Re: [Catalog-sig] How to determine if archive is an sdist or bdist

2013-03-31 Thread PJ Eby
On Sun, Mar 31, 2013 at 6:13 PM, James Carpenter nawk...@gmail.com wrote: Do you have a module/function/line number in easy_install I should use? I'm sure I can dig it out myself but it sounds like you might just be able to put your finger on it in only a minute or two. It's the install_eggs()

Re: [Catalog-sig] How to determine if archive is an sdist or bdist

2013-03-29 Thread PJ Eby
, 2013 at 3:36 PM, PJ Eby p...@telecommunity.com wrote: On Thu, Mar 28, 2013 at 3:57 PM, James Carpenter nawk...@gmail.com wrote: Is there an easy way to programmatically tell if an archive (tar.gz, zip, etc.) in the dist directory is a binary or sdist? I would like to post-process

Re: [Catalog-sig] Merge catalog-sig and distutils-sig

2013-03-28 Thread PJ Eby
On Thu, Mar 28, 2013 at 3:14 PM, Fred Drake f...@fdrake.net wrote: On Thu, Mar 28, 2013 at 2:22 PM, Donald Stufft don...@stufft.io wrote: Is there much point in keeping catalog-sig and distutils-sig separate? No. The last time this was brought up, there were objections, but I don't remember

Re: [Catalog-sig] Merge catalog-sig and distutils-sig

2013-03-28 Thread PJ Eby
On Thu, Mar 28, 2013 at 3:43 PM, Donald Stufft don...@stufft.io wrote: On Mar 28, 2013, at 3:39 PM, PJ Eby p...@telecommunity.com wrote: Can we do it by just dropping catalog-sig and keeping distutils-sig? I'm afraid we might lose some important distutils-sig population if the process involves

Re: [Catalog-sig] How to determine if archive is an sdist or bdist

2013-03-28 Thread PJ Eby
On Thu, Mar 28, 2013 at 3:57 PM, James Carpenter nawk...@gmail.com wrote: Is there an easy way to programmatically tell if an archive (tar.gz, zip, etc.) in the dist directory is a binary or sdist? I would like to post-process the contents of a dist directory and classify each build artifact

Re: [Catalog-sig] Merge catalog-sig and distutils-sig

2013-03-28 Thread PJ Eby
On Thu, Mar 28, 2013 at 5:15 PM, Jacob Kaplan-Moss ja...@jacobian.org wrote: C'mon, folks, we're arguing about a name. That's about as close to literal bikeshedding as we could get. I'm not arguing about the *name*. I just don't see the point in making everybody subscribe to a new list and

Re: [Catalog-sig] Access to Windows' cert store

2013-03-21 Thread PJ Eby
On Thu, Mar 21, 2013 at 8:06 AM, Christian Heimes christ...@python.org wrote: Hi, the message is slightly off-topic but it might be interesting for pip, setuptools and other developers that are working on HTTPS for PyPI. A while ago I found C++ example code that shows how to dump CA and CRL

Re: [Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

2013-03-18 Thread PJ Eby
On Sat, Mar 16, 2013 at 3:15 AM, Nick Coghlan ncogh...@gmail.com wrote: On 15 Mar 2013 16:16, Carl Meyer c...@oddbird.net wrote: tl;dr: I see your points, we'll change the PEP to allow clients to use hostnames instead of the rel attributes if they prefer. I will veto any such change.

Re: [Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

2013-03-18 Thread PJ Eby
On Mon, Mar 18, 2013 at 1:22 PM, PJ Eby p...@telecommunity.com wrote: Actually, setuptools trusts redirects, so that mechanism is available for splitting the hosted files to another domain. As it stands, though, I don't see a way to support this without introducing confusion. Oops

Re: [Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

2013-03-15 Thread PJ Eby
Do we even need the internal/external rel info? I was planning to just use the URL hostname. i.e., are there any use cases for designating an externally-hosted file internal, or an internally-hosted file external? If not, it seems the rel= is redundant. It's also more work to implement, vs.

Re: [Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

2013-03-15 Thread PJ Eby
On Fri, Mar 15, 2013 at 12:07 PM, Carl Meyer c...@oddbird.net wrote: On 03/15/2013 09:15 AM, PJ Eby wrote: Do we even need the internal/external rel info? I was planning to just use the URL hostname. i.e., are there any use cases for designating an externally-hosted file internal

Re: [Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

2013-03-15 Thread PJ Eby
On Fri, Mar 15, 2013 at 1:39 PM, Carl Meyer c...@oddbird.net wrote: up to you whether you also want to use rel=internal as a hint for implicitly (perhaps with warning) adding to --allow-hosts, That's the bit I don't like. The security model is that if it's not allowed by allowed-hosts, it's

Re: [Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

2013-03-15 Thread PJ Eby
On Fri, Mar 15, 2013 at 7:16 PM, Carl Meyer c...@oddbird.net wrote: Ok, pending agreement from Holger I'll make a change in the PEP to explicitly allow clients to make decisions based on either the rel attributes or based on hostnames. Would that be sufficient to address your concerns? Yes.

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-14 Thread PJ Eby
On Thu, Mar 14, 2013 at 6:07 AM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 22:26, PJ Eby wrote: On Tue, Mar 12, 2013 at 3:59 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 19:15, M.-A. Lemburg wrote: I've run into a weird issue with easy_install, that I'm trying to solve

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-14 Thread PJ Eby
On Thu, Mar 14, 2013 at 2:11 PM, M.-A. Lemburg m...@egenix.com wrote: Is there any way to have 0.13.1.1.0.1.5-something sort before 0.13.1.1.0.1.5 ? (e.g. like is done for release candidates) Make it 0.13.1.1.0.1.5-devsomething, and it'll have lower precedence than both 0.13.1.1.0.1.5 and

Re: [Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

2013-03-13 Thread PJ Eby
On Wed, Mar 13, 2013 at 7:21 AM, holger krekel hol...@merlinux.eu wrote: Hi all, after some more discussions and hours spent by Carl Meyer (who is now co-authoring the PEP) and me, here is a new V3 pre-submit draft. It is now more ambitious than the previous draft as should be obvious from

Re: [Catalog-sig] A 90% Solution

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 5:50 AM, M.-A. Lemburg m...@egenix.com wrote: Not hard to do: we'd just need to keep the old index in place using a different URL, e.g. /simple-v1/. That's not necessary: the XML-RPC API lets you query those URLs directly. They're part of the metadata standard, after

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 1:25 AM, Lennart Regebro rege...@gmail.com wrote: Externally hosted files are a real world actual problem. You're leaving out some important words from that sentence. Words like, for some people and who choose to depend on projects using them. PyPI isn't your private

Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 7:38 AM, holger krekel hol...@merlinux.eu wrote: In addition, maintainers of installation tools are asked to release two updates. The first one shall provide clear warnings if external crawling needs to happen, A clarification here: needs to happen is not

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 12:29 PM, Jacob Kaplan-Moss ja...@jacobian.org wrote: On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg m...@egenix.com wrote: So let's do this carefully and find a good solution before jumping to conclusions. Completely agreed; rushing is a bad idea. But so is not

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 1:33 PM, Jesse Noller jnol...@gmail.com wrote: There's not much to understand: external hosting of packages is *actively harmful*, period. End users of easy_install and pip *don't even realize* 99% of the time that these tools are following links off of PyPi and

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 2:18 PM, Carl Meyer c...@oddbird.net wrote: It seems to me that there's a remarkable level of consensus developing here (though it may not look like it), and a small set of remaining open questions. The consensus (as I see it): - Migrate away from scraping external

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 2:43 PM, Robert Collins robe...@robertcollins.net wrote: This takes an age when each new web host to talk to is a new DNS lookup (say 0.3 seconds) + HTTP request (0.6 seconds) with possible HTTPS setup in there too (up to 1.2 seconds). A project with dozens of

Re: [Catalog-sig] V2 pre-PEP: transitioning to release file hosting on PYPI

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 2:07 PM, M.-A. Lemburg m...@egenix.com wrote: Just a quick note (more later, if time permits)... On 12.03.2013 18:05, holger krekel wrote: Hi Marc-Andre, all, - Prepare PYPI implementation to allow a per-project hosting mode, effectively enabling or disabling

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 3:36 PM, Jacob Kaplan-Moss ja...@jacobian.org wrote: On Tue, Mar 12, 2013 at 2:21 PM, PJ Eby p...@telecommunity.com wrote: The *only* thing I object to is the part where some people want to ban external links from /simple, always and forever, regardless of the package

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 4:14 PM, Carl Meyer c...@oddbird.net wrote: You say below that nobody has proposed a 'trust everything' flag. If there is no trust everything flag, then it seems to me that with either option A or option B the user needs to specify what they intend to trust. I.e. if you

Re: [Catalog-sig] setuptools/distribute/easy_install/pkg_resource sorting algorithm

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 3:59 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 19:15, M.-A. Lemburg wrote: I've run into a weird issue with easy_install, that I'm trying to solve: If I place two files named egenix_mxodbc_connect_client-2.0.2-py2.6.egg

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Sun, Mar 10, 2013 at 8:25 PM, Donald Stufft don...@stufft.io wrote: I don't think anyone is bad here, nor am I arguing against any particular person or group of people. I'm arguing against a practice and a system. You're going out of your way to find excuses to throw all sorts of stop

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 7:14 AM, Donald Stufft don...@stufft.io wrote: 1) Proof of what? That it's insecure? That it harms uptime? That it violates people's privacy? That any of those things apply to anybody who *isn't using those packages*. Without this, you are only providing a reason to

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 12:45 PM, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 5:12 PM, PJ Eby p...@telecommunity.com wrote: On Mon, Mar 11, 2013 at 7:14 AM, Donald Stufft don...@stufft.io wrote: 1) Proof of what? That it's insecure? That it harms uptime? That it violates

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 1:45 PM, Lennart Regebro rege...@gmail.com wrote: So, we should not remove the links for external packages until somebody traverses those links? But as soon as somebody asks for those links, we should remove them? In fact before we give them the link? I'm saying that if

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 4:07 PM, Carl Meyer c...@oddbird.net wrote: On 03/11/2013 01:57 PM, PJ Eby wrote: I'm saying that if someone objects to the presence of links they don't actually use, they are speaking nonsense. Might as well ask to ban all packages from PyPI that they don't

[Catalog-sig] A 90% Solution

2013-03-11 Thread PJ Eby
Just a thought, but... If 90% of PyPI projects do not have any external files to download, then, wouldn't it make sense to: 1. Add a project-level option to enable or disable the adding of the rel= attribute to /simple links (but not affecting the links in any other way) 2. Default it to

Re: [Catalog-sig] A 90% Solution

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 7:39 PM, Donald Stufft don...@stufft.io wrote: On Mar 11, 2013, at 7:04 PM, PJ Eby p...@telecommunity.com wrote: Just a thought, but... If 90% of PyPI projects do not have any external files to download, then, wouldn't it make sense to: To be accurate it's 90

Re: [Catalog-sig] A 90% Solution

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 8:28 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 00:39, Donald Stufft wrote: On Mar 11, 2013, at 7:04 PM, PJ Eby p...@telecommunity.com wrote: Just a thought, but... If 90% of PyPI projects do not have any external files to download, then, wouldn't

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread PJ Eby
On Sun, Mar 10, 2013 at 11:07 AM, holger krekel hol...@merlinux.eu wrote: Philip, Marc-Andre, Richard (Jones), Nick and catalog-sig/distutils-sig: scrutiny and feedback welcome. Hi Holger. I'm having some difficulty interpreting your proposal because it is leaving out some things, and in other

Re: [Catalog-sig] Search engine relevance

2013-03-10 Thread PJ Eby
On Sun, Mar 10, 2013 at 4:23 AM, Richard Jones r1chardj0...@gmail.com wrote: This might solve the AGI problem and could probably produce good results using the current ranking algorithm. Not sure. Google's search algorithms are far advanced ;-) Heh. This just gave me a bit of a chuckle, taken

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread PJ Eby
On Sun, Mar 10, 2013 at 5:16 PM, Donald Stufft don...@stufft.io wrote: If someone's release process forces PyPI to have security, uptime, and privacy issues then I'm very sorry but their release process is going to need to change. It's not fun, it's a shitty situation, but trying to bend over

Re: [Catalog-sig] hash tags

2013-03-08 Thread PJ Eby
On Fri, Mar 8, 2013 at 7:50 AM, M.-A. Lemburg m...@egenix.com wrote: After the feedback I got from Holger and Phillip, I'm currently writing a new version, which drops some of the unneeded requirements and spells out a few more things. Here's a very short version... Installers are modified:

Re: [Catalog-sig] Deprecation of External Urls, Statistics

2013-03-08 Thread PJ Eby
On Fri, Mar 8, 2013 at 8:13 AM, Donald Stufft don...@stufft.io wrote: It does solve the backwards compatibility issue of killing external urls immediately so I'm not flat out against it, but there may be legal issues involved too? I've mentioned this in the other thread as well, but the best

Re: [Catalog-sig] hash tags

2013-03-08 Thread PJ Eby
On Fri, Mar 8, 2013 at 2:52 PM, Noah Kantrowitz n...@coderanger.net wrote: MD5 is _not_ acceptable for anything security related and we shouldn't be adding anything that increases our dependence on it. MD5's only use in the packaging world is to make people who forget that TCP has its own

Re: [Catalog-sig] hash tags

2013-03-08 Thread PJ Eby
On Fri, Mar 8, 2013 at 4:17 PM, M.-A. Lemburg m...@egenix.com wrote: On 08.03.2013 20:16, PJ Eby wrote: There is, as I said before, a MUCH simpler way to do this, that works right now: put direct #md5 download links in your description, and phase out the rel= attributes altogether

Re: [Catalog-sig] hash tags

2013-03-08 Thread PJ Eby
On Fri, Mar 8, 2013 at 4:26 PM, Donald Stufft don...@stufft.io wrote: On Mar 8, 2013, at 4:12 PM, PJ Eby p...@telecommunity.com wrote: On Fri, Mar 8, 2013 at 2:52 PM, Noah Kantrowitz n...@coderanger.net wrote: MD5 is _not_ acceptable for anything security related and we shouldn't be adding

Re: [Catalog-sig] hash tags

2013-03-08 Thread PJ Eby
On Fri, Mar 8, 2013 at 4:28 PM, M.-A. Lemburg m...@egenix.com wrote: On 08.03.2013 20:16, PJ Eby wrote: So, since the page only contains links, might as well put the links straight on PyPI, or at most have an option/tool to load the links from an external source. I don't follow you. We only

Re: [Catalog-sig] hash tags

2013-03-08 Thread PJ Eby
On Fri, Mar 8, 2013 at 4:32 PM, Donald Stufft don...@stufft.io wrote: Here's some more information pulled straight from Wikipedia: Trust me, I've read a LOT of Wikipedia (and even more from other sites, including at least the conclusions of a number of cryptography papers) about hashing attacks

Re: [Catalog-sig] homepage/download metadata cleaning

2013-03-01 Thread PJ Eby
On Fri, Mar 1, 2013 at 6:17 AM, holger krekel hol...@merlinux.eu wrote: On Fri, Mar 01, 2013 at 06:09 -0500, Donald Stufft wrote: On Friday, March 1, 2013 at 6:04 AM, M.-A. Lemburg wrote: On 01.03.2013 11:19, holger krekel wrote: Hi Richard, all, somewhere deep in the threads i

Re: [Catalog-sig] Deprecate External Links

2013-03-01 Thread PJ Eby
On Fri, Mar 1, 2013 at 4:24 AM, M.-A. Lemburg m...@egenix.com wrote: On 01.03.2013 10:02, Reinout van Rees wrote: On 28-02-13 21:08, holger krekel wrote: I have seen that position in this discussion (I have to upload 120 files per release, so I won't do that, for instance). haven't seen

Re: [Catalog-sig] homepage/download metadata cleaning

2013-03-01 Thread PJ Eby
On Fri, Mar 1, 2013 at 2:31 PM, M.-A. Lemburg m...@egenix.com wrote: Hmm, then why not remove links that don't match the above from the /simple/ index pages ? PyPI provides the links uninterpreted since the tools' interpretations have evolved over time. Note that it's easily possible to make

Re: [Catalog-sig] Next generation package infrastructure (was: Deprecate External Links)

2013-02-28 Thread PJ Eby
On Thu, Feb 28, 2013 at 4:31 AM, M.-A. Lemburg m...@egenix.com wrote: In order for this to work out, you will need to get the support of people hosting packages externally and address their concerns. The current discussion has been too dogmatic for my taste. A more pragmatic approach would

Re: [Catalog-sig] Migrating away from scanning home pages (was: Deprecate External Links)

2013-02-28 Thread PJ Eby
On Thu, Feb 28, 2013 at 5:55 AM, M.-A. Lemburg m...@egenix.com wrote: I think we all agree that scanning arbitrary HTML pages for download links is not a good idea and we need to transition away from this towards a more reliable system. Here's an approach that would work to start the

Re: [Catalog-sig] Deprecate External Links

2013-02-28 Thread PJ Eby
On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft donald.stu...@gmail.com wrote: SSL checking on upload should be possible, do you want a patch? If it uses the 'requests' library, yes, I'll accept one. But I don't want to do any direct implementation of SSL cert checking in setuptools, at least

Re: [Catalog-sig] Deprecate External Links

2013-02-27 Thread PJ Eby
On Wed, Feb 27, 2013 at 1:34 PM, Lennart Regebro rege...@gmail.com wrote: On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg m...@egenix.com wrote: I'm not saying that it's not a good idea to host packages on PyPI, but forcing the community into doing this is not a good idea. I still don't

Re: [Catalog-sig] Deprecate External Links

2013-02-27 Thread PJ Eby
On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro rege...@gmail.com wrote: On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor mord...@inaugust.com wrote: But wouldn't this only be a change in pip/easy_install, not PyPI itself? I suppose you could explicitly break the external links by having them

Re: [Catalog-sig] Deprecate External Links

2013-02-27 Thread PJ Eby
On Wed, Feb 27, 2013 at 4:50 PM, Donald Stufft donald.stu...@gmail.com wrote: Development snapshots are a use case that i'm not sure makes sense for PyPI, but if they do should require specific opt-in to install them. Does easy_install have a command line flag that adds extra links? *chuckle*.

Re: [Catalog-sig] HTTPS now promoted on PyPI

2013-02-19 Thread PJ Eby
On Tue, Feb 19, 2013 at 12:13 AM, Richard Jones r1chardj0...@gmail.com wrote: 2. incorporate some monkey-patching into distribute and setuptools and promote those, This is actually on my radar to do for setuptools, as soon as the dust has settled enough on what it is the monkey-patching needs

Re: [Catalog-sig] HTTPS now promoted on PyPI

2013-02-19 Thread PJ Eby
On Tue, Feb 19, 2013 at 8:35 AM, Giovanni Bajo ra...@develer.com wrote: I would be OK with redirecting for browsers (matching the user agent for instance), but I would try to disable for tools as much as possible. Matching paths is an option, too: the /simple index is intended for tools, and

Re: [Catalog-sig] Remove pypi redirects

2013-02-19 Thread PJ Eby
On Tue, Feb 19, 2013 at 1:31 PM, Marcus Smith qwc...@gmail.com wrote: looking on the bright side, it made us aware that we had a leak to pypi in our build. we were trying to be local. so thanks. Had to go update our .pydistutils.cfg file Marcus FYI, easy_install's --allow-hosts option can

Re: [Catalog-sig] New PyPI stats available

2013-02-18 Thread PJ Eby
On Mon, Feb 18, 2013 at 9:55 AM, Alex Clark acl...@aclark.net wrote: aclark@Alexs-MacBook-Pro:~/Developer/aclark/resume/ vanity pydstat pydstat-1.0.0.tar.gz 2012-08-15 2,216 pydstat-1.0.1.tar.gz 2012-08-23 4,367 pydstat has been

Re: [Catalog-sig] Allowing the upload of .py files at PyPI

2013-02-15 Thread PJ Eby
On Thu, Feb 14, 2013 at 6:31 PM, Richard Jones rich...@python.org wrote: The bootstrap.py file would most likely have to be omitted from the usual files listing mechanisms as they are used to determine installable release packages. I would feel more comfortable with the proposed mechanism if

Re: [Catalog-sig] Proposal for the bootstrap API

2013-02-15 Thread PJ Eby
On Fri, Feb 15, 2013 at 8:10 AM, Nick Coghlan ncogh...@gmail.com wrote: On Fri, Feb 15, 2013 at 10:25 PM, Tarek Ziadé ta...@ziade.org wrote: Anyways: I am withdrawing my proposal - if we're special-casing a few projects, why bother creating a new API in the first place ? That's why I asked

Re: [Catalog-sig] Allowing the upload of .py files at PyPI

2013-02-14 Thread PJ Eby
On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan ncogh...@gmail.com wrote: I'm more concerned about phishing style attacks. I don't want the PyPI admins to have to start scanning for hostile names like distirbute. I'm not sure what you mean. These things exist only for the corresponding package

Re: [Catalog-sig] PyPI and setuptools

2013-02-12 Thread PJ Eby
On Sat, Feb 9, 2013 at 6:43 PM, M.-A. Lemburg m...@egenix.com wrote: * distutils config files: http://docs.python.org/2/install/index.html#inst-config-files * setuptools: http://peak.telecommunity.com/DevCenter/EasyInstall#configuration-files

Re: [Catalog-sig] PyPI and setuptools

2013-02-12 Thread PJ Eby
On Mon, Feb 11, 2013 at 2:55 AM, Marcus Smith qwc...@gmail.com wrote: As for then making Distribute the default in virtualenv's (or the only option), there is a virtualenv issue for that. https://github.com/pypa/virtualenv/issues/217 apparently there's an issue with UAC elevation on windows.

Re: [Catalog-sig] PyPI and setuptools

2013-02-12 Thread PJ Eby
On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo ra...@develer.com wrote: On 12 Feb 2013, at 19:36, PJ Eby p...@telecommunity.com wrote: On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo ra...@develer.com wrote: The problem with this approach is that Python standard library does

Re: [Catalog-sig] [Distutils] imp.find_modules and namespaces

2013-02-11 Thread PJ Eby
On Mon, Feb 11, 2013 at 11:40 AM, Alessandro Dentella san...@e-den.it wrote: I believe that this issue belongs to this list, please let me know if I'm wrong. Suppose I have 2 packages: jmb.foo jmb.bar distributed separately. Each has in jmb's __init__ a standard:

Re: [Catalog-sig] [Distutils] imp.find_modules and namespaces

2013-02-11 Thread PJ Eby
On Mon, Feb 11, 2013 at 4:56 PM, Alessandro Dentella san...@e-den.it wrote: thanks for the answer but this way I need to really import jmb while imp.find_module doesn't really import it. If you want to know whether the module 'jmb' exists, you can certainly do that by using

Re: [Catalog-sig] disabling the serving of links from description_html?

2012-12-18 Thread PJ Eby
On Tue, Dec 18, 2012 at 11:46 AM, M.-A. Lemburg m...@egenix.com wrote: AFAIK, setuptools/distribute only looks at links with rel=homepage or rel=download attributes, not all links on the PyPI project page. The links from the description don't receive such attributes. Those are the only links

Re: [Catalog-sig] Flag to tell pip to only install uploaded files

2012-06-22 Thread PJ Eby
On Fri, Jun 22, 2012 at 8:21 PM, Aaron Meurer asmeu...@gmail.com wrote: Hi. I'm following up on a discussion on the pip mailing list ( https://groups.google.com/forum/#!topic/python-virtualenv/PZNj9pC6aKA/discussion ), where I was directed here. Would it be possible to add some kind of a

Re: [Catalog-sig] What is the point of pythonpackages.com?

2012-02-07 Thread PJ Eby
On Mon, Feb 6, 2012 at 3:17 PM, Andreas Jung li...@zopyx.com wrote: My point about this: if a person does not want to host its package on PyPi then it should stay away from PyPI. Package hygiene and a certain level of professional package repository is more important and personal reasons for

Re: [Catalog-sig] What is the point of pythonpackages.com?

2012-02-07 Thread PJ Eby
On Tue, Feb 7, 2012 at 11:18 AM, Martijn Faassen faas...@startifact.com wrote: On 02/07/2012 07:18 AM, Kai Diefenbach wrote: If a listed package is not available (because an external server is down) the index is broken. That's an interesting observation. I would think 'broken' is strong

Re: [Catalog-sig] What is the point of pythonpackages.com?

2012-02-07 Thread PJ Eby
On Tue, Feb 7, 2012 at 12:06 PM, Donald Stufft donald.stu...@gmail.com wrote: On Tuesday, February 7, 2012 at 12:02 PM, PJ Eby wrote: On Mon, Feb 6, 2012 at 3:17 PM, Andreas Jung li...@zopyx.com wrote: My point about this: if a person does not want to host its package on PyPi then it should

Re: [Catalog-sig] Distutils sdist formats best practice

2012-02-07 Thread PJ Eby
On Mon, Feb 6, 2012 at 12:19 PM, Alex Clark acl...@aclark.net wrote: What do pip/easy_install/etc do when they encounter both a .zip and a .tar.gz, for example? IIRC, easy_install will take the longer filename in preference to the shorter one, all else being equal; that's its final tiebreaker

Re: [Catalog-sig] Proposal: close the PyPI file-replacement loophole

2012-02-01 Thread PJ Eby
On Wed, Feb 1, 2012 at 6:06 AM, Yuval Greenfield ubershme...@gmail.com wrote: Does the setup.py/cfg allow me to require a specific hash on SQLAlchemy when automatically resolving dependencies in pip/easy_install? Yes, at least for easy_install. You tack on #md5= to your find_links URLs,