+1 to an allow_fallback_metadata flag in appropriate PyPI APIs, -1
on exposing the legacy data directly.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
___
Catalog-SIG mailing list
Catalog-SIG@python.org
http
based on Ronald's comments later in this
thread, though.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
___
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
site directory
when it can't write to the system one. At the moment, I think it's the
same as install - it complains it can't write to the system directory,
even if the package is present in the user directory.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
into the
habit of running pip with elevated privileges.
Regards,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
On Tue, Feb 5, 2013 at 11:55 PM, Jeroen Dekkers jer...@dekkers.ch wrote:
At Tue, 5 Feb 2013 11:36:46 +1000,
Nick Coghlan wrote:
Something that caught my attention in the recent security discussions
is the observation that one of the most common insecure practices in
the Python community
.
Regards,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
this by expressly requiring that all
pre-releases (dev, alpha, beta, release candidate) be excluded from
version specifiers by default, unless a pre-release is explicitly
mentioned as part of the specifier.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
herring IMO.
The background discussions Holger mentioned earlier are actually aimed
at picking some of those low hanging fruit (a lot of it related to the
general provision of the PSF infrastructure at OSU/OSL and making it
easier to improve PyPI's handling of HTTPS).
Cheers,
Nick.
--
Nick Coghlan
.
For those that are able to make it, I look forward to meeting you in
person in March :)
Regards,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
subdomains (e.g. six.pythonhosted.org, in addition to
pythonhosted.org/six)
Even longer term: PyPI offers the option to set up a project's
pythonhosted subdomain as a ReadTheDocs reference (using the existing
subdomain delegation feature of RTFD)
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com
worked out.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
On Thu, Feb 7, 2013 at 12:35 PM, Nick Coghlan ncogh...@gmail.com wrote:
In the meantime, it's probably easiest if Richard, Noah and I have an
offline discussion to get the mechanics of the delegation worked out.
As a quick update - DNS authority for pythonhosted.org has now been
delegated
On 8 Feb 2013 02:43, Giovanni Bajo ra...@develer.com wrote:
On 07/Feb/2013, at 17:21, Donald Stufft
donald.stu...@gmail.com wrote:
On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote:
1. If we're going to implicitly trust PyPI when it says that key X is
valid
the question "Why are some people still using
setuptools rather than the alternatives?".
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
infrastructure on TUF (which
already has many of the more difficult security aspects covered),
along with devising a migration path from our existing distribution
infrastructure, than I do in our ability to come up with something
completely new.
Regards,
Nick.
--
Nick Coghlan | ncogh
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
On Sun, Feb 10, 2013 at 10:36 PM, Jannis Leidel jan...@leidel.info wrote:
On 10.02.2013, at 05:44, Nick Coghlan ncogh...@gmail.com wrote:
On Sun, Feb 10, 2013 at 7:23 AM, Giovanni Bajo ra...@develer.com wrote:
Hello,
my proposal for fixing PyPI and pip security is here:
https
scheme at all.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
On 12 Feb 2013 07:56, Alessandro Dentella san...@e-den.it wrote:
On Mon, Feb 11, 2013 at 04:11:38PM -0500, PJ Eby wrote:
On Mon, Feb 11, 2013 at 11:40 AM, Alessandro Dentella san...@e-den.it
wrote:
I believe that this issue belongs to this list, please let me know if
I'm
wrong.
it may
end up here if it involves PyPI code changes.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
On Wed, Feb 13, 2013 at 2:27 AM, Giovanni Bajo ra...@develer.com wrote:
On 12/Feb/2013, at 14:12, Nick Coghlan ncogh...@gmail.com
wrote:
On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo ra...@develer.com wrote:
Hello Nick,
I've added the initial Requirements and Thread
On Wed, Feb 13, 2013 at 7:58 PM, Giovanni Bajo ra...@develer.com wrote:
On 13/Feb/2013, at 04:31, Nick Coghlan ncogh...@gmail.com
wrote:
TUF's target delegation is thus in direct competition to the trusted
keys file in your design. TUF specifically aims to take care
On 14 Feb 2013 03:59, Donald Stufft donald.stu...@gmail.com wrote:
On Wednesday, February 13, 2013 at 5:29 AM, Robert Collins wrote:
On 13 February 2013 15:12, Giovanni Bajo ra...@develer.com wrote:
Yes, that's correct. GPG chain-of-trust concept is not used in my
proposal,
because I don't
On Thu, Feb 14, 2013 at 6:46 PM, Ronald Oussoren ronaldousso...@mac.com wrote:
On 13 Feb, 2013, at 15:21, Nick Coghlan ncogh...@gmail.com wrote:
For now, though, we would probably start off with
release/target/timestamp roles sharing a key, all threshold values set
to 1, and just doing
On 15 Feb 2013 05:50, Tarek Ziadé ta...@ziade.org wrote:
On 2/14/13 8:37 PM, Donald Stufft wrote:
On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
Hello
Some tools (setuptools, distribute, zope, pip) use bootstrap files to
get installed,
In order to have a more secured
On 15 Feb 2013 08:38, Donald Stufft donald.stu...@gmail.com wrote:
On Thursday, February 14, 2013 at 5:34 PM, M.-A. Lemburg wrote:
I don't follow the reasoning here. What's the difference between
uploading a .py file and a .tar.gz file ?
AFAIK, the only reason why the file extensions are
,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
it. It would be good to have PyPI calling
distributions by that name in the UI, though.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
On Tue, Feb 19, 2013 at 1:35 PM, Daniel Holth dho...@gmail.com wrote:
Who will remember the distinction without a glossary?
Creating and publishing a glossary is on the list... (actually pretty
high on the list now that PEP 426 is in mostly done status)
Cheers,
Nick.
--
Nick Coghlan
(and accept a long lead time to actual impact), or
I suggest getting in touch with Benjamin Peterson and Georg Brandl
ASAP (e.g. through a release blocker for 2.7 and 3.3 on the issue
tracker), as Python 2.7.4 and Python 3.3.1 are planned for this month.
Regards,
Nick.
--
Nick Coghlan | ncogh
On 21 Feb 2013 06:57, Donald Stufft donald.stu...@gmail.com wrote:
On Wednesday, February 20, 2013 at 3:50 PM, Daniel Holth wrote:
Bikeshed detected.
Basically.
We basically can't use any of the properties of the various signing techs
besides
their ability to sign documents so the choice
by default. (although the thread does raise an interesting question of
whether or not you can cleanly specify dual Python 2 3 support given
the current state of PEP 426)
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
).
Regards,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
On Thu, Feb 28, 2013 at 6:12 PM, M.-A. Lemburg m...@egenix.com wrote:
On 28.02.2013 07:39, Nick Coghlan wrote:
1. The next generation metadata infrastructure will NOT support
external hosting of files indexed on PyPI - if you don't upload the
archive files to PyPI, they won't be included
pronunciation argument
(Pie-pee-arr vs Pie-per) to corresponding with the existing one,
though (Pie-pee-eye vs Pie-pie)
Hell, the next generation of PyPI is going to have a different enough
architecture for metadata distribution that a name change may be
entirely appropriate :)
Cheers,
Nick.
--
Nick
That looks pretty good to me. My only comment is that qualifiers like "new"
don't age well in an API. The explicit nocrawlhomepage and
nocrawldownload might be a better choice.
Cheers,
Nick.
be a simple-v3, so this is really overengineering the proposed
change.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
uploading to PyPI. It may even mean the initial iteration
allows projects to rely on a PyPI provided signing key for their TUF
metadata, using the existing upload mechanisms to add the files to
PyPI.
Regards,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
On Wed, Mar 13, 2013 at 1:23 AM, M.-A. Lemburg m...@egenix.com wrote:
On 13.03.2013 07:28, Nick Coghlan wrote:
On Tue, Mar 12, 2013 at 12:59 PM, M.-A. Lemburg m...@egenix.com wrote:
I think we should establish a versioned API like that for PyPI
to make progress easier. All major web APIs use
On Wed, Mar 13, 2013 at 11:19 PM, Nick Coghlan ncogh...@gmail.com wrote:
On Wed, Mar 13, 2013 at 1:23 AM, M.-A. Lemburg m...@egenix.com wrote:
On 13.03.2013 07:28, Nick Coghlan wrote:
On Tue, Mar 12, 2013 at 12:59 PM, M.-A. Lemburg m...@egenix.com wrote:
I think we should establish a versioned
to *near term* improvement, as a parallel effort to
the more complex proposals.
The /simple/ index will also be around for a long time for backwards
compatibility reasons, regardless of any other changes that happen in
the overall distribution ecosystem.
Cheers,
Nick.
--
Nick Coghlan | ncogh
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
, and
would be able to go directly to downloading the release files. That's
a longer term idea, though and we may even decide it isn't worth the
hassle if PKG-INFO is made available through /simple.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
*, because the addition of new platform support needs to happen in
a more timely fashion than language releases. The incorporation of pip
bootstrapping into 3.4 will also make it a lot easier to recommend
more readily upgraded alternatives.
Cheers,
Nick.
--
Nick Coghlan | ncogh...@gmail.com
,
Nick.
--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia