After the discussions we've had on the catalog sig, I have updated
the proposal to include comments and clarifications regarding the setup
and its relationship to the mirror PEP (see the end of the proposal).
While I don't think that the proposal has an influence on whether
or when PEP 381 gets
On Tue, Jun 29, 2010 at 4:39 PM, M.-A. Lemburg m...@egenix.com wrote:
[..]
Competing with PEP 381
--
A few PEP 381 developers have stated that this proposal would limit
the interest in PEP 381 implementations and argue that the proposal
would compete with their proposed
A few notes:
On Tue, Jun 29, 2010 at 9:39 AM, M.-A. Lemburg m...@egenix.com wrote:
In order to maintain its credibility as software repository, to
support the many different projects relying on the PyPI infrastructure
and the many users who rely on the simplified installation process
enabled
* Move the PyPI installation to mod_wsgi (I believe it is using FCGI
now?)
For the latter: correct.
For the former (use mod_wsgi): I had actually implemented it, but needed
to revert to FCGI, because mod_wsgi would cause too many hanging servers.
This is largely work that would have to
I'm surprised, what specific mod_wsgi configuration did you try?
Not sure I understand the question:
WSGIDaemonProcess pypi display-name=wsgi-pypi processes=10 threads=1
maximum-requests=2000
WSGIProcessGroup pypi
WSGIPassAuthorization On
WSGIScriptAlias /pypi /data/pypi/src/pypi/pypi.wsgi
On Sat, Jun 19, 2010 at 8:58 AM, Martin v. Löwis mar...@v.loewis.de wrote:
A simple way to protect against just the issue you mentioned is to
have the clients retrieve the key over HTTPS or distribute the key
with the client.
Ok. I have now enabled https for PyPI
On Thu, Jun 17, 2010 at 6:30 AM, Ian Bicking i...@colorstudy.com wrote:
On Wed, Jun 16, 2010 at 1:37 PM, Martin v. Löwis mar...@v.loewis.de
wrote:
It is likely that some people will set up a mirror and then forget to
take care
about it. Like our buildbots really.
The same can happen to any
On 09:39 pm, ziade.ta...@gmail.com wrote:
On Thu, Jun 17, 2010 at 6:30 AM, Ian Bicking i...@colorstudy.com
wrote:
On Wed, Jun 16, 2010 at 1:37 PM, Martin v. Löwis
mar...@v.loewis.de
wrote:
It is likely that some people will set up a mirror and then forget
to
take care
about it. Like our
On Fri, Jun 18, 2010 at 11:47 PM, exar...@twistedmatrix.com wrote:
[..]
There are (multiple!) open source implementations of the Amazon API. If
Amazon decides to discontinue their cloud services (something I doubt should
really be one of the top ten concerns here), then anyone else can set
I'm not clear on this and the document is a little vague, so perhaps
I should be perusing the source, but if you don't protect against a
serverkey MITM and you are supposed to update the serverkey any
time a signature doesn't match up, couldn't an attacker just MITM
you, produce a known bad
That's true; transmission of the serverkey is not currently protected
against MITM. How would you suggest to fix that?
As for perusing the source: the client behavior is not implemented yet,
so there isn't really any source to check, yet.
Following up to myself: The mirroring protocol doesn't
On Tue, Jun 15, 2010 at 11:09 PM, Martin v. Löwis mar...@v.loewis.de wrote:
I'm not clear on this and the document is a little vague, so perhaps
I should be perusing the source, but if you don't protect against a
serverkey MITM and you are supposed to update the serverkey any
time a signature
Tarek Ziadé ziade.tarek at gmail.com writes:
And we happen to have this network already: lots of people
will host a PyPI mirror as soon as it's easy to set one imho.
You must be careful that the mirrors are properly managed and administered,
though. Having stale/dysfunctional mirrors is
Antoine Pitrou wrote:
Tarek Ziadé ziade.tarek at gmail.com writes:
And we happen to have this network already: lots of people
will host a PyPI mirror as soon as it's easy to set one imho.
You must be careful that the mirrors are properly managed and administered,
though. Having
On Wed, Jun 16, 2010 at 2:41 AM, Justin Cappos
just...@cs.washington.edu wrote:
On Tue, Jun 15, 2010 at 11:09 PM, Martin v. Löwis mar...@v.loewis.de
wrote:
I'm not clear on this and the document is a little vague, so perhaps
I should be perusing the source, but if you don't protect against a
Am 16.06.2010 13:53, schrieb Antoine Pitrou:
Tarek Ziadé ziade.tarek at gmail.com writes:
And we happen to have this network already: lots of people
will host a PyPI mirror as soon as it's easy to set one imho.
You must be careful that the mirrors are properly managed and administered,
On 6/16/2010 8:20 AM, M.-A. Lemburg wrote:
Antoine Pitrou wrote:
Tarek Ziadé ziade.tarek at gmail.com writes:
And we happen to have this network already: lots of people
will host a PyPI mirror as soon as it's easy to set one imho.
You must be careful that the mirrors are properly managed
As mentioned, I've been working on a proposal text for the cloud idea.
Here's a first draft. Please have a look and let me know whether I've
missed any important facts. Thanks.
I intend to post the proposal to the PSF board (of which I'm a member,
in case you shouldn't know) and to have it vote
On Tue, Jun 15, 2010 at 7:49 AM, M.-A. Lemburg m...@egenix.com wrote:
As mentioned, I've been working on a proposal text for the cloud idea.
Here's a first draft. Please have a look and let me know whether I've
missed any important facts. Thanks.
What about a set of volunteer mirrors of PyPI
On Tue, 15 Jun 2010 09:49:03 pm M.-A. Lemburg wrote:
As mentioned, I've been working on a proposal text for the cloud
idea. Here's a first draft. Please have a look and let me know
whether I've missed any important facts. Thanks.
I think the most important missed fact is, just how unreliable
Steven D'Aprano wrote:
On Tue, 15 Jun 2010 09:49:03 pm M.-A. Lemburg wrote:
As mentioned, I've been working on a proposal text for the cloud
idea. Here's a first draft. Please have a look and let me know
whether I've missed any important facts. Thanks.
I think the most important missed fact
Alexis Métaireau wrote:
Hello,
Firstly, as Tarek said in another thread, I'm afraid this kills the PEP381
about making a mirroring infrastructure.
Having an infrastructure hosted on a cloud platform may be comfortable, and
probably needed to have a 24/7 running system, but
we need to take
Michael Crute wrote:
On Tue, Jun 15, 2010 at 7:49 AM, M.-A. Lemburg m...@egenix.com wrote:
As mentioned, I've been working on a proposal text for the cloud idea.
Here's a first draft. Please have a look and let me know whether I've
missed any important facts. Thanks.
What about a set of
On Tue, Jun 15, 2010 at 6:02 PM, M.-A. Lemburg m...@egenix.com wrote:
Alexis Métaireau wrote:
Hello,
Firstly, as Tarek said in another thread, I'm afraid this kills the PEP381
about making a mirroring infrastructure.
Having an infrastructure hosted on a cloud platform may be comfortable, and
On 15 Jun, 2010, at 19:02, Tarek Ziadé wrote:
On Tue, Jun 15, 2010 at 6:02 PM, M.-A. Lemburg m...@egenix.com wrote:
Alexis Métaireau wrote:
Hello,
Firstly, as Tarek said in another thread, I'm afraid this kills the PEP381
about making a mirroring infrastructure.
Having an infrastructure
Tarek Ziadé wrote:
On Tue, Jun 15, 2010 at 6:02 PM, M.-A. Lemburg m...@egenix.com wrote:
Alexis Métaireau wrote:
Hello,
Firstly, as Tarek said in another thread, I'm afraid this kills the PEP381
about making a mirroring infrastructure.
Having an infrastructure hosted on a cloud platform may
Jesus Cea wrote:
On 15/06/10 13:49, M.-A. Lemburg wrote:
Server side: upload cronjobs
Since the /simple index tree is currently being created dynamically,
we'd need to create static copies of it at regular intervals in order
to upload the content to the S3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 16:33, Steven D'Aprano wrote:
For example, if a single edge server in (say) Australia goes down,
Amazon might not count it as an outage for the purpose of calculating
their 99.99% reliability since the system as a whole is still up,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 19:45, M.-A. Lemburg wrote:
Note that with community servers that only mirror once a day,
you'd have to wait up to a whole day for your package updates
to become visible worldwide.
But TODAY mirror use is voluntary and per-user. That
On Tue, Jun 15, 2010 at 7:34 PM, M.-A. Lemburg m...@egenix.com wrote:
[..]
So I think it would be better to focus on PEP 381, and make those
existing mirrors comply with it. And maybe work on the legal issues
you've mentioned
That can all happen in parallel.
I really doubt it.
You have come
On Tue, Jun 15, 2010 at 8:21 PM, Jesus Cea j...@jcea.es wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 19:45, M.-A. Lemburg wrote:
Note that with community servers that only mirror once a day,
you'd have to wait up to a whole day for your package updates
to become visible
On Tue, Jun 15, 2010 at 7:43 PM, M.-A. Lemburg m...@egenix.com wrote:
Tarek Ziadé wrote:
On Tue, Jun 15, 2010 at 7:15 PM, Ronald Oussoren ronaldousso...@mac.com
wrote:
On 15 Jun, 2010, at 19:02, Tarek Ziadé wrote:
On Tue, Jun 15, 2010 at 6:02 PM, M.-A. Lemburg m...@egenix.com wrote:
Tarek Ziadé wrote:
On Tue, Jun 15, 2010 at 7:34 PM, M.-A. Lemburg m...@egenix.com wrote:
[..]
So I think it would be better to focus on PEP 381, and make those
existing mirrors comply with it. And maybe work on the legal issues
you've mentioned
That can all happen in parallel.
I really
Martin v. Löwis wrote:
I read pep 381 long time ago and I don't remember how/when a mirror
would update, but I do remember it doesn't mandate digital signatures
(signed by pypi central node, verified by setuptools & friends). That is a
big gap, in my opinion.
The PEP doesn't explain the
* How will clients be sure that they are getting the correct key ?
They should initially download it from the master server (when that is
online) and cache it.
* What would a client do if the PyPI server is down ?
Isn't that straightforward?
* How would clients protect their local
Martin v. Löwis wrote:
PyPI itself has in recent months been mostly maintained by one
developer: Martin von Loewis. Projects are underway to enhance PyPI
in various ways, including a proposal to add external mirroring (PEP
381), but these are all far from being finalized or implemented.
Tarek Ziadé wrote:
On Tue, Jun 15, 2010 at 10:14 PM, M.-A. Lemburg m...@egenix.com wrote:
I'm not trying to compete with your mirror PEP, just trying
to solve a problem.
We are trying to solve the same problem, aren't we ?
Sure, but the intent is not to compete with the PEP. Even with
the
* How will clients be sure that they are getting the correct key ?
They should initially download it from the master server (when that is
online) and cache it.
So they'll use HTTPS and check the server certificate
as well ?
No. But they trust that the package contents are untampered when
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 20:52, Tarek Ziadé wrote:
Do you trust the package you are installing more than an official
mirror ? if so, why ?
If a package is signed by the author, I only need to trust the author.
If a package is not signed in PYPI, I must trust
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 21:52, Martin v. Löwis wrote:
As for timeliness: it would be reasonable to set up the mirrors so that
they won't be behind more than one minute (by polling for changes every
minute). On the one hand, some people claim that this would be
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 22:04, Martin v. Löwis wrote:
I read pep 381 long time ago and I don't remember how/when a mirror
would update, but I do remember it doesn't mandate digital signatures
(signed by pypi central node, verified by setuptools & friends). That
What's important also, is to make sure z3c.pypimirror includes the
server-side work, so existing mirrors can be upgraded.
Not really. z3c.pypimirror has a completely different function.
Operators providing one of the official PyPI mirrors should use
pep381client instead.
Of course, if
Could I ask pep381 to be updated?
Sure you can ask. So did I.
Regards,
Martin
___
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 22:33, M.-A. Lemburg wrote:
* How will clients be sure that they are getting the correct key ?
Err... Download from a HTTPS server, with certificate verification in
the client, would be nice :).
* What would a client do if the PyPI
WebHooks: http://webhooks.pbworks.com/
Exactly so. Still, it requires a non-static web server.
Also, with a push model, it's more difficult for the client to determine
whether the server is current. In a pull model, the client can look at
the last synchronization timestamp, and determine
On Wed, 16 Jun 2010 03:44:05 am Jesus Cea wrote:
2. Packages MUST be digitally signed. Ideally by the owner
-1 on requiring that by the package owner. While digitally signing
packages is a good idea, the state of the art is not yet so simple that
this will be anything but a barrier to entry
On Tue, Jun 15, 2010 at 2:55 PM, Jesus Cea j...@jcea.es wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 20:52, Tarek Ziadé wrote:
Do you trust the package you are installing more than an official
mirror ? if so, why ?
If a package is signed by the author, I only need to
On Tue, Jun 15, 2010 at 11:55 PM, Jesus Cea j...@jcea.es wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 20:52, Tarek Ziadé wrote:
Do you trust the package you are installing more than an official
mirror ? if so, why ?
If a package is signed by the author, I only need to
On Tue, Jun 15, 2010 at 6:24 PM, Steven D'Aprano st...@pearwood.info wrote:
A digital signature is not an MD5 checksum, it may have actual legal
meaning in many countries equivalent to a pen and paper signature.
I would expect that verifying a package was signed by PyPI to mean no more than
2010/6/16 Martin v. Löwis mar...@v.loewis.de:
What's important also, is to make sure z3c.pypimirror includes the
server-side work, so existing mirrors can be upgraded.
Not really. z3c.pypimirror has a completely different function.
It's a mirroring script for PyPI. Why do you say it has a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 16/06/10 00:24, Steven D'Aprano wrote:
I would not be digitally signing anything I didn't create unless I had
good legal advice that it was safe to do so.
The pypi signature certifies that the package has not been tampered
with. It DOES NOT
I would not be digitally signing anything I didn't create unless I had
good legal advice that it was safe to do so.
I'm actually not worried about this. In my own country, a valid digital
signature requires much more than invocation of the RSA algorithm. E.g.
availability of certain certified
Is the plan to use what is proposed in
http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html in
practice?
You mean, is it implemented and deployed? Sure - just try for yourself.
Is more information available about this?
This is not a very specific question. The answer is
Am 16.06.2010 00:38, schrieb Tarek Ziadé:
2010/6/16 Martin v. Löwis mar...@v.loewis.de:
What's important also, is to make sure z3c.pypimirror includes the
server-side work, so existing mirrors can be upgraded.
Not really. z3c.pypimirror has a completely different function.
It's a mirroring
Am 16.06.2010 00:37, schrieb Fred Drake:
On Tue, Jun 15, 2010 at 6:24 PM, Steven D'Aprano st...@pearwood.info wrote:
A digital signature is not an MD5 checksum, it may have actual legal
meaning in many countries equivalent to a pen and paper signature.
I would expect that verifying a package
On Tue, Jun 15, 2010 at 3:55 PM, Martin v. Löwis mar...@v.loewis.de wrote:
Is the plan to use what is proposed in
http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html in
practice?
You mean, is it implemented and deployed? Sure - just try for yourself.
Is more information