My pypi account is fishy: https://pypi.org/user/fishy/

The image is: https://imgur.com/a/vkehdiF

On Thu, Jan 18, 2024 at 2:49 PM Jens Geyer <jensge...@hotmail.com> wrote:

> Hi,
>
>
> I can't see the picture and I don't have your pypi username. I tried the
> email but that did not work.
>
>
> Have fun,
>
> jensG
>
>
> On 17.01.2024 at 02:11 Yuxuan Wang wrote:
> > I just logged into my pypi account (I was there to register an
> > account, and it turns out I already have one, which I have no memory
> > of, and I do not have any projects published there), it seems that
> > they actually have an automated way to create the github actions for
> > you automatically: https://docs.pypi.org/trusted-publishers/
> >
> > But I would assume that might require that I have admin access to the
> > github repo (not sure yet, as I don't have any other project to test),
> > so if you are fine with that (e.g. add me to the PyPi maintainer list,
> > I try to use that approach, if it doesn't work, give me admin access
> > to the github repo), I'm fine :)
> >
> > Also, there's a recent pytorch supply chain attack report
> > <https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
> > which will be relevant to us if we choose to use github actions to
> > auto publish to pypi, then we probably should follow their suggested
> > mitigation
> > <https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>,
> > which is to change to "Require approval for all outside collaborators":
> > image.png
> > (changing this setting on github also requires admin access, the
> > screenshot is taken from a repo I have admin access on)
> >
> > On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer <jensge...@hotmail.com> wrote:
> >
> >
> >     I can probably add you to the PyPi maintainer list. Would that help?
> >
> >
> >     On 12.01.2024 at 23:19 Yuxuan Wang wrote:
> >     > IMHO there are two issues with the pypi publishing problem:
> >     > technical and non-technical.
> >     >
> >     > The non-technical issue is the credential/secret required to
> >     > publish to https://pypi.org/project/thrift/. Any technical
> >     > solution also depends on that being available.
> >     >
> >     > Once we have it (in github actions secret store, for example), then
> >     > the technical solution is not the hard part. As I mentioned in the
> >     > jira thread, Reddit already has a github action pipeline to publish
> >     > to pypi on git tag we can upstream to thrift project to be used (so
> >     > whenever a maintainer pushes a tag to github, github actions auto
> >     > publishes to pypi). Or others can contribute other solutions.
> >     >
> >     > On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer <je...@apache.org> wrote:
> >     >
> >     >> @all,
> >     >>
> >     >> I just want to bring up that topic again. There is a rather
> >     >> frequent stream of (absolutely legitimate) questions regarding the
> >     >> PyPi packages not being published.
> >     >>
> >     >> So it seems fair to say that there is obviously a certain demand
> >     >> within the community, which is super great. Now on the other hand
> >     >> we have no noteworthy reactions from that very same community to
> >     >> help with that topic.
> >     >>
> >     >> Let me put it bluntly. This is not your mother's supermarket where
> >     >> stock refills almost like automagically overnight. This is open
> >     >> source. It works as long as there are at least some people spending
> >     >> parts of their valuable time supporting projects. It is about
> >     >> giving & taking.
> >     >>
> >     >> Thrift supports about 20+ target languages. So it is fair to say
> >     >> that supporting packages for all of them (where appropriate) is
> >     >> quite a bit of work.
> >     >>
> >     >> Of course I can only speak for myself, but I personally maintain
> >     >> quite a number of packages after each release. Thanks to the great
> >     >> work of other people (e.g. @JimKing) who spent their time on that
> >     >> topic before me, this became manageable by setting up and
> >     >> documenting a well-defined process to follow which also does not
> >     >> eat too much additional release time.
> >     >>
> >     >> If we can have such a process for PyPi that would be super
> >     >> awesome. Right now this is not the case, unfortunately. This is
> >     >> where you could chime in.
> >     >>
> >     >> See also https://github.com/apache/thrift/pull/2555
> >     >>
> >     >> Happy New Year everybody,
> >     >> JensG
> >     >>
> >     >>
> >     >>
> >
