On Tuesday, March 5, 2013 at 4:01 AM, Donald Stufft wrote:
On Thursday, February 28, 2013 at 8:35 AM, Donald Stufft wrote:
https://crate.io/externally-hosted/ A list of things that have no files
hosted on
PyPI but have a release. This doesn't include things that uploads sometimes
On Fri, Mar 01, 2013 at 10:02 +0100, Reinout van Rees wrote:
On 28-02-13 21:08, holger krekel wrote:
I have seen that position in this discussion (I have to upload 120
files per release, so I won't do that, for instance).
haven't seen that.
Marc-Andre Lemburg said this, which I took to
On 01.03.2013 10:02, Reinout van Rees wrote:
On 28-02-13 21:08, holger krekel wrote:
I have seen that position in this discussion (I have to upload 120
files per release, so I won't do that, for instance).
haven't seen that.
Marc-Andre Lemburg said this, which I took to mean 120 uploads
On Fri, Mar 01, 2013 at 10:24 +0100, M.-A. Lemburg wrote:
On 01.03.2013 10:02, Reinout van Rees wrote:
On 28-02-13 21:08, holger krekel wrote:
I have seen that position in this discussion (I have to upload 120
files per release, so I won't do that, for instance).
haven't seen that.
Marc Andre: I'm cc'ing Van: can you explain why the pypi terms are a bummer so
we can see if there is actually an issue to be resolved or a matter of taste?
We need to protect the foundation while preserving author rights - but I don't
want one user / subset dictating how we evolve the
On Fri, Mar 1, 2013 at 4:24 AM, M.-A. Lemburg m...@egenix.com wrote:
On 01.03.2013 10:02, Reinout van Rees wrote:
On 28-02-13 21:08, holger krekel wrote:
I have seen that position in this discussion (I have to upload 120
files per release, so I won't do that, for instance).
haven't seen
On Thu, Feb 28, 2013 at 5:01 PM, Donald Stufft donald.stu...@gmail.com wrote:
I'm glad the next set of Metadata won't have external links, however
even if it showed up tomorrow it's going to be a long time until
people are completely migrated to it. Furthermore you estimate
months but the
On Thu, Feb 28, 2013 at 6:12 PM, M.-A. Lemburg m...@egenix.com wrote:
On 28.02.2013 07:39, Nick Coghlan wrote:
1. The next generation metadata infrastructure will NOT support
external hosting of files indexed on PyPI - if you don't upload the
archive files to PyPI, they won't be included in
On Wed, Feb 27, 2013 at 22:04 +0100, Lennart Regebro wrote:
On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor mord...@inaugust.com wrote:
But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I suppose you could explicitly break the external links by
having them point to
On Thu, Feb 28, 2013 at 09:48 +1100, Richard Jones wrote:
On 28 February 2013 08:31, PJ Eby p...@telecommunity.com wrote:
OTOH, I currently make development snapshots of setuptools and other
projects available by dumping them in a directory that's used as an
external download URL.
On Thu, Feb 28, 2013 at 06:38 +0100, Andreas Jung wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
+1 for the proposal
The complete discussion on this topic is once again absurd and bizarre.
We are discussing the issue with externally hosted packages every year
and the situation has
On 28 February 2013 20:09, holger krekel hol...@merlinux.eu wrote:
On Thu, Feb 28, 2013 at 09:48 +1100, Richard Jones wrote:
On 28 February 2013 08:31, PJ Eby p...@telecommunity.com wrote:
OTOH, I currently make development snapshots of setuptools and other
projects available by dumping them
no support for UCS2/UCS4 binary distributions, unsupported
distribution file formats (e.g. our prebuilt format),
Not sure why PyPI would even care what charset the package files use,
but if true thats certainly a bug and we can get that fixed. What
file formats do pip/buildout support that PyPI
On Thursday, February 28, 2013 at 5:29 AM, M.-A. Lemburg wrote:
On 27.02.2013 19:21, Donald Stufft wrote:
On Wednesday, February 27, 2013 at 1:11 PM, M.-A. Lemburg wrote:
On 27.02.2013 18:37, Donald Stufft wrote:
On Wednesday, February 27, 2013 at 12:10 PM, M.-A. Lemburg wrote:
On Thursday, February 28, 2013 at 7:56 AM, Reinout van Rees wrote:
On 28-02-13 10:43, holger krekel wrote:
On Thu, Feb 28, 2013 at 06:38 +0100, Andreas Jung wrote:
I give a shit at the arguments pulled out every time by package
maintainers using PyPI only for listing their packages. I
On Thu, Feb 28, 2013 at 7:43 AM, Reinout van Rees rein...@vanrees.org wrote:
On 27-02-13 16:26, Donald Stufft wrote:
2. External links decrease the expected uptime for a particular set
of requirements. PyPI itself has become very stable, however
the same cannot be said for
On Thu, Feb 28, 2013 at 10:30 AM, Lennart Regebro rege...@gmail.com wrote:
On Thu, Feb 28, 2013 at 10:43 AM, Lennart Regebro rege...@gmail.com wrote:
On Thu, Feb 28, 2013 at 9:28 AM, Nick Coghlan ncogh...@gmail.com wrote:
Pissing off the maintainers off packages that currently rely on
external
On Feb 28, 2013, at 3:43 AM, Nick Coghlan wrote:
On Thu, Feb 28, 2013 at 6:12 PM, M.-A. Lemburg m...@egenix.com wrote:
On 28.02.2013 07:39, Nick Coghlan wrote:
1. The next generation metadata infrastructure will NOT support
external hosting of files indexed on PyPI - if you don't upload the
On Thu, Feb 28, 2013 at 16:30 +0100, Lennart Regebro wrote:
On Thu, Feb 28, 2013 at 10:43 AM, Lennart Regebro rege...@gmail.com wrote:
On Thu, Feb 28, 2013 at 9:28 AM, Nick Coghlan ncogh...@gmail.com wrote:
Pissing off the maintainers off packages that currently rely on
external hosting by
On Thu, Feb 28, 2013 at 13:56 +0100, Reinout van Rees wrote:
On 28-02-13 10:43, holger krekel wrote:
On Thu, Feb 28, 2013 at 06:38 +0100, Andreas Jung wrote:
I give a shit at the arguments pulled out every time by package
maintainers using PyPI only for listing their packages. I am both
On Thursday, February 28, 2013 at 1:23 PM, PJ Eby wrote:
On Thu, Feb 28, 2013 at 4:08 AM, Nick Coghlan ncogh...@gmail.com
(mailto:ncogh...@gmail.com) wrote:
On Thu, Feb 28, 2013 at 7:00 PM, holger krekel hol...@merlinux.eu
(mailto:hol...@merlinux.eu) wrote:
To summarize, having
On Thursday, February 28, 2013 at 6:31 PM, PJ Eby wrote:
On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft donald.stu...@gmail.com
(mailto:donald.stu...@gmail.com) wrote:
SSL checking on upload should be possible, do you want
a patch?
If it uses the 'requests' library, yes, I'll accept
On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft donald.stu...@gmail.com wrote:
SSL checking on upload should be possible, do you want
a patch?
If it uses the 'requests' library, yes, I'll accept one. But I don't
want to do any direct implementation of SSL cert checking in
setuptools, at least
On Thu, Feb 28, 2013 at 8:52 PM, holger krekel hol...@merlinux.eu wrote:
There are also packages which have some (older) release files on pypi
and newer ones outside (e.g. lockfile with 78256 downloads from
code.google.com). You didn't include such in your 2651 emails, or did you?
No, I
On Wednesday, February 27, 2013 at 10:26 AM, Donald Stufft wrote:
PyPI is now being served with a valid SSL certificate, and the
tooling has begun to incorporate SSL verification of PyPI into
the process. This is _excellent_ and the parties involved should
all be thanked. However there is
On 27.02.2013 16:26, Donald Stufft wrote:
PyPI is now being served with a valid SSL certificate, and the
tooling has begun to incorporate SSL verification of PyPI into
the process. This is _excellent_ and the parties involved should
all be thanked. However there is still another massive area
On Wednesday, February 27, 2013 at 10:39 AM, M.-A. Lemburg wrote:
-1.
There are many reasons for not hosting packages and distributions
on PyPI itself.
If you use and trust a package, you also have to know and trust its
dependencies, no matter where they are hosted, so you're not gaining
On Wed, Feb 27, 2013 at 8:26 AM, Donald Stufft donald.stu...@gmail.com wrote:
PyPI is now being served with a valid SSL certificate, and the
tooling has begun to incorporate SSL verification of PyPI into
the process. This is _excellent_ and the parties involved should
all be thanked. However
On 27 Feb, 2013, at 16:42, Donald Stufft donald.stu...@gmail.com wrote:
On Wednesday, February 27, 2013 at 10:39 AM, M.-A. Lemburg wrote:
-1.
There are many reasons for not hosting packages and distributions
on PyPI itself.
If you use and trust a package, you also have to know and trust
pip/easy_install into installing the right thing by version number
naming (which is completely broken btw. It's impossible to name
separate Python 2 and Python 3 packages so that both pip and
easy_install will do the right thing in every case. See
On Wednesday, February 27, 2013 at 11:34 AM, M.-A. Lemburg wrote:
On 27.02.2013 16:42, Donald Stufft wrote:
On Wednesday, February 27, 2013 at 10:39 AM, M.-A. Lemburg wrote:
-1.
There are many reasons for not hosting packages and distributions
on PyPI itself.
If you use and
On 27.02.2013 17:43, Donald Stufft wrote:
On Wednesday, February 27, 2013 at 11:34 AM, M.-A. Lemburg wrote:
On 27.02.2013 16:42, Donald Stufft wrote:
On Wednesday, February 27, 2013 at 10:39 AM, M.-A. Lemburg wrote:
-1.
There are many reasons for not hosting packages and distributions
on
On Wednesday, February 27, 2013 at 12:10 PM, M.-A. Lemburg wrote:
Package installers only need access to the static files in
the /simple/ index. Those can be put behind a CDN to increase
uptime.
PyPI itself doesn't have to be up and running if you just want
to download the files
On Wednesday, February 27, 2013 at 12:22 PM, holger krekel wrote:
The main means of securing against tampering is author-signatures
and verification by installers. If we have that, the download location
does not matter (pypi/CDN/google/...).
Again we don't have that yet, It's only 1 layer, and
On Feb 27, 2013, at 10:22 AM, holger krekel hol...@merlinux.eu wrote:
On Wed, Feb 27, 2013 at 10:26 -0500, Donald Stufft wrote:
PyPI is now being served with a valid SSL certificate, and the
tooling has begun to incorporate SSL verification of PyPI into
the process. This is _excellent_ and
2. External links decrease the expected uptime for a particular set
of requirements. PyPI itself has become very stable, however
the same cannot be said for all of the hosts linked that the toolchain
processes. Each new host is an additional SPOF.
Ex: I depend on PyPI and 10 other
Having different sources for package metadata does pose security concerns,
for example version mismatch attacks by a MITM. Unless we co-locate all
package metadata at a single source that is trusted for protecting against
these issues, this will be an issue.(However, possibly not the biggest
Which in particular means that metadata needs to come from PyPI itself, not
from the tarball file name.
Aaron Meurer
On Feb 27, 2013, at 11:06 AM, Justin Cappos jcap...@poly.edu wrote:
Having different sources for package metadata does pose security concerns,
for example version mismatch
On Feb 27, 2013, at 9:28 AM, M.-A. Lemburg wrote:
On 27.02.2013 18:05, Noah Kantrowitz wrote:
M.-A. Lemburg m...@egenix.com wrote:
I propose we deprecate the external links that PyPI has published
on the /simple/ indexes which exist because of the history of PyPI.
Ideally in some number
Il giorno 27/feb/2013, alle ore 19:23, Donald Stufft donald.stu...@gmail.com
ha scritto:
On Wednesday, February 27, 2013 at 12:44 PM, Donald Stufft wrote:
Why not first have an a good infrastructure and capacity with
pypi.python.org so that people *want* to move their files there?
PyPI has
On Wednesday, February 27, 2013 at 1:32 PM, Giovanni Bajo wrote:
In fact, Python is a big-enough brand name that we could even get a CDN
service almost for free in exchange of an acknowledge of the CDN company
being used.
As far as I know this has already have been offered in some form
On Wednesday, February 27, 2013 at 1:34 PM, holger krekel wrote:
On Wed, Feb 27, 2013 at 13:00 -0500, Jesse Noller wrote:
2. External links decrease the expected uptime for a particular set
of requirements. PyPI itself has become very stable, however
the same cannot be said for all of
On Wednesday, February 27, 2013 at 1:33 PM, Donald Stufft wrote:
On Wednesday, February 27, 2013 at 1:32 PM, Giovanni Bajo wrote:
In fact, Python is a big-enough brand name that we could even get a CDN
service almost for free in exchange of an acknowledge of the CDN company
being
On Wed, Feb 27, 2013 at 11:37 AM, holger krekel hol...@merlinux.eu wrote:
On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg m...@egenix.com wrote:
I'm not saying that it's not a good idea to host packages on PyPI,
but forcing the
On a general note: It really warms my heart to see that people are
warming up to the idea of using CDN's and getting rid of external
downloads. I'm all for that.
//Lennart
___
Catalog-SIG mailing list
Catalog-SIG@python.org
On Wednesday, February 27, 2013 at 2:47 PM, Lennart Regebro wrote:
On a general note: It really warms my heart to see that people are
warming up to the idea of using CDN's and getting rid of external
downloads. I'm all for that.
Excellent. So it's a date!
On Feb 27, 2013, at 11:47 AM, Lennart Regebro wrote:
On a general note: It really warms my heart to see that people are
warming up to the idea of using CDN's and getting rid of external
downloads. I'm all for that.
Just to be clear on this point
1) Moving PyPI and other PSF properties behind
Would it be wrong to ask for a /complex API at the same time? The
simple api, with 28k package names on one page, is getting a little
silly.
___
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
On Wednesday, February 27, 2013 at 2:56 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor mord...@inaugust.com
(mailto:mord...@inaugust.com) wrote:
On 02/27/2013 02:47 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 11:37 AM, holger krekel hol...@merlinux.eu
On Feb 27, 2013, at 1:01 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Wednesday, February 27, 2013 at 2:56 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor mord...@inaugust.com wrote:
On 02/27/2013 02:47 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 11:37 AM,
On Wed, Feb 27, 2013 at 3:08 PM, Aaron Meurer asmeu...@gmail.com wrote:
On Feb 27, 2013, at 1:01 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Wednesday, February 27, 2013 at 2:56 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor mord...@inaugust.com wrote:
On
On Wed, Feb 27, 2013 at 14:49 -0500, Monty Taylor wrote:
On 02/27/2013 02:47 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 11:37 AM, holger krekel hol...@merlinux.eu wrote:
On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg
On Feb 27, 2013, at 12:16 PM, holger krekel wrote:
On Wed, Feb 27, 2013 at 14:49 -0500, Monty Taylor wrote:
On 02/27/2013 02:47 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 11:37 AM, holger krekel hol...@merlinux.eu wrote:
On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
On
As far as I'm concerned, pip is broke too, in the sense that the method we
use to make pip work in Python 3 is a bit of an annoying hack (namely,
upload a separate tarball for each minor Python 3 version).
I agree it's a hack.
but only =1.2 package metadata supports requires-python and
On Feb 28, 2013 2:26 AM, Donald Stufft donald.stu...@gmail.com wrote:
I propose we deprecate the external links that PyPI has published
on the /simple/ indexes which exist because of the history of PyPI.
+1
___
Catalog-SIG mailing list
On Wed, Feb 27, 2013 at 3:27 PM, Donald Stufft donald.stu...@gmail.comwrote:
I'm not asking for this to be shutoff immediately, it will be phased,
particularly so project maintainers can be made aware that it's
going away and can upload versions to PyPI to prevent this kind of
wide spread
On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor mord...@inaugust.com wrote:
But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I suppose you could explicitly break the external links by
having them point to nothing if you are worried about the security or
if it's some
On 02/27/2013 04:04 PM, Lennart Regebro wrote:
On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor mord...@inaugust.com wrote:
But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I suppose you could explicitly break the external links by
having them point to nothing if you are
On Wed, Feb 27, 2013 at 1:34 PM, Lennart Regebro rege...@gmail.com wrote:
On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg m...@egenix.com wrote:
I'm not saying that it's not a good idea to host packages on PyPI,
but forcing the community into doing this is not a good idea.
I still don't
On Wed, Feb 27, 2013 at 9:01 PM, Donald Stufft donald.stu...@gmail.com wrote:
Modify the PyPI software to no longer link to those urls.
Well, I guess we can remove the software home page and the download
URL's from the simple index.
For example, in PIL's case the simple index looks like this:
On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro rege...@gmail.com wrote:
On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor mord...@inaugust.com wrote:
But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I suppose you could explicitly break the external links by
having them
On Wed, Feb 27, 2013 at 10:17 PM, PJ Eby p...@telecommunity.com wrote:
I haven't seen anybody mention it yet, but checkouts of development
versions are a use case that can't currently be addressed without
support for multiple external links. For example, setuptools itself
offers SVN checkout
On Feb 27, 2013, at 1:31 PM, PJ Eby wrote:
On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro rege...@gmail.com wrote:
On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor mord...@inaugust.com wrote:
But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I suppose you could
On Wednesday, February 27, 2013 at 4:17 PM, PJ Eby wrote:
On Wed, Feb 27, 2013 at 1:34 PM, Lennart Regebro rege...@gmail.com
(mailto:rege...@gmail.com) wrote:
On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg m...@egenix.com
(mailto:m...@egenix.com) wrote:
I'm not saying that it's not a
On 27 lut 2013, at 21:16, holger krekel hol...@merlinux.eu wrote:
On Wed, Feb 27, 2013 at 14:49 -0500, Monty Taylor wrote:
On 02/27/2013 02:47 PM, Aaron Meurer wrote:
If we don't remove the feature from pypi itself, then it won't help the
folks for whom its a problem, because there will be
On Wed, Feb 27, 2013 at 10:31 PM, PJ Eby p...@telecommunity.com wrote:
Replacing that would be a PITA because PyPI
only lets you upload and register new releases from distutils' command
line.
You can upload files, but not create new releases. But that seems like
a pretty minor addition, or?
On Wednesday, February 27, 2013 at 4:31 PM, PJ Eby wrote:
So far, I don't think anybody's talking to the right we for stopping
it. It's the tools that control this, not PyPI. (PyPI can't actually
stop the tools from using this information without also making itself
a lot less useful to
On 28 February 2013 08:31, PJ Eby p...@telecommunity.com wrote:
OTOH, I currently make development snapshots of setuptools and other
projects available by dumping them in a directory that's used as an
external download URL. Replacing that would be a PITA because PyPI
only lets you upload and
On Wed, Feb 27, 2013 at 11:48 PM, Richard Jones rich...@python.org wrote:
I've advocated us having the upload/register/whatever functionality in
a separate tool for a while, but that doesn't seem to have gained any
traction. Of course issues around the complexity introduced by
setup.py make it
On Wed, Feb 27, 2013 at 2:31 PM, PJ Eby p...@telecommunity.com wrote:
On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro rege...@gmail.com wrote:
On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor mord...@inaugust.com wrote:
But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I
On Wed, Feb 27, 2013 at 4:50 PM, Donald Stufft donald.stu...@gmail.com wrote:
Development snapshots are a use case that i'm not sure makes sense
for PyPI, but if they do should require specific opt-in to install them.
Does easy_install have a command line flag that adds extra links?
*chuckle*.
On Wednesday, February 27, 2013 at 7:08 PM, PJ Eby wrote:
On Wed, Feb 27, 2013 at 6:16 PM, Aaron Meurer asmeu...@gmail.com
(mailto:asmeu...@gmail.com) wrote:
As far as I'm concerned, this is all about helping package
maintainers. The way pip works now, every time I do a release
candidate,
On Wed, Feb 27, 2013 at 6:24 PM, Donald Stufft donald.stu...@gmail.com wrote:
On Wednesday, February 27, 2013 at 8:13 PM, PJ Eby wrote:
On Wed, Feb 27, 2013 at 7:36 PM, Donald Stufft donald.stu...@gmail.com
wrote:
This seems a bit complicated, people in general don't even know
the external
On Wednesday, February 27, 2013 at 8:34 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 6:24 PM, Donald Stufft donald.stu...@gmail.com
(mailto:donald.stu...@gmail.com) wrote:
On Wednesday, February 27, 2013 at 8:13 PM, PJ Eby wrote:
On Wed, Feb 27, 2013 at 7:36 PM, Donald Stufft
maintainers. The way pip works now, every time I do a release
candidate, pip automatically installs it, even though I only upload it
an option to exclude pre-releases (or in reverse, an option to allow them)
does seem overdue.
reasons not to do this? anyone? links to the most relevant
On Thu, Feb 28, 2013 at 6:27 AM, Donald Stufft donald.stu...@gmail.com wrote:
Sometimes you need to break things. The goal is to do it with ample
warning and migration time so that people have a chance to move
to the new way of doing things.
Again, I am not suggesting we delete all external
On Thursday, February 28, 2013 at 1:39 AM, Nick Coghlan wrote:
On Thu, Feb 28, 2013 at 6:27 AM, Donald Stufft donald.stu...@gmail.com
(mailto:donald.stu...@gmail.com) wrote:
Sometimes you need to break things. The goal is to do it with ample
warning and migration time so that people have a
77 matches
Mail list logo