Re: PyPi again

Jens Geyer Fri, 19 Jan 2024 14:21:26 -0800

Hi,

> The image is:

I see. Not sure if I can do this, since I have no access to projectsettings. Maybe INFRA can.


Have fun,

JensG



Am 18.01.2024 um 23:58 schrieb Yuxuan Wang:

My pypi account is fishy:https://pypi.org/user/fishy/

The image is:https://imgur.com/a/vkehdiF

On Thu, Jan 18, 2024 at 2:49 PM Jens Geyer<jensge...@hotmail.com>  wrote:

Hi,


I can't see the picture and I don't have your pypi username. I tried the
email but that did not work.


Have fun,

jensG


Am 17.01.2024 um 02:11 schrieb Yuxuan Wang:

I just logged into my pypi account (I was there to register an
account, and it turns out I already have one, which I have no memory
of, and I do not have any projects published there), it seems that
they actually have an automated way to create the github actions for
you automatically:

https://protect.checkpoint.com/v2/___https://docs.pypi.org/trusted-publishers/___.YzJ1OnJlZGRpdDpjOmc6OGFlODQ5M2ZiYWZjYTc2OTg1MWFlOWVlN2Y1NGI3YzI6NjoxYjIzOjE1MTU3M2QyZTExNGEzOTE5NjIxYjUzYjgyNDBhNzMxODQzN2U1ZWNmMGQ1MzMzM2EwMTY3NGFlNzk1MDA0YTI6cDpU

But I would assume that might require that I have admin access to the
github repo (not sure yet, as I don't have any other project to test),
so if you are fine with that (e.g. add me to the PyPi maintainer list,
I try to use that approach, if it doesn't work, give me admin access
to the github repo), I'm fine :)

Also, there's a recent pytorch supply chain attach report
<

https://protect.checkpoint.com/v2/___https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/___.YzJ1OnJlZGRpdDpjOmc6OGFlODQ5M2ZiYWZjYTc2OTg1MWFlOWVlN2Y1NGI3YzI6NjphNDlkOjFkYmFiNzllNjc5NzIxNWQwMjFiZWFhY2JkZjYxNGQ3NTM2OTFlMmUzOTJkYWUyMjkxMTNlYTZmMzllYjNkMDU6cDpU>

which will be relevant to us if we choose to use github actions to
auto publish to pypi, then we probably should follow their suggested
mitigation
<

https://protect.checkpoint.com/v2/___https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/%23mitigations___.YzJ1OnJlZGRpdDpjOmc6OGFlODQ5M2ZiYWZjYTc2OTg1MWFlOWVlN2Y1NGI3YzI6NjpjNDZkOjhlZjYzM2ZkOGEzNjMyNDk1OTk1OGE2MjBhZWIyNDUzMmU2Mzg4NjYzMDBkODJkNTUxYmViY2JkY2E2MDE1NjU6cDpU>,

which is to change to "Require approval for all outside collaborators":
image.png
(changing this setting on github also requires admin access, the
screenshot is taken from a repo I have admin access on)

On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer<jensge...@hotmail.com>

wrote:


     I can probably add you to the PyPi maintainer list. Would that help?


     Am 12.01.2024 um 23:19 schrieb Yuxuan Wang:
     > IMHO there are two issues with the pypi publishing problem:
     technical and
     > non-technical.
     >
     > The non-technical issue is the credential/secret required to
     publish to
     >

https://protect.checkpoint.com/v2/___https://pypi.org/project/thrift/___.YzJ1OnJlZGRpdDpjOmc6MThmM2FhOGE3MzlkYjk0ZGEzNzQwM2ZmMDhlNzUwZjg6Njo2MTllOjY0ZTYwOWM0ZmJkYjhjNGU3NjZlYTVjY2YyMmZhNDEwZTZiOGU0ZTUyNjNlZTdmOWEzNTg0YzcxYzhkMGVjMzU6cDpU
.

     Any of the technical solution also
     > depends on that being available.
     >
     > Once we have it (in github actions secret store, for example), then
     > technical solution is not the hard part. As I mentioned in the
     jira thread
     > Reddit already has a github action pipeline to publish to pypi
     on git tag
     > we can upstream to thrift project to be used (so whenever a
     maintainer
     > pushes a tag to github, github actions auto publishes to pypi).
     Or others
     > can contribute other solutions.
     >
     > On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer<je...@apache.org>

wrote:

     >
     >> @all,
     >>
     >> I just want to bring up that topic again. There is a rather
     frequent
     >> stream of (absolutely legitimate) questions regarding the PyPi
     packages
     >> not being published.
     >>
     >> So it seems fair to say that there is obviously a certain
     demand within
     >> the community, which is super great. Now on the other hand we
     have no
     >> noteworthy reactions from that very same community to help with
     that topic.
     >>
     >> Let me put it bluntly. This is not your mothers supermarked
     where stock
     >> refills almost like automagically overnight. This is open
     source. It
     >> works as long as there are at least some people spending parts
     of their
     >> valuable time supporting projects. It is about giving & taking.
     >>
     >> Thrift supports about 20+ target languages. So it is fair to
     say that
     >> supporting packages for all of them (where approprate) is quite
     a bit of
     >> work.
     >>
     >> Of course I can only speak for myself, but I personally
     maintain quite a
     >> number of packages after each release. Thanks to the great work
     of other
     >> people (e.g. @JimKing) who spent their time on that topic
     before me,
     >> this became manageable by setting up and documenting a

well-defined

     >> process to follow which also does not eat too much additional
     release time.
     >>
     >> If we can have such a process for PyPi that would be super

awesome.

     >> Right now this is not the case, unfortunately. This is where
     you could
     >> chime in.
     >>
     >> See also
     >>

https://protect.checkpoint.com/v2/___https://github.com/apache/thrift/pull/2555___.YzJ1OnJlZGRpdDpjOmc6ZGEyMWNiMjExZDEwMWVjZmIzNGI3MWIzMGFmMmEyZTY6Njo0ZDRjOmIyMTFmOWI4ODI2ZTJmZTIxMTQ0NmNhMmQ4M2I5M2EzNDBhY2VhOTVlOGE2YzVjZDgyNWZlMGVmZmZhMThhOWU6cDpU

     >>
     >> Happy New Year everybody,
     >> JensG
     >>
     >>
     >>

Re: PyPi again

Reply via email to