Hello, another pip maintainer here (I think that's 4 of us in here now that
I know of).
I just joined this list, so couldn't respond to the original email, so
just pasted it below. I haven't read all the way through all the messages,
so I apologize for redundancies.
This all sounds reasonable to
On Sun, Feb 10, 2013 at 6:56 PM, Marcus Smith qwc...@gmail.com wrote:
For many users, virtualenvs are their user install, and sudo global
installs are pretty rare. So, putting in a lot of work to fix what to many
seems like a rare behavior makes me a little hesitant. But many users
isn't all
On 2/5/2013 5:59 PM, holger krekel wrote:
On Tue, Feb 05, 2013 at 15:54 -0500, Terry Reedy wrote:
On 2/5/2013 11:35 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft donald.stu...@gmail.com wrote:
Besides the issues with validating that the package we are mirroring
is
Quoting Terry Reedy tjre...@udel.edu:
Currently, it similarly (last I knew) requires an explicit license
before accepting and distributing code (as opposed to index info) on
PyPI. That appears to be a conservative, better safe than sorry,
policy recommended by the PSF lawyer.
The
On Tue, Feb 5, 2013 at 8:42 AM, M.-A. Lemburg m...@egenix.com wrote:
On 05.02.2013 02:36, Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to run sudo pip with
On 05.02.2013 09:02, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 8:42 AM, M.-A. Lemburg m...@egenix.com wrote:
On 05.02.2013 02:36, Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
On Tue, Feb 5, 2013 at 9:11 AM, M.-A. Lemburg m...@egenix.com wrote:
The solution Nick proposed also has another issue: it would
install packages meant for a virtualenv in the user's site
packages dir (outside the virtualenv)... If pip used the user
site packages by default (when running as
On Tue, Feb 5, 2013 at 10:19 AM, Lennart Regebro rege...@gmail.com wrote:
On Tue, Feb 5, 2013 at 9:11 AM, M.-A. Lemburg m...@egenix.com wrote:
Looks like a slippery road if you try to make pip guess
what the right installation dir should be, e.g. by trying
to detect that it's running in a
On 05/feb/2013, at 02:36, Nick Coghlan ncogh...@gmail.com wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to run sudo pip with unsigned packages
On Tue, Feb 5, 2013 at 10:57 AM, Giovanni Bajo ra...@develer.com wrote:
One meta-question: does this mailing-list have any authority over pip?
Nope. And none over Distribute/Setuptools either.
Are there any pip maintainers here?
Yes, at least one. But the more the merrier as they may have
On Tue, Feb 5, 2013 at 10:16 AM, Lennart Regebro rege...@gmail.com wrote:
We do also have at least one Distribute maintainer on the list. For
Setuptools it would be best if Distribute and Setuptools could be
merged.
+1 on this. On #python we daily get people asking about bugs in setuptools,
On Tue, Feb 5, 2013 at 7:57 PM, Giovanni Bajo ra...@develer.com wrote:
One meta-question: does this mailing-list have any authority over pip? Are
there any pip maintainers here? Because I see that pip development being done
on different channels, so I was wondering what is the workflow to
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading from external download links. A deprecation period for
this of a couple of months,
On Feb 5, 2013, at 7:51 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading from
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading
On Feb 5, 2013, at 8:02 AM, Holger Krekel holger.kre...@gmail.com wrote:
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
PyPI will need to change for this to happen realistically if I recall. There
is a hard limit on how large of a distribution can be uploaded to PyPI
and there are, if I recall, valid distributions which are larger than
On Tue, Feb 5, 2013 at 2:05 PM, Jesse Noller jnol...@gmail.com wrote:
On Feb 5, 2013, at 8:02 AM, Holger Krekel holger.kre...@gmail.com wrote:
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1.
On Tuesday, February 5, 2013 at 8:06 AM, Lennart Regebro wrote:
Anyone know which ones? scipy is the largest I know of, at 6-7 MB.
Someone told me once (Richard maybe?) I think the one mentioned was
one of the GUI toolkits? If there is one I'm sure there are others so if that
is a direction
On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel holger.kre...@gmail.com wrote:
Dropping the crawling over external pages needs _much_ more than just a few
months deprecation warnings, rather years. There are many packages out
there, and it would break people's installations.
No it won't.
On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel holger.kre...@gmail.com wrote:
Dropping the crawling over external pages needs _much_ more than just a few
months deprecation warnings, rather
On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft donald.stu...@gmail.com wrote:
A longer deprecation wouldn't be a bad thing merely because a lot
of people depend on this feature without even realizing it. Crate has
an index you can use that removes all external urls to test your own
projects
On Tuesday, February 5, 2013 at 8:34 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft donald.stu...@gmail.com wrote:
A longer deprecation wouldn't be a bad thing merely because a lot
of people depend on this feature without even
At Tue, 5 Feb 2013 11:36:46 +1000,
Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to run sudo pip with unsigned packages
(sometimes on untrusted networks).
On 05.02.2013 14:06, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 1:51 PM, Donald Stufft donald.stu...@gmail.com wrote:
PyPI will need to change for this to happen realistically if I recall. There
is a hard limit on how large of a distribution can be uploaded to PyPI
and there are, if I
On 05.02.2013 14:18, Donald Stufft wrote:
On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote:
That will mean that a man in the middle-attack might poison PyPI's
cache. I don't think that's a feasible path forward.
Packages do not need to be cached, as they are not supposed to
On Tue, Feb 5, 2013 at 2:13 PM, Lennart Regebro rege...@gmail.com wrote:
On Tue, Feb 5, 2013 at 2:02 PM, Holger Krekel holger.kre...@gmail.com
wrote:
Dropping the crawling over external pages needs _much_ more than just a
few
months deprecation warnings, rather years. There are many
On Tue, Feb 5, 2013 at 11:55 PM, Jeroen Dekkers jer...@dekkers.ch wrote:
At Tue, 5 Feb 2013 11:36:46 +1000,
Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to
On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
SHA2 hash of the file to be downloaded from an external host would be
enough to
On 05/feb/2013, at 15:34, Daniel Holth dho...@gmail.com wrote:
On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
On 05/feb/2013, at 15:06, Holger Krekel holger.kre...@gmail.com wrote:
In the end, however, none of this prevents MITM attacks between a downloader
and pypi.python.org. Or between the uploader and pypi.python.org (using
basic auth over http often). Signing methods like
On Tue, Feb 5, 2013 at 5:16 AM, Lennart Regebro rege...@gmail.com wrote:
...
1. Packages should only be installed from the given package indexes.
No scraping of websites as at least easy_install/buildout does, no
downloading from external download links. A deprecation period for
this of a
On Tue, Feb 5, 2013 at 2:42 PM, Donald Stufft donald.stu...@gmail.com wrote:
If you break people's ability to install packages right away they'll refuse
to upgrade.
Good point. We want the problems to be fixed, not avoided.
One thing just struck me: We have the maintainer emails of most
On Wed, Feb 6, 2013 at 12:46 AM, Giovanni Bajo ra...@develer.com wrote:
On 05/feb/2013, at 15:06, Holger Krekel holger.kre...@gmail.com wrote:
In the end, however, none of this prevents MITM attacks between a downloader
and pypi.python.org. Or between the uploader and
On Tue, Feb 05, 2013 at 15:46 +0100, Giovanni Bajo wrote:
On 05/feb/2013, at 15:06, Holger Krekel holger.kre...@gmail.com wrote:
In the end, however, none of this prevents MITM attacks between a
downloader and pypi.python.org. Or between the uploader and
On Wed, Feb 6, 2013 at 12:54 AM, Jim Fulton j...@zope.com wrote:
pip will need to learn to prefer non-final releases.
I was pressed to put buildout alpha and beta releases on a separate site
because of the concern that they'd be installed inadvertently by pip.
FWIW, PEP 426 aims to address
On Tuesday, February 5, 2013 at 9:54 AM, Jim Fulton wrote:
pip will need to learn to prefer non-final releases.
PEP426 states this as part of its requirements so I expect all package
tools to move that way, and, at the risk of promising time I don't have,
if someone else doesn't make pip do
On 05/feb/2013, at 15:57, Nick Coghlan ncogh...@gmail.com wrote:
On Wed, Feb 6, 2013 at 12:46 AM, Giovanni Bajo ra...@develer.com wrote:
On 05/feb/2013, at 15:06, Holger Krekel holger.kre...@gmail.com wrote:
In the end, however, none of this prevents
On Tuesday, February 5, 2013 at 9:53 AM, holger krekel wrote:
Point taken. I guess unless someone sits down and writes a PEP-ish path for
fortification, it's gonna be hard to assess viability and resilience
against the several attack vectors which should be sorted/prioritized.
Or is somebody
On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel holger.kre...@gmail.com wrote:
I wouldn't assume that maintainers are easily reachable. I've contacted at
least three people of different (1K downloads) packages which never
responded.
We really can't do very much about abandoned packages.
And
On Tuesday, February 5, 2013 at 10:06 AM, Giovanni Bajo wrote:
I do agree; in fact, I'm not the one suggesting to eg. pinning CA
certificates.
What I'm saying is that it's far more important to fix HTTPS in PyPI than to
verify GPG signatures. So when I hear the argument if we just verify
On Wed, Feb 6, 2013 at 1:06 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 9:53 AM, holger krekel wrote:
Point taken. I guess unless someone sits down and writes a PEP-ish path for
fortification, it's gonna be hard to assess viability and resilience
against
On Tue, Feb 5, 2013 at 3:24 PM, Daniel Holth dho...@gmail.com wrote:
As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
SHA2 hash of the file to be downloaded from an external host would be enough
to detect tampering over time.
Hm. The discussion about signatures of
On Tue, Feb 05, 2013 at 16:07 +0100, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel holger.kre...@gmail.com wrote:
I wouldn't assume that maintainers are easily reachable. I've contacted at
least three people of different (1K downloads) packages which never
responded.
On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote:
Transporting almost all externally reachable packages to be locally pypi
served is also kind of a low hanging fruit, although probably slightly
higher hanging than SSL :) The point is that we can have some control over
those
On Tue, Feb 5, 2013 at 4:14 PM, holger krekel hol...@merlinux.eu wrote:
Sure, and that's another problem, and the low-hanging fruit there is
using https.
Transporting almost all externally reachable packages to be locally pypi
served is also kind of a low hanging fruit, although probably
On Tue, Feb 05, 2013 at 10:18 -0500, Donald Stufft wrote:
On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote:
Transporting almost all externally reachable packages to be locally pypi
served is also kind of a low hanging fruit, although probably slightly
higher hanging than SSL :)
On Tuesday, February 5, 2013 at 10:41 AM, holger krekel wrote:
MITM attacking any of the many world-wide pypi/easy_install downloads
from external sites is much easier than tampering a few one-time
downloads (verified against each other) for pypi.python.org's
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft donald.stu...@gmail.com wrote:
Besides the issues with validating that the package we are mirroring
is the authentic one there's also a legal issue. We don't know for sure
that we have the legal rights to redistribute those files. When you upload
a
Hello,
M.-A. Lemburg mal at egenix.com writes:
If pip used the user site packages by default (when running as anyone
other than root), that dangerous UI flow wouldn't happen. Even when
pip was run outside a virtualenv, it would just work from the user's
perspective. It also has the
On 2/5/2013 11:35 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft donald.stu...@gmail.com wrote:
Besides the issues with validating that the package we are mirroring
is the authentic one there's also a legal issue. We don't know for sure
that we have the legal rights to
On 2/5/2013 8:02 AM, Jesse Noller wrote:
On Feb 5, 2013, at 7:51 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16 AM, Lennart Regebro wrote:
1. Packages should only be installed from the given package indexes.
No scraping
On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote:
On 2/5/2013 8:02 AM, Jesse Noller wrote:
On Feb 5, 2013, at 7:51 AM, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 5:16
On Tuesday, February 5, 2013 at 4:04 PM, Donald Stufft wrote:
On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote:
Why is downloading from
code.google.com, for instance, worse than from
pypi.python.org?
On Tuesday, February 5, 2013 at 4:02 PM, Terry Reedy wrote:
Why is downloading from
code.google.com, for instance, worse than from
pypi.python.org?
http://prettytable.googlecode.com/files/prettytable-0.6.tar.gz
^ What secures that (totally
On Tue, Feb 5, 2013 at 9:54 PM, Terry Reedy tjre...@udel.edu wrote:
The last I read (and I cannot find the seemingly hidden page) the author (or
rights-holder) of code must grant PSF something more than just
redistribution rights before uploading it. The same must also certify some
mumbo-jumbo
On Tue, Feb 05, 2013 at 15:54 -0500, Terry Reedy wrote:
On 2/5/2013 11:35 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft donald.stu...@gmail.com
wrote:
Besides the issues with validating that the package we are mirroring
is the authentic one there's also a legal
On 6 February 2013 00:09, Donald Stufft donald.stu...@gmail.com wrote:
On Tuesday, February 5, 2013 at 8:06 AM, Lennart Regebro wrote:
Anyone know which ones? scipy is the largest I know of, at 6-7 MB.
Someone told me once (Richard maybe?) I think the one mentioned was
one of the GUI
On 5 February 2013 12:36, Nick Coghlan ncogh...@gmail.com wrote:
[snip sudo pip common bad]
If pip used the user site packages by default (when running as anyone
other than root), that dangerous UI flow wouldn't happen.
Thoughts?
I think it's a great idea.
Perhaps also having pip warn
On Monday, February 4, 2013 at 9:40 PM, Richard Jones wrote:
On 5 February 2013 12:36, Nick Coghlan ncogh...@gmail.com wrote:
[snip sudo pip common bad]
If pip used the user site packages by default (when running as anyone
other than root), that dangerous
On 02/04/2013 07:42 PM, Donald Stufft wrote:
I think the biggest problem with this idea is going to be backwards
compatibility. It's a good idea but it might need to be done as
a if we don't have permissions to write to the site-packages directory
fail with a good error message and recommend
On 5 February 2013 13:45, Carl Meyer c...@oddbird.net wrote:
On 02/04/2013 07:42 PM, Donald Stufft wrote:
I think the biggest problem with this idea is going to be backwards
compatibility. It's a good idea but it might need to be done as
a if we don't have permissions to write to the
On Tue, Feb 5, 2013 at 3:36 AM, Nick Coghlan ncogh...@gmail.com wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to run sudo pip with unsigned packages
(sometimes on
On Tue, Feb 5, 2013 at 3:20 PM, Yuval Greenfield ubershme...@gmail.com wrote:
Excellent idea.
I've been using sudo pip install since forever for the exact reason you
mention. I don't even know how to install anything with pip and no sudo.
If you're not inside a virtualenv, then pip install
On 05.02.2013 02:36, Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community is to run sudo pip with unsigned packages
(sometimes on untrusted networks).
To my mind,