Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-13 Thread Tres Seaver
On 03/12/2013 03:57 PM, holger krekel wrote: Nobody should be led to think that PYPI is a trusted or reviewed source of software even if we got rid of external hosting completely. Amen. I still boggle at the amount of sky is falling stuff here

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-13 Thread Donald Stufft
On Mar 13, 2013, at 12:54 PM, Tres Seaver tsea...@palladion.com wrote: On 03/12/2013 03:57 PM, holger krekel wrote: Nobody should be led to think that PYPI is a trusted or reviewed source of software even if we got rid of external hosting completely. Amen. I still

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-13 Thread Tres Seaver
On 03/13/2013 01:06 PM, Donald Stufft wrote: Really now? Let's see I can easily protect against malicious uploads by only installing from trusted authors How do you know who to trust? What if an author you trust adds a dependency to a package to an

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-13 Thread Donald Stufft
On Mar 13, 2013, at 1:21 PM, Tres Seaver tsea...@palladion.com wrote: On 03/13/2013 01:06 PM, Donald Stufft wrote: Really now? Let's see I can easily protect against malicious uploads by only installing from trusted authors How do you know who to trust? What if an author

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-13 Thread Robert Collins
On 14 March 2013 05:54, Tres Seaver tsea...@palladion.com wrote: On 03/12/2013 03:57 PM, holger krekel wrote: Nobody should be led to think that PYPI is a trusted or reviewed source of software even if we got rid of external hosting completely.

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jesse Noller
On Mar 12, 2013, at 1:25 AM, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 8:57 PM, PJ Eby p...@telecommunity.com wrote: On Mon, Mar 11, 2013 at 1:45 PM, Lennart Regebro rege...@gmail.com wrote: So, we should not remove the links for external packages until somebody

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 1:25 AM, Lennart Regebro rege...@gmail.com wrote: Externally hosted files are a real world actual problem. You're leaving out some important words from that sentence. Words like, for some people and who choose to depend on projects using them. PyPI isn't your private

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 10:38 AM, PJ Eby p...@telecommunity.com wrote: I'll ask it again: why should *thousands* of projects be censored or made to change their release processes, because *you* can't be bothered to cache the distributions of the projects you depend on? Because

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 10:38 AM, PJ Eby p...@telecommunity.com wrote: AFAICT, you're the ones stopping things moving forward here, filibustering against every possible compromise. Sorry, one more thing: I'm interested in what your compromise would be. Can you write up a counter-proposal to

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 16:42, Jacob Kaplan-Moss wrote: On Tue, Mar 12, 2013 at 10:38 AM, PJ Eby p...@telecommunity.com wrote: I'll ask it again: why should *thousands* of projects be censored or made to change their release processes, because *you* can't be bothered to cache the distributions of the

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg m...@egenix.com wrote: So let's do this carefully and find a good solution before jumping to conclusions. Completely agreed; rushing is a bad idea. But so is not starting. What I'm seeing — as a total outsider, a user of these tools, not someone

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread M.-A. Lemburg
On 12.03.2013 17:29, Jacob Kaplan-Moss wrote: On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg m...@egenix.com wrote: So let's do this carefully and find a good solution before jumping to conclusions. Completely agreed; rushing is a bad idea. But so is not starting. What I'm seeing — as a

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 12:29 PM, Jacob Kaplan-Moss ja...@jacobian.org wrote: On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg m...@egenix.com wrote: So let's do this carefully and find a good solution before jumping to conclusions. Completely agreed; rushing is a bad idea. But so is not

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread holger krekel
On Tue, Mar 12, 2013 at 13:18 -0400, PJ Eby wrote: On Tue, Mar 12, 2013 at 12:29 PM, Jacob Kaplan-Moss ja...@jacobian.org wrote: On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg m...@egenix.com wrote: So let's do this carefully and find a good solution before jumping to conclusions.

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jesse Noller
And I've put multiple compromise proposals out there to begin mitigating the problem *now* (i.e. for non-updated versions of setuptools), and every time, the objection is, no, we need to ban it all now, no discussion, no re-evaluation, no personal choice, everyone must do as we say, no

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 1:33 PM, Jesse Noller jnol...@gmail.com wrote: There's not much to understand: external hosting of packages is *actively harmful*, period. End users of easy_install and pip *don't even realize* 99% of the time that these tools are following links off of PyPI and

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Donald Stufft
On Mar 12, 2013, at 12:41 PM, M.-A. Lemburg m...@egenix.com wrote: On 12.03.2013 17:29, Jacob Kaplan-Moss wrote: On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg m...@egenix.com wrote: So let's do this carefully and find a good solution before jumping to conclusions. Completely agreed;

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Carl Meyer
It seems to me that there's a remarkable level of consensus developing here (though it may not look like it), and a small set of remaining open questions. The consensus (as I see it): - Migrate away from scraping external HTML pages, with package owners in control of the migration but a deadline

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Robert Collins
On 13 March 2013 07:18, Carl Meyer c...@oddbird.net wrote: It seems to me that there's a remarkable level of consensus developing here (though it may not look like it), and a small set of remaining open questions. The consensus (as I see it): I think that is a fair summary. One thing I'd

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 12:54 PM, PJ Eby p...@telecommunity.com wrote: This is a rationale for secure defaults for various options, like the ones I outlined in the portions of my post that you *didn't* quote. It's not a rationale for removing the options themselves. Exactly; thanks for saying

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 1:00 PM, M.-A. Lemburg m...@egenix.com wrote: The whole Python package eco-system works based on trust and injecting fear into this system is not helpful, IMO. I'm sorry if my words came across that way; I'm not trying to scare anyone. I'm trying to emphasize that this

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jesse Noller
On Tuesday, March 12, 2013 at 2:56 PM, Jacob Kaplan-Moss wrote: On Tue, Mar 12, 2013 at 1:00 PM, M.-A. Lemburg m...@egenix.com wrote: The whole Python package eco-system works based on trust and injecting fear into this system is not helpful, IMO. I'm

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 1:58 PM, Jesse Noller jnol...@gmail.com wrote: Nah, that was me injecting fear. I call dibs on that one. Aw, man! Can I have Uncertainty and Doubt then? Jacob

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jesse Noller
On Tuesday, March 12, 2013 at 2:59 PM, Jacob Kaplan-Moss wrote: On Tue, Mar 12, 2013 at 1:58 PM, Jesse Noller jnol...@gmail.com wrote: Nah, that was me injecting fear. I call dibs on that one. Aw, man! Can I have Uncertainty and Doubt then? Jacob

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Monty Taylor
On 03/12/2013 11:00 AM, M.-A. Lemburg wrote: On 12.03.2013 18:33, Jesse Noller wrote: And I've put multiple compromise proposals out there to begin mitigating the problem *now* (i.e. for non-updated versions of setuptools), and every time, the objection is, no, we need to ban it all now,

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread holger krekel
On Tue, Mar 12, 2013 at 12:18 -0600, Carl Meyer wrote: It seems to me that there's a remarkable level of consensus developing here (though it may not look like it), and a small set of remaining open questions. The consensus (as I see it): - Migrate away from scraping external HTML pages,

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 2:18 PM, Carl Meyer c...@oddbird.net wrote: It seems to me that there's a remarkable level of consensus developing here (though it may not look like it), and a small set of remaining open questions. The consensus (as I see it): - Migrate away from scraping external

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 2:43 PM, Robert Collins robe...@robertcollins.net wrote: This takes an age when each new web host to talk to is a new DNS lookup (say 0.3 seconds) + HTTP request (0.6 seconds) with possible HTTPS setup in there too (up to 1.2 seconds). A project with dozens of

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 2:21 PM, PJ Eby p...@telecommunity.com wrote: The *only* thing I object to is the part where some people want to ban external links from /simple, always and forever, regardless of the package authors' choice in the matter. Here's the thing though, there are already a

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread holger krekel
On Tue, Mar 12, 2013 at 14:36 -0500, Jacob Kaplan-Moss wrote: On Tue, Mar 12, 2013 at 2:21 PM, PJ Eby p...@telecommunity.com wrote: The *only* thing I object to is the part where some people want to ban external links from /simple, always and forever, regardless of the package authors'

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread holger krekel
On Tue, Mar 12, 2013 at 15:21 -0400, PJ Eby wrote: On Tue, Mar 12, 2013 at 2:18 PM, Carl Meyer c...@oddbird.net wrote: It seems to me that there's a remarkable level of consensus developing here (though it may not look like it), and a small set of remaining open questions. The consensus

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 3:36 PM, Jacob Kaplan-Moss ja...@jacobian.org wrote: On Tue, Mar 12, 2013 at 2:21 PM, PJ Eby p...@telecommunity.com wrote: The *only* thing I object to is the part where some people want to ban external links from /simple, always and forever, regardless of the package

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Donald Stufft
On Mar 12, 2013, at 4:14 PM, Carl Meyer c...@oddbird.net wrote: On 03/12/2013 01:21 PM, PJ Eby wrote: - In some way, migrate to a situation where the popular installer tools install only release files from PyPI by default, but are capable of installing from other locations if the user

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 3:16 PM, PJ Eby p...@telecommunity.com wrote: I'm confused by this statement. never access an external host is not consistent with have the option to specify what hosts you trust, while still keeping PyPI as a universal index of Python software. Sorry to be confusing!

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Jacob Kaplan-Moss
On Tue, Mar 12, 2013 at 3:30 PM, Jacob Kaplan-Moss ja...@jacobian.org wrote: As I've said, the implementation details aren't of a concern to me; the result is. You know what though, I kinda lied. While I don't care about the implementation, I *do* care about keeping this process moving

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread PJ Eby
On Tue, Mar 12, 2013 at 4:14 PM, Carl Meyer c...@oddbird.net wrote: You say below that nobody has proposed a 'trust everything' flag. If there is no trust everything flag, then it seems to me that with either option A or option B the user needs to specify what they intend to trust. I.e. if you

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Trishank Karthik Kuppusamy
Hello Jacob, Good to hear from you! Thanks for stating your concerns so clearly, and we do understand them. We agree that inertia is important to maintain. In fact, we are excited to show this in person to the PyPI community on Friday. We expect to release a design document and a demo in a

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Reinout van Rees
On 11-03-13 11:44, Lennart Regebro wrote: That's now all the energy I'm willing to spend on discussing this topic. Third-party hosting needs to go. I believe there is a broad consensus on this. Let's instead discuss *how* to implement it. Hear hear! I'm so fed up with other people's non-pypi

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-12 Thread Reinout van Rees
On 12-03-13 16:38, PJ Eby wrote: I'll ask it again: why should *thousands* of projects be censored or made to change their release processes, because *you* can't be bothered to cache the distributions of the projects you depend on? So... everyone that uses pypi should be *forced* to use their

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Sun, Mar 10, 2013 at 8:25 PM, Donald Stufft don...@stufft.io wrote: I don't think anyone is bad here, nor am I arguing against any particular person or group of people. I'm arguing against a practice and a system. You're going out of your way to find excuses to throw all sorts of stop

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Lennart Regebro
On Mon, Mar 11, 2013 at 7:09 AM, PJ Eby p...@telecommunity.com wrote: I think you've got things backwards here. It's you who's been arguing that the solution to the problem of improved uptime and security is best implemented by ban all non-PyPI hosting. The uptime problem is *only* solvable

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Ronald Oussoren
On 11 Mar, 2013, at 7:23, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 7:09 AM, PJ Eby p...@telecommunity.com wrote: I think you've got things backwards here. It's you who's been arguing that the solution to the problem of improved uptime and security is best implemented

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Ronald Oussoren
On 10 Mar, 2013, at 22:16, Donald Stufft don...@stufft.io wrote: There isn't a good middle ground here, any externally hosted or spidered file leads us back to at least 2 of the 3 major issues I outlined. The end goal *needs* to be that all external links are removed from PyPI's simple

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Lennart Regebro
On Mon, Mar 11, 2013 at 9:06 AM, Ronald Oussoren ronaldousso...@mac.com wrote: But this isn't necessarily true, there is another solution: mirror your requirements locally. I do that. This is not a solution, because your requirements yesterday is not your requirements tomorrow. Is it even

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Ronald Oussoren
On 11 Mar, 2013, at 9:18, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 9:06 AM, Ronald Oussoren ronaldousso...@mac.com wrote: But this isn't necessarily true, there is another solution: mirror your requirements locally. I do that. This is not a solution, because your

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread M.-A. Lemburg
On 11.03.2013 09:18, Lennart Regebro wrote: On Mon, Mar 11, 2013 at 9:06 AM, Ronald Oussoren ronaldousso...@mac.com wrote: But this isn't necessarily true, there is another solution: mirror your requirements locally. I do that. This is not a solution, because your requirements yesterday

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Lennart Regebro
On Mon, Mar 11, 2013 at 9:33 AM, Ronald Oussoren ronaldousso...@mac.com wrote: On 11 Mar, 2013, at 9:18, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 9:06 AM, Ronald Oussoren ronaldousso...@mac.com wrote: But this isn't necessarily true, there is another solution: mirror

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Ronald Oussoren
On 11 Mar, 2013, at 10:31, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 9:33 AM, Ronald Oussoren ronaldousso...@mac.com wrote: On 11 Mar, 2013, at 9:18, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 9:06 AM, Ronald Oussoren ronaldousso...@mac.com

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread holger krekel
Hi Philip, thanks for your helpful review, almost all makes sense to me ... some more inlined comments below. Up front, i am open to you co-authoring the PEP if you like and share the goal to find a minimum viable approach to speed up and simplify the interactions for installers. On Sun, Mar

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Lennart Regebro
On Mon, Mar 11, 2013 at 10:56 AM, Ronald Oussoren ronaldousso...@mac.com wrote: Now I'm confused. You want to change a dependency without testing it before hand? How do you test a dependency without changing it? How do you test a dependency that is unreachable? It seems to me you are

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Donald Stufft
On Mar 11, 2013, at 2:09 AM, PJ Eby p...@telecommunity.com wrote: On Sun, Mar 10, 2013 at 8:25 PM, Donald Stufft don...@stufft.io wrote: I don't think anyone is bad here, nor am I arguing against any particular person or group of people. I'm arguing against a practice and a system. You're

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Donald Stufft
On Mar 11, 2013, at 5:23 AM, M.-A. Lemburg m...@egenix.com wrote: On 11.03.2013 09:18, Lennart Regebro wrote: On Mon, Mar 11, 2013 at 9:06 AM, Ronald Oussoren ronaldousso...@mac.com wrote: But this isn't necessarily true, there is another solution: mirror your requirements locally. I

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Jesse Noller
Couldn't have said it better Donald. +1 On Mar 11, 2013, at 7:14 AM, Donald Stufft don...@stufft.io wrote: On Mar 11, 2013, at 2:09 AM, PJ Eby p...@telecommunity.com wrote: On Sun, Mar 10, 2013 at 8:25 PM, Donald Stufft don...@stufft.io wrote: I don't think anyone is bad here, nor am I

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Nick Coghlan
On Mon, Mar 11, 2013 at 9:32 PM, Donald Stufft don...@stufft.io wrote: I know you're joking but if this is an actual limiting factor my next proposal will be to change the name :]. PyPR would not only be more accurate, it would actually get rid of the confusion with PyPy. We'd get a new

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread holger krekel
Hi again, A correction on one point of my last mail to you, On Mon, Mar 11, 2013 at 10:02 +, holger krekel wrote: My suggestion would be to do two things: First, make the state a boolean: crawl external links, with the current state yes and the future state no, with no simply

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Lennart Regebro
On Mon, Mar 11, 2013 at 12:55 PM, Nick Coghlan ncogh...@gmail.com wrote: On Mon, Mar 11, 2013 at 9:32 PM, Donald Stufft don...@stufft.io wrote: I know you're joking but if this is an actual limiting factor my next proposal will be to change the name :]. PyPR would not only be more accurate, it

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Daniel Holth
It will probably wind up working more like every other package manager I'm familiar with, where you have a sources.d that lists the repositories you would like to search. Use Plone, add their repository to the list. We also seem to be making good progress on contact the central repository much

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 7:14 AM, Donald Stufft don...@stufft.io wrote: 1) Proof of what? That it's insecure? That it harms uptime? That it violates people's privacy? That any of those things apply to anybody who *isn't using those packages*. Without this, you are only providing a reason to

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Tres Seaver
On 03/11/2013 02:23 AM, Lennart Regebro wrote: The uptime problem is *only* solvable by minimizing the number of hosts involved. The minimum number of hosts is one. That means we should get all releases onto PyPI. Uptime for *production* use is

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Lennart Regebro
On Mon, Mar 11, 2013 at 5:12 PM, PJ Eby p...@telecommunity.com wrote: On Mon, Mar 11, 2013 at 7:14 AM, Donald Stufft don...@stufft.io wrote: 1) Proof of what? That it's insecure? That it harms uptime? That it violates people's privacy? That any of those things apply to anybody who *isn't

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 12:45 PM, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 5:12 PM, PJ Eby p...@telecommunity.com wrote: On Mon, Mar 11, 2013 at 7:14 AM, Donald Stufft don...@stufft.io wrote: 1) Proof of what? That it's insecure? That it harms uptime? That it violates

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Lennart Regebro
On Mon, Mar 11, 2013 at 6:42 PM, PJ Eby p...@telecommunity.com wrote: On Mon, Mar 11, 2013 at 12:45 PM, Lennart Regebro rege...@gmail.com wrote: On Mon, Mar 11, 2013 at 5:12 PM, PJ Eby p...@telecommunity.com wrote: On Mon, Mar 11, 2013 at 7:14 AM, Donald Stufft don...@stufft.io wrote: 1) Proof

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 1:45 PM, Lennart Regebro rege...@gmail.com wrote: So, we should not remove the links for external packages until somebody traverses those links? But as soon as somebody asks for those links, we should remove them? In fact before we give them the link? I'm saying that if

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Carl Meyer
On 03/11/2013 01:57 PM, PJ Eby wrote: I'm saying that if someone objects to the presence of links they don't actually use, they are speaking nonsense. Might as well ask to ban all packages from PyPI that they don't personally like -- it's the same request. Nobody is forcing you to depend on

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread PJ Eby
On Mon, Mar 11, 2013 at 4:07 PM, Carl Meyer c...@oddbird.net wrote: On 03/11/2013 01:57 PM, PJ Eby wrote: I'm saying that if someone objects to the presence of links they don't actually use, they are speaking nonsense. Might as well ask to ban all packages from PyPI that they don't

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Donald Stufft
On Mar 11, 2013, at 4:07 PM, Carl Meyer c...@oddbird.net wrote: On 03/11/2013 01:57 PM, PJ Eby wrote: I'm saying that if someone objects to the presence of links they don't actually use, they are speaking nonsense. Might as well ask to ban all packages from PyPI that they don't personally

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-11 Thread Lennart Regebro
On Mon, Mar 11, 2013 at 8:57 PM, PJ Eby p...@telecommunity.com wrote: On Mon, Mar 11, 2013 at 1:45 PM, Lennart Regebro rege...@gmail.com wrote: So, we should not remove the links for external packages until somebody traverses those links? But as soon as somebody asks for those links, we should

[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread holger krekel
Hi Donald, Richard, Nick, Philip, Marc-Andre, all, after some more thinking i wrote a simplified PEP draft for transitioning hosting of release files to pypi.python.org. A PEP is warranted IMO because the according changes will affect all python package maintainers and the Python packaging

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread Donald Stufft
On Mar 10, 2013, at 11:07 AM, holger krekel hol...@merlinux.eu wrote: Hi Donald, Richard, Nick, Philip, Marc-Andre, all, after some more thinking i wrote a simplified PEP draft for transitioning hosting of release files to pypi.python.org. A PEP is warranted IMO because the according

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread Jesse Noller
+1 On Mar 10, 2013, at 1:35 PM, Donald Stufft don...@stufft.io wrote: On Mar 10, 2013, at 11:07 AM, holger krekel hol...@merlinux.eu wrote: Hi Donald, Richard, Nick, Philip, Marc-Andre, all, after some more thinking i wrote a simplified PEP draft for transitioning hosting of release

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread holger krekel
On Sun, Mar 10, 2013 at 13:35 -0400, Donald Stufft wrote: On Mar 10, 2013, at 11:07 AM, holger krekel hol...@merlinux.eu wrote: [...] Transitioning to pypi-cache mode - When transitioning from the currently implicit pypi-ext mode to pypi-cache for

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread Aaron Meurer
On Mar 10, 2013, at 12:29 PM, Donald Stufft don...@stufft.io wrote: On Mar 10, 2013, at 2:18 PM, holger krekel hol...@merlinux.eu wrote: On Sun, Mar 10, 2013 at 13:35 -0400, Donald Stufft wrote: On Mar 10, 2013, at 11:07 AM, holger krekel hol...@merlinux.eu wrote: [...] Transitioning to

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread PJ Eby
On Sun, Mar 10, 2013 at 11:07 AM, holger krekel hol...@merlinux.eu wrote: Philip, Marc-Andre, Richard (Jones), Nick and catalog-sig/distutils-sig: scrutiny and feedback welcome. Hi Holger. I'm having some difficulty interpreting your proposal because it is leaving out some things, and in other

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread holger krekel
On Sun, Mar 10, 2013 at 14:29 -0400, Donald Stufft wrote: On Mar 10, 2013, at 2:18 PM, holger krekel hol...@merlinux.eu wrote: On Sun, Mar 10, 2013 at 13:35 -0400, Donald Stufft wrote: On Mar 10, 2013, at 11:07 AM, holger krekel hol...@merlinux.eu wrote: [...] Transitioning to

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread Jesse Noller
I said that before we talked to a lawyer On Mar 10, 2013, at 3:54 PM, holger krekel hol...@merlinux.eu wrote: On Sun, Mar 10, 2013 at 14:29 -0400, Donald Stufft wrote: On Mar 10, 2013, at 2:18 PM, holger krekel hol...@merlinux.eu wrote: On Sun, Mar 10, 2013 at 13:35 -0400, Donald Stufft

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread Donald Stufft
On Mar 10, 2013, at 3:41 PM, PJ Eby p...@telecommunity.com wrote: On Sun, Mar 10, 2013 at 11:07 AM, holger krekel hol...@merlinux.eu wrote: Philip, Marc-Andre, Richard (Jones), Nick and catalog-sig/distutils-sig: scrutiny and feedback welcome. Hi Holger. I'm having some difficulty

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread Donald Stufft
On Mar 10, 2013, at 3:54 PM, holger krekel hol...@merlinux.eu wrote: On Sun, Mar 10, 2013 at 14:29 -0400, Donald Stufft wrote: On Mar 10, 2013, at 2:18 PM, holger krekel hol...@merlinux.eu wrote: On Sun, Mar 10, 2013 at 13:35 -0400, Donald Stufft wrote: On Mar 10, 2013, at 11:07 AM,

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread PJ Eby
On Sun, Mar 10, 2013 at 5:16 PM, Donald Stufft don...@stufft.io wrote: If someone's release process forces PyPI to have security, uptime, and privacy issues then I'm very sorry but their release process is going to need to change. It's not fun, it's a shitty situation, but trying to bend over

Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

2013-03-10 Thread Donald Stufft
On Mar 10, 2013, at 6:41 PM, PJ Eby p...@telecommunity.com wrote: On Sun, Mar 10, 2013 at 5:16 PM, Donald Stufft don...@stufft.io wrote: If someone's release process forces PyPI to have security, uptime, and privacy issues then I'm very sorry but their release process is going to need to