because *you* can't be bothered to cache the distributions of the

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 17:29, Jacob Kaplan-Moss wrote: On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg m...@egenix.com wrote: So let's do this carefully and find a good solution before jumping to conclusions. Completely agreed; rushing is a bad idea. But so is not starting. What I'm seeing

Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-12 Thread M.-A. Lemburg
Just a quick note (more later, if time permits)... On 12.03.2013 18:05, holger krekel wrote: Hi Marc-Andre, all, - Prepare PYPI implementation to allow a per-project hosting mode, effectively enabling or disabling external crawling. When enabled nothing changes from the current

[Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-12 Thread M.-A. Lemburg
I've run into a weird issue with easy_install, that I'm trying to solve: If I place two files named egenix_mxodbc_connect_client-2.0.2-py2.6.egg egenix-mxodbc-connect-client-2.0.2.win32-py2.6.prebuilt.zip into the same directory and let easy_install running on Linux scan this, it considers the

Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 20:17, holger krekel wrote: On Tue, Mar 12, 2013 at 19:07 +0100, M.-A. Lemburg wrote: Just a quick note (more later, if time permits)... On 12.03.2013 18:05, holger krekel wrote: Hi Marc-Andre, all, - Prepare PYPI implementation to allow a per-project hosting mode

Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 20:46, PJ Eby wrote: On Tue, Mar 12, 2013 at 2:07 PM, M.-A. Lemburg m...@egenix.com wrote: Just a quick note (more later, if time permits)... On 12.03.2013 18:05, holger krekel wrote: Hi Marc-Andre, all, - Prepare PYPI implementation to allow a per-project hosting mode

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 19:15, M.-A. Lemburg wrote: I've run into a weird issue with easy_install, that I'm trying to solve: If I place two files named egenix_mxodbc_connect_client-2.0.2-py2.6.egg egenix-mxodbc-connect-client-2.0.2.win32-py2.6.prebuilt.zip into the same directory and let

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread M.-A. Lemburg
On 11.03.2013 09:18, Lennart Regebro wrote: On Mon, Mar 11, 2013 at 9:06 AM, Ronald Oussoren ronaldousso...@mac.com wrote: But this isn't necessarily true, there is another solution: mirror your requirements locally. I do that. This is not a solution, because your requirements yesterday

Re: [Catalog-sig] A 90% Solution

2013-03-11 Thread M.-A. Lemburg
On 12.03.2013 00:39, Donald Stufft wrote: On Mar 11, 2013, at 7:04 PM, PJ Eby p...@telecommunity.com wrote: Just a thought, but... If 90% of PyPI projects do not have any external files to download, then, wouldn't it make sense to: To be accurate it's 90% don't have any files/release

Re: [Catalog-sig] A 90% Solution

2013-03-11 Thread M.-A. Lemburg
On 12.03.2013 01:23, Donald Stufft wrote: On Mar 11, 2013, at 8:12 PM, PJ Eby p...@telecommunity.com wrote: On Mon, Mar 11, 2013 at 7:39 PM, Donald Stufft don...@stufft.io wrote: On Mar 11, 2013, at 7:04 PM, PJ Eby p...@telecommunity.com wrote: Just a thought, but... If 90% of PyPI

Re: [Catalog-sig] hash tags

2013-03-09 Thread M.-A. Lemburg
[Discussion about MD5] I think there's not much point in discussing MD5 in this context. When creating new designs, you should always use the current best and most widely deployed algorithm, IMO. For Python, this is the SHA-2 family at the moment, since SHA-3 is not supported by Python's

Re: [Catalog-sig] hash tags

2013-03-08 Thread M.-A. Lemburg
On 08.03.2013 13:15, Christian Heimes wrote: Am 08.03.2013 12:49, schrieb M.-A. Lemburg: Together with the added hash tag on the download file URLs (*), this would solve the availability and the security aspects. Instead of deprecating external links altogether, we could then deprecate non

Re: [Catalog-sig] hash tags

2013-03-08 Thread M.-A. Lemburg
On 08.03.2013 14:09, Donald Stufft wrote: Accidentally sent this to only MAL so resending! On Mar 8, 2013, at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote: On 08.03.2013 13:15, Christian Heimes wrote: Am 08.03.2013 12:49, schrieb M.-A. Lemburg: Together with the added hash tag

Re: [Catalog-sig] hash tags

2013-03-08 Thread M.-A. Lemburg
On 08.03.2013 13:50, M.-A. Lemburg wrote: On 08.03.2013 13:15, Christian Heimes wrote: I like to propose query string-like key/value pairs. key/value pairs are more flexible and allow us to add/remove new information in the future. Good idea. I'll add that as extension mechanism. I also

Re: [Catalog-sig] hash tags

2013-03-08 Thread M.-A. Lemburg
On 08.03.2013 20:52, Noah Kantrowitz wrote: On Mar 8, 2013, at 4:50 AM, M.-A. Lemburg wrote: On 08.03.2013 13:15, Christian Heimes wrote: Am 08.03.2013 12:49, schrieb M.-A. Lemburg: Together with the added hash tag on the download file URLs (*), this would solve the availability

Re: [Catalog-sig] hash tags

2013-03-08 Thread M.-A. Lemburg
On 08.03.2013 20:16, PJ Eby wrote: On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote: After the feedback I got from Holger and Phillip, I'm currently writing a new version, which drops some of the unneeded requirements and spells out a few more things. Here's a very short

Re: [Catalog-sig] hash tags

2013-03-08 Thread M.-A. Lemburg
On 08.03.2013 20:16, PJ Eby wrote: On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote: So far the only practical problem I've found with the approach is that the download page may not contain dynamic data, e.g. a date or timestamp, since that causes the hash tag not to verify

Re: [Catalog-sig] hash tags

2013-03-08 Thread M.-A. Lemburg
On 08.03.2013 22:47, Donald Stufft wrote: On Mar 8, 2013, at 4:45 PM, M.-A. Lemburg m...@egenix.com wrote: On 08.03.2013 22:33, Donald Stufft wrote: On Mar 8, 2013, at 4:28 PM, M.-A. Lemburg m...@egenix.com wrote: BTW: If we go with the CDN caching model for external files, we'd pull

Re: [Catalog-sig] revoked certificate error on chrome from PyPI?

2013-03-05 Thread M.-A. Lemburg
On 05.03.2013 12:10, Chris Withers wrote: On 05/03/2013 11:09, Giovanni Bajo wrote: Il giorno 05/mar/2013, alle ore 11:19, Chris Withers ch...@simplistix.co.uk ha scritto: On 05/03/2013 10:18, Donald Stufft wrote: On Tuesday, March 5, 2013 at 4:51 AM, Chris Withers wrote: When I go to PyPI

Re: [Catalog-sig] Deprecate External Links

2013-03-01 Thread M.-A. Lemburg
On 01.03.2013 10:02, Reinout van Rees wrote: On 28-02-13 21:08, holger krekel wrote: I have seen that position in this discussion (I have to upload 120 files per release, so I won't do that, for instance). haven't seen that. Marc-Andre Lemburg said this, which I took to mean 120 uploads

Re: [Catalog-sig] homepage/download metadata cleaning

2013-03-01 Thread M.-A. Lemburg
On 01.03.2013 11:19, holger krekel wrote: Hi Richard, all, somewhere deep in the threads i mentioned i wrote a little cleanpypi.py script which takes a project name as an argument and then goes to pypi.python.org and removes all homepage/download metadata entries for this project. This

Re: [Catalog-sig] PyPI terms (was: Deprecate External Links)

2013-03-01 Thread M.-A. Lemburg
the suitable place for these discussions. Jesse On Mar 1, 2013, at 4:24 AM, M.-A. Lemburg m...@egenix.com wrote: On 01.03.2013 10:02, Reinout van Rees wrote: On 28-02-13 21:08, holger krekel wrote: I have seen that position in this discussion (I have to upload 120 files per release, so I won't

Re: [Catalog-sig] PyPI terms

2013-03-01 Thread M.-A. Lemburg
On 01.03.2013 13:18, Jesse Noller wrote: I am subscribed: I made the list. We're both board directors too. Changes to the tos should come from legal counsel, and the board Van and all others who are interested as well ? On Mar 1, 2013, at 6:47 AM, M.-A. Lemburg m...@egenix.com wrote

Re: [Catalog-sig] PyPI terms

2013-03-01 Thread M.-A. Lemburg
On 01.03.2013 12:47, M.-A. Lemburg wrote: On 01.03.2013 12:30, Jesse Noller wrote: Marc Andre: I'm cc'ing Van: can you explain why the pypi terms are a bummer so we can see if there is actually an issue to be resolved or a matter of taste? We need to protect the foundation while preserving

Re: [Catalog-sig] PyPI terms

2013-03-01 Thread M.-A. Lemburg
On 01.03.2013 15:02, Jesse Noller wrote: Okie doke. So we can move on to putting up the CDN and deprecating external links for now? I don't think anyone is against putting up a CDN. It should meet the same security requirements we have for the pypi server itself, ie. HTTPS all the way, proper

Re: [Catalog-sig] [Python-legal-sig] PyPI terms

2013-03-01 Thread M.-A. Lemburg
Hi Van, please read my long posting to the python-legal list. This explains the concerns and makes suggestions on how to improve things in a way that is compatible with what PyPI is and how it is used today: http://mail.python.org/pipermail/python-legal-sig/2013-March/00.html PS: I'd prefer

Re: [Catalog-sig] homepage/download metadata cleaning

2013-03-01 Thread M.-A. Lemburg
1, 2013 at 6:04 AM, M.-A. Lemburg wrote: On 01.03.2013 11:19, holger krekel wrote: Hi Richard, all, somewhere deep in the threads i mentioned i wrote a little cleanpypi.py script which takes a project name as an argument and then goes to pypi.python.org (http://pypi.python.org) and removes all

Re: [Catalog-sig] homepage/download metadata cleaning

2013-03-01 Thread M.-A. Lemburg
On 01.03.2013 23:50, Lennart Regebro wrote: On Fri, Mar 1, 2013 at 8:31 PM, M.-A. Lemburg m...@egenix.com wrote: Hmm, then why not remove links that don't match the above from the /simple/ index pages ? I think we can do that, but if we *start* with that, we will just suddenly

Re: [Catalog-sig] Next generation package infrastructure (was: Deprecate External Links)

2013-02-28 Thread M.-A. Lemburg
On 28.02.2013 09:43, Nick Coghlan wrote: On Thu, Feb 28, 2013 at 6:12 PM, M.-A. Lemburg m...@egenix.com wrote: On 28.02.2013 07:39, Nick Coghlan wrote: 1. The next generation metadata infrastructure will NOT support external hosting of files indexed on PyPI - if you don't upload the archive

Re: [Catalog-sig] PyPI limitations (was: Deprecate External Links)

2013-02-28 Thread M.-A. Lemburg
On 27.02.2013 19:11, Noah Kantrowitz wrote: On Feb 27, 2013, at 9:28 AM, M.-A. Lemburg wrote: On 27.02.2013 18:05, Noah Kantrowitz wrote: M.-A. Lemburg m...@egenix.com wrote: I propose we deprecate the external links that PyPI has published on the /simple/ indexes which exist because

Re: [Catalog-sig] PyPI terms (was: Deprecate External Links)

2013-02-28 Thread M.-A. Lemburg
On 27.02.2013 19:11, Noah Kantrowitz wrote: On Feb 27, 2013, at 9:28 AM, M.-A. Lemburg wrote: [reasons for not hosting distribution files on PyPI] * giving up control This is the point of running a package server, the author gives up control over distribution in order to reap

Re: [Catalog-sig] Pypi cdn for hosted packages

2013-02-28 Thread M.-A. Lemburg
On 28.02.2013 13:43, Jesse Noller wrote: Can we please actually look at the free offers we are being given versus paying for something for once Sure. This is just for testing. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Feb 28 2013) Python

Re: [Catalog-sig] Pypi cdn for hosted packages

2013-02-28 Thread M.-A. Lemburg
front-page using the CDN. The package links all have pypi.python.org hardcoded, though, so don't work on the CDN. On Thursday, February 28, 2013 at 7:53 AM, Donald Stufft wrote: On Thursday, February 28, 2013 at 7:49 AM, M.-A. Lemburg wrote: There you go: https://d1t66zoqn9vlte.cloudfront.net

Re: [Catalog-sig] Pypi cdn for hosted packages

2013-02-28 Thread M.-A. Lemburg
On 28.02.2013 15:02, M.-A. Lemburg wrote: On 28.02.2013 14:37, Giovanni Bajo wrote: Il giorno 28/feb/2013, alle ore 13:53, Donald Stufft donald.stu...@gmail.com ha scritto: On Thursday, February 28, 2013 at 7:49 AM, M.-A. Lemburg wrote: There you go: https://d1t66zoqn9vlte.cloudfront.net

Re: [Catalog-sig] remove historic download/homepage links for a project

2013-02-28 Thread M.-A. Lemburg
On 28.02.2013 17:27, Ronald Oussoren wrote: On 28 Feb, 2013, at 14:41, holger krekel hol...@merlinux.eu wrote: That's the #2 thing I hate about some packages: removed releases that I faithfully pinned in my buildout (or requirements.txt). Removing releases is, imho, irresponsible. it's

Re: [Catalog-sig] Migrating away from scanning home pages

2013-02-28 Thread M.-A. Lemburg
I've added the proposal to the wiki to keep collecting comments and updates: http://wiki.python.org/moin/PyPI/DownloadMetaDataProposal On 28.02.2013 12:55, M.-A. Lemburg wrote: On 28.02.2013 12:45, Donald Stufft wrote: On Thursday, February 28, 2013 at 5:55 AM, M.-A. Lemburg wrote: I think we

Re: [Catalog-sig] Pypi cdn for hosted packages

2013-02-28 Thread M.-A. Lemburg
I've created a wiki page with the CloudFront setup description: http://wiki.python.org/moin/CloudPyPI/ExampleCDN -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Feb 28 2013) Python Projects, Consulting and Support ... http://www.egenix.com/

Re: [Catalog-sig] PyPI terms

2013-02-28 Thread M.-A. Lemburg
On 28.02.2013 18:44, Noah Kantrowitz wrote: On Feb 28, 2013, at 2:22 AM, M.-A. Lemburg wrote: BTW: I've never seen a hosting website require agreeing to giving users of the website the same distribution rights as the owner of the website. You should read terms of service more closely

Re: [Catalog-sig] Pypi cdn for hosted packages

2013-02-28 Thread M.-A. Lemburg
the real thing is live or I run out of budget for this (whichever comes first ;-)). On Feb 28, 2013, at 9:19 AM, M.-A. Lemburg wrote: I've created a wiki page with the CloudFront setup description: http://wiki.python.org/moin/CloudPyPI/ExampleCDN -- Marc-Andre Lemburg eGenix.com

Re: [Catalog-sig] Deprecate External Links

2013-02-27 Thread M.-A. Lemburg
On 27.02.2013 16:26, Donald Stufft wrote: PyPI is now being served with a valid SSL certificate, and the tooling has begun to incorporate SSL verification of PyPI into the process. This is _excellent_ and the parties involved should all be thanked. However there is still another massive area

Re: [Catalog-sig] Deprecate External Links

2013-02-27 Thread M.-A. Lemburg
On 27.02.2013 17:43, Donald Stufft wrote: On Wednesday, February 27, 2013 at 11:34 AM, M.-A. Lemburg wrote: On 27.02.2013 16:42, Donald Stufft wrote: On Wednesday, February 27, 2013 at 10:39 AM, M.-A. Lemburg wrote: -1. There are many reasons for not hosting packages and distributions

Re: [Catalog-sig] User profile: PGP Key ID

2013-02-20 Thread M.-A. Lemburg
On 20.02.2013 21:03, Donald Stufft wrote: On Wednesday, February 20, 2013 at 3:02 PM, Daniel Holth wrote: You know how to do S/MIME; how much harder would it be to use X.509 signatures as are supported with openssl and bundled GUI cert managers on all OSs? Signing tech doesn't really

Re: [Catalog-sig] User profile: PGP Key ID

2013-02-20 Thread M.-A. Lemburg
On 20.02.2013 21:12, M.-A. Lemburg wrote: On 20.02.2013 21:03, Donald Stufft wrote: On Wednesday, February 20, 2013 at 3:02 PM, Daniel Holth wrote: You know how to do S/MIME; how much harder would it be to use X.509 signatures as are supported with openssl and bundled GUI cert managers

Re: [Catalog-sig] User profile: PGP Key ID

2013-02-20 Thread M.-A. Lemburg
On 20.02.2013 21:18, Christian Heimes wrote: Am 20.02.2013 21:12, schrieb M.-A. Lemburg: On 20.02.2013 21:03, Donald Stufft wrote: On Wednesday, February 20, 2013 at 3:02 PM, Daniel Holth wrote: You know how to do S/MIME; how much harder would it be to use X.509 signatures as are supported

Re: [Catalog-sig] HTTPS now promoted on PyPI

2013-02-19 Thread M.-A. Lemburg
On 19.02.2013 14:23, Giovanni Bajo wrote: Il giorno 19/feb/2013, alle ore 06:13, Richard Jones r1chardj0...@gmail.com ha scritto: Hi all, I've just altered the nginx configuration to promote (ie. redirect to) HTTPS for all GET/HEAD requests. This includes HSTS, but I've set the lifetime

Re: [Catalog-sig] HTTPS now promoted on PyPI

2013-02-19 Thread M.-A. Lemburg
On 19.02.2013 14:47, M.-A. Lemburg wrote: On 19.02.2013 14:23, Giovanni Bajo wrote: Il giorno 19/feb/2013, alle ore 06:13, Richard Jones r1chardj0...@gmail.com ha scritto: Hi all, I've just altered the nginx configuration to promote (ie. redirect to) HTTPS for all GET/HEAD requests

Re: [Catalog-sig] Massive download problems using https://

2013-02-19 Thread M.-A. Lemburg
Same here. The web interface got really slow after the switch. On 19.02.2013 14:55, Andreas Jung wrote: Hi there, since the switch to https:// I have massive problems running larger buildouts. After every second or third pulled package I receive a connection reset by peer error. Andreas

[Catalog-sig] Problem switching to https://pypi.python.org/pypi (and work-around)

2013-02-18 Thread M.-A. Lemburg
I wanted to switch to the HTTPS address of PyPI today, but the change in my .pypirc did not result in the expected seamless upgrade ;-) Here's my working .pypirc (fairly standard): [distutils] index-servers = pypi [pypi] repository = http://pypi.python.org/pypi username = xyz password =

Re: [Catalog-sig] Mandatory Reset of PyPI Passwords

2013-02-14 Thread M.-A. Lemburg
On 14.02.2013 00:17, Richard Jones wrote: On 13 February 2013 22:32, Giovanni Bajo ra...@develer.com wrote: Il giorno 13/feb/2013, alle ore 12:14, Richard Jones rich...@python.org ha scritto: 2. fix the email password reset debacle (mostly written, not tested), Is this committed anywhere I

Re: [Catalog-sig] Allowing the upload of .py files at PyPI

2013-02-14 Thread M.-A. Lemburg
On 14.02.2013 20:28, Tarek Ziadé wrote: Hello Some tools (setuptools, distribute, zope, pip) use bootstrap files to get installed, In order to have a more secured installation process, we'd like to be able to push those files on PyPI so people can download them through https using the

Re: [Catalog-sig] Allowing the upload of .py files at PyPI

2013-02-14 Thread M.-A. Lemburg
On 14.02.2013 23:10, Nick Coghlan wrote: On 15 Feb 2013 05:50, Tarek Ziadé ta...@ziade.org wrote: On 2/14/13 8:37 PM, Donald Stufft wrote: On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote: Hello Some tools (setuptools, distribute, zope, pip) use bootstrap files to get

Re: [Catalog-sig] Allowing the upload of .py files at PyPI

2013-02-14 Thread M.-A. Lemburg
On 14.02.2013 23:38, Donald Stufft wrote: On Thursday, February 14, 2013 at 5:34 PM, M.-A. Lemburg wrote: I don't follow the reasoning here. What's the difference between uploading a .py file and a .tar.gz file ? AFAIK, the only reason why the file extensions are restricted is to prevent

Re: [Catalog-sig] Mandatory Reset of PyPI Passwords

2013-02-13 Thread M.-A. Lemburg
we had to make the same decision a while ago and decided against doing emails. On Feb 13, 2013, at 7:27 AM, M.-A. Lemburg m...@egenix.com wrote: On 13.02.2013 13:13, Antoine Pitrou wrote: Richard Jones richard at python.org writes: 3. send email to all registered users indicating that all

Re: [Catalog-sig] Mandatory Reset of PyPI Passwords

2013-02-13 Thread M.-A. Lemburg
Hi Richard, On 13.02.2013 12:14, Richard Jones wrote: My intention is to: 2. fix the email password reset debacle (mostly written, not tested), Could you post a description of the new procedure ? Not that I wouldn't trust your capabilities :-) ... I just think more eyes would be good to make

Re: [Catalog-sig] Pull request to migrate PyPI to bcrypt

2013-02-11 Thread M.-A. Lemburg
Richard Jones wrote: Given the discussion on the pull request I think I'll hold off. There seems to be some question regarding its appropriateness which I'm not really in a position to judge. FWIW, the DoS problem with the multi-round hash algorithms was also an issue for moin. They chose to

Re: [Catalog-sig] Pull request to migrate PyPI to bcrypt

2013-02-11 Thread M.-A. Lemburg
Giovanni Bajo wrote: Il giorno 11/feb/2013, alle ore 13:25, Jesse Noller jnol...@gmail.com ha scritto: Actually I was thinking about this in the shower: the likelihood that pypi users used the same passwords as they did on the wiki is probably much higher than any of us assume. Given

Re: [Catalog-sig] Pull request to migrate PyPI to bcrypt

2013-02-11 Thread M.-A. Lemburg
On 11.02.2013 14:49, Christian Heimes wrote: Am 11.02.2013 14:38, schrieb Donald Stufft: On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote: Giovanni Bajo wrote: Il giorno 11/feb/2013, alle ore 13:25, Jesse Noller jnol...@gmail.com mailto:jnol...@gmail.com ha scritto: Actually I

Re: [Catalog-sig] Pull request to migrate PyPI to bcrypt

2013-02-11 Thread M.-A. Lemburg
On 11.02.2013 20:41, Antoine Pitrou wrote: M.-A. Lemburg mal at egenix.com writes: Let's please not get paranoid over all this. As long as the parameters remain configurable, we can approach these things in small steps and don't need to get all tied up in discussions about how to turn PyPI

Re: [Catalog-sig] PyPI and setuptools

2013-02-10 Thread M.-A. Lemburg
Giovanni Bajo wrote: Il giorno 10/feb/2013, alle ore 00:43, M.-A. Lemburg m...@egenix.com ha scritto: On 10.02.2013 00:13, Stephen Thorne wrote: Hello, One of my concerns with the recent pip dramas that have seen some excellent and timely action from catalog-sig and others

Re: [Catalog-sig] PyPI doesn't serve the correct mimetypes

2013-02-10 Thread M.-A. Lemburg
On 10.02.2013 18:00, Antoine Pitrou wrote: $ curl -I http://pypi.python.org/packages/source/z/zope.interface/zope.interface-4.0.3.tar.gz HTTP/1.1 200 OK Server: nginx/1.1.19 Date: Sun, 10 Feb 2013 16:59:29 GMT Content-Type: application/octet-stream Content-Length: 140124 Last-Modified:

Re: [Catalog-sig] PyPI doesn't serve the correct mimetypes

2013-02-10 Thread M.-A. Lemburg
On 10.02.2013 18:11, Antoine Pitrou wrote: M.-A. Lemburg mal at egenix.com writes: On 10.02.2013 18:00, Antoine Pitrou wrote: $ curl -I http://pypi.python.org/packages/source/z/zope.interface/zope.interface-4.0.3.tar.gz HTTP/1.1 200 OK Server: nginx/1.1.19 Date: Sun, 10 Feb 2013 16:59:29

Re: [Catalog-sig] PyPI and setuptools

2013-02-09 Thread M.-A. Lemburg
On 10.02.2013 00:13, Stephen Thorne wrote: Hello, One of my concerns with the recent pip dramas that have seen some excellent and timely action from catalog-sig and others, is that 'setuptools' is still widely distributed and used instead of distribute/pip. Just as data point: distribute

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread M.-A. Lemburg
On 07.02.2013 12:49, Giovanni Bajo wrote: On 07 Feb 2013, at 11:59, M.-A. Lemburg m...@egenix.com wrote: Sorry, if this has already been mentioned, but we could make GPG signing very user friendly for the PyPI users by: - having the PyPI server verify the uploaded file

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread M.-A. Lemburg
On 07.02.2013 15:13, Giovanni Bajo wrote: On 07 Feb 2013, at 12:55, M.-A. Lemburg m...@egenix.com wrote: Can you please describe an attack that can be mounted against PyPI/pip that is prevented by having this additional signature? This is not about preventing some kind

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread M.-A. Lemburg
On 07.02.2013 16:04, Giovanni Bajo wrote: On 07 Feb 2013, at 15:35, M.-A. Lemburg m...@egenix.com wrote: On 07.02.2013 15:13, Giovanni Bajo wrote: On 07 Feb 2013, at 12:55, M.-A. Lemburg m...@egenix.com wrote: Can you please describe an attack that can

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread M.-A. Lemburg
On 06.02.2013 21:33, Donald Stufft wrote: On Wednesday, February 6, 2013 at 3:31 PM, Vinay Sajip wrote: Donald Stufft donald.stufft at gmail.com writes: * Do we have bindings to GPG that we can use? There's python-gnupg [1][2] which I maintain. I test it on Linux, Mac OS X

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread M.-A. Lemburg
On 06.02.2013 22:05, Jesse Noller wrote: On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote: On Wednesday, February 6, 2013 at 4:01 PM, Vinay Sajip wrote: M.-A. Lemburg mal at egenix.com writes: Try gnupg-w32cli which is really easy to install and doesn't

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread M.-A. Lemburg
On 05.02.2013 09:02, Lennart Regebro wrote: On Tue, Feb 5, 2013 at 8:42 AM, M.-A. Lemburg m...@egenix.com wrote: On 05.02.2013 02:36, Nick Coghlan wrote: Something that caught my attention in the recent security discussions is the observation that one of the most common insecure practices

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread M.-A. Lemburg
On 05.02.2013 14:06, Lennart Regebro wrote: On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote: PyPI will need to change for this to happen realistically if I recall. There is a hard limit on how large of a distribution can be uploaded to PyPI and there are, if I

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-05 Thread M.-A. Lemburg
On 05.02.2013 14:18, Donald Stufft wrote: On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote: That will mean that a man-in-the-middle attack might poison PyPI's cache. I don't think that's a feasible path forward. Packages do not need to be cached, as they are not supposed to

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread M.-A. Lemburg
On 05.02.2013 02:36, Nick Coghlan wrote: Something that caught my attention in the recent security discussions is the observation that one of the most common insecure practices in the Python community is to run sudo pip with unsigned packages (sometimes on untrusted networks). To my mind,

Re: [Catalog-sig] disabling the serving of links from description_html?

2012-12-18 Thread M.-A. Lemburg
On 18.12.2012 15:54, Holger Krekel wrote: Hi Richard, hi all, While reading the pypi main and other sources I wondered how we could switch off serving links from description_html, at least on a per-project basis. It's really annoying that when you start to add some links to a

Re: [Catalog-sig] disabling the serving of links from description_html?

2012-12-18 Thread M.-A. Lemburg
On 18.12.2012 18:54, Holger Krekel wrote: On Tue, Dec 18, 2012 at 5:46 PM, M.-A. Lemburg m...@egenix.com wrote: On 18.12.2012 15:54, Holger Krekel wrote: Hi Richard, hi all, While reading the pypi main and other sources I wondered how we could switch off serving links from description_html

Re: [Catalog-sig] current repo of pypi

2012-11-30 Thread M.-A. Lemburg
On 30.11.2012 10:05, Holger Krekel wrote: Hello, The http://wiki.python.org/moin/CheeseShopDev page mentioned that the repo is undergoing migration. Is there some (even intermediate) URL which I could pull today? AFAIK, this is still the current repo: https://bitbucket.org/loewis/pypi
