Re: Determining what to retrieve from pypi and/or devpi-server

2019-08-22 Thread Chris Jerdonek
On Thu, Aug 22, 2019 at 9:23 AM Michael Felt  wrote:

>   ...
>   creating build/bdist.aix-6.1/wheel/cffi-1.12.3.dist-info/WHEEL
>   creating '/tmp/pip-wheel-u4xy3jit/cffi-1.12.3-cp37-cp37m-aix_6_1.whl'
>

It looks like this is where the wheel package creates the file name:
https://github.com/pypa/wheel/blob/b227ddd5beaba49294017d061d501f6d433393b0/wheel/bdist_wheel.py#L230-L231
(by calling the bdist_wheel.get_tag() method)

--Chris



-- 
You received this message because you are subscribed to the Google Groups 
"pypa-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to pypa-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pypa-dev/CAOTb1wfyChySUaMeshNzJ9bVSXLeUTES_PcuzFjNdsZYGXPupQ%40mail.gmail.com.


Re: Determining what to retrieve from pypi and/or devpi-server

2019-08-22 Thread Chris Jerdonek
On Wed, Aug 21, 2019 at 3:36 PM Michael Felt aka aixtools <
aixto...@gmail.com> wrote:

> And, e.g., for cffi, it creates a wheel with this file name:
> cffi-1.12.3-cp37-cp37m-aix_6_1.whl
> ...
> Sadly, the name of the wheels it creates have not changed. I have not had
> any success (or luck) finding the logic that generates the filename for a
> new wheel.
>

How are you generating your wheels? You might want to read this:
https://pip.pypa.io/en/stable/user_guide/#installing-from-wheels
I'm not 100% sure, but the code for that might be here:
https://github.com/pypa/wheel
That project also has a copy of pip's pep425tags.py file.

--Chris





>
> Some pointers would be greatly appreciated.
>
> Michael
>
>
> On Friday, August 16, 2019 at 4:06:35 PM UTC+1, Michael Felt aka aixtools
> wrote:
>>
>> On 16/08/2019 13:08, Chris Jerdonek wrote:
>> > On Fri, Aug 16, 2019 at 3:53 AM Chris Jerdonek
>> > wrote:
>> Thanks for both replies. I'll dig further (later).
>> >> On Fri, Aug 16, 2019 at 2:30 AM Michael Felt aka aixtools <
>> >> wrote:
>> >>
>> >>> From my playing with devpi-server I expect it goes something like
>> what
>> >>> the devpi(-client) list command does - to see what is available, and
>> from
>> >>> that chooses something.
>> >>>
>> >>> Does pip depend on the CPython get_platform(), or is there a "pip
>> owned
>> >>> and managed" version that basically overrules the distutils (and
>> >>> sys.get_platform()) implementations?
>> >>>
>> >> I'm sure others will chime in with more info. But quickly, on the
>> second
>> >> part, the function that pip uses to generate the list of compatible
>> tags
>> >> (for choosing among wheels) is the get_supported() function in pip's
>> >> pep425tags.py:
>> >>
>> https://github.com/pypa/pip/blob/76ae377d7e38b5df8587d63b52464a08471eb1d1/src/pip/_internal/pep425tags.py#L279
>> >>
>> >> The latest version of pip has a new "pip debug" command that displays,
>> >> along with other info, the resulting list of tags for the environment
>> under
>> >> which the command is run (by calling that function).
>> >>
>> > Also, I believe the plan is for pep425tags.py to be replaced by this
>> module
>> > (but it's not incorporated into pip yet):
>> > https://github.com/pypa/packaging/blob/master/packaging/tags.py
>> >
>> > --Chris
>> >
>> >
>> >
>> >> --Chris
>> >>
>> >>
>> >>> Thanks.
>> >>>



Re: Determining what to retrieve from pypi and/or devpi-server

2019-08-16 Thread Chris Jerdonek
On Fri, Aug 16, 2019 at 3:53 AM Chris Jerdonek 
wrote:

> On Fri, Aug 16, 2019 at 2:30 AM Michael Felt aka aixtools <
> aixto...@gmail.com> wrote:
>
>> From my playing with devpi-server I expect it goes something like what
>> the devpi(-client) list command does - to see what is available, and from
>> that chooses something.
>>
>> Does pip depend on the CPython get_platform(), or is there a "pip owned
>> and managed" version that basically overrules the distutils (and
>> sys.get_platform()) implementations?
>>
>
> I'm sure others will chime in with more info. But quickly, on the second
> part, the function that pip uses to generate the list of compatible tags
> (for choosing among wheels) is the get_supported() function in pip's
> pep425tags.py:
> https://github.com/pypa/pip/blob/76ae377d7e38b5df8587d63b52464a08471eb1d1/src/pip/_internal/pep425tags.py#L279
>
> The latest version of pip has a new "pip debug" command that displays,
> along with other info, the resulting list of tags for the environment under
> which the command is run (by calling that function).
>

Also, I believe the plan is for pep425tags.py to be replaced by this module
(but it's not incorporated into pip yet):
https://github.com/pypa/packaging/blob/master/packaging/tags.py

--Chris



>
> --Chris
>
>
>>
>> Thanks.
>>



Re: Determining what to retrieve from pypi and/or devpi-server

2019-08-16 Thread Chris Jerdonek
On Fri, Aug 16, 2019 at 2:30 AM Michael Felt aka aixtools <
aixto...@gmail.com> wrote:

> From my playing with devpi-server I expect it goes something like what the
> devpi(-client) list command does - to see what is available, and from that
> chooses something.
>
> Does pip depend on the CPython get_platform(), or is there a "pip owned
> and managed" version that basically overrules the distutils (and
> sys.get_platform()) implementations?
>

I'm sure others will chime in with more info. But quickly, on the second
part, the function that pip uses to generate the list of compatible tags
(for choosing among wheels) is the get_supported() function in pip's
pep425tags.py:
https://github.com/pypa/pip/blob/76ae377d7e38b5df8587d63b52464a08471eb1d1/src/pip/_internal/pep425tags.py#L279

The latest version of pip has a new "pip debug" command that displays,
along with other info, the resulting list of tags for the environment under
which the command is run (by calling that function).

--Chris
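
The tag matching discussed in this thread (the tag triple in a wheel's file name, compared against an ordered list of compatible tags such as the one get_supported() builds), as a simplified added example that is not pip's or wheel's own code. The names `wheel_tags` and `pick_wheel` are hypothetical, and the tag list and candidate file names are constructed.

```python
import re

# PEP 427 name: {dist}-{version}[-{build}]-{python}-{abi}-{platform}.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)

def wheel_tags(filename):
    """Return the set of (python, abi, platform) tags a wheel name declares."""
    m = WHEEL_RE.match(filename)
    if m is None:
        raise ValueError("not a valid wheel file name: %r" % filename)
    # PEP 425 compressed tag sets: each part may hold '.'-separated values.
    return {
        (py, abi, plat)
        for py in m.group("py").split(".")
        for abi in m.group("abi").split(".")
        for plat in m.group("plat").split(".")
    }

def pick_wheel(candidates, supported):
    """Return the candidate matching the most preferred supported tag, or None.

    `supported` is ordered most-preferred first; it stands in for the list
    that get_supported() produces and "pip debug" displays.
    """
    rank = {tag: i for i, tag in enumerate(supported)}
    best = None
    for filename in candidates:
        try:
            scores = [rank[t] for t in wheel_tags(filename) if t in rank]
        except ValueError:
            continue  # skip names that are not well-formed wheels
        if scores and (best is None or min(scores) < best[0]):
            best = (min(scores), filename)
    return best[1] if best else None

# Constructed data: a hypothetical CPython 3.7 / AIX 6.1 tag list and index listing.
SUPPORTED = [
    ("cp37", "cp37m", "aix_6_1"),
    ("cp37", "none", "aix_6_1"),
    ("py3", "none", "any"),
]
CANDIDATES = [
    "cffi-1.12.3-cp37-cp37m-manylinux1_x86_64.whl",
    "cffi-1.12.3-py2.py3-none-any.whl",
    "cffi-1.12.3-cp37-cp37m-aix_6_1.whl",
]
```

A wheel whose platform tag is absent from the supported list is never selected, which is why the platform string produced at build time has to agree with what the installing side computes.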


>
> Thanks.
>


Re: package verification

2019-07-27 Thread Chris Jerdonek
On Fri, Jul 26, 2019 at 4:57 AM Ioakim Ioakim  wrote:

> I am not sure. I am just looking to find where in the source code a
> package gets verified before being installed on a client's machine
>

If you're using pip with e.g. --require-hashes, it looks like these (after
a quick search) are the two main places in pip's code where pip checks the
hashes of downloaded files:

* in _download_url():
https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L858-L859
* in unpack_file_url():
https://github.com/pypa/pip/blob/2e51624bbb42c83ac3ec5898f71657ea5186a784/src/pip/_internal/download.py#L959-L965

--Chris
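
What a hash check of this kind amounts to, as an added sketch that is not pip's implementation: the `--hash=<algorithm>:<digest>` options on a requirements line are collected, and a downloaded file is accepted only if its digest equals one of them. The names `parse_hashes` and `check_download` are hypothetical, the restriction to sha256/sha384/sha512 is this sketch's assumption, and the sample bytes are constructed.

```python
import hashlib

STRONG = ("sha256", "sha384", "sha512")  # algorithms this sketch accepts

def parse_hashes(requirement_line):
    """Collect the --hash=<algo>:<hexdigest> options of one requirements line."""
    allowed = {}
    for token in requirement_line.split():
        if token.startswith("--hash="):
            algo, _, digest = token[len("--hash="):].partition(":")
            if algo not in STRONG or not digest:
                raise ValueError("unsupported or malformed option: " + token)
            allowed.setdefault(algo, []).append(digest.lower())
    return allowed

def check_download(stream, allowed, chunk_size=8192):
    """Return True only if the stream's digest equals one of the pinned hashes."""
    if not allowed:
        return False  # fail closed: no pinned hash means nothing can be trusted
    hashers = {algo: hashlib.new(algo) for algo in allowed}
    # Hash in chunks so large archives are never held in memory at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return any(
        hashers[algo].hexdigest() in digests
        for algo, digests in allowed.items()
    )

# Constructed sample: stand-in file content and the line that pins it.
GOOD = b"constructed wheel bytes"
REQ = "cffi==1.12.3 --hash=sha256:" + hashlib.sha256(GOOD).hexdigest()
```

The check runs on the bytes actually received, before anything is unpacked or executed, so a file altered on the index or in transit is rejected rather than installed.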



Re: Impending silent breakage of pip / macOS likely to cause severe confusion

2018-04-09 Thread Chris Jerdonek
On Mon, Apr 9, 2018 at 11:28 AM Donald Stufft <don...@stufft.io> wrote:

>
> > On Apr 9, 2018, at 1:33 PM, Erik Bray <erik.m.b...@gmail.com> wrote:
> >
> > On Fri, Apr 6, 2018 at 11:36 PM, Chris Jerdonek
> > <chris.jerdo...@gmail.com> wrote:
> >>
> >> On Fri, Apr 6, 2018 at 11:21 AM Donald Stufft <don...@stufft.io> wrote:
> >>>
> >>> No, there’s not. pip makes HTTP requests and there’s no place for extra
> >>> metadata attached to those requests except in the HTTP status code (which
> as
> >>> you noted, pip swallows by default because historically we didn’t know
> if
> >>> the URL was expected to work or not). The simple API wasn’t really
> designed,
> >>> it evolved out of the primordial ooze.
> >>
> >>
> >> Would it make sense to open an issue for future versions of pip to allow
> >> such metadata to be attached and displayed, or is there already such an
> >> issue?
> >
> > I was going to suggest the same--while it would be too late to help in
> > this particular case (and as Donald already convincingly explained,
> > it probably won't have huge impact), this case, others I can think of
> > before it, and others that are likely to occur in the future would
> > have been well-served by the ability of PyPI administrators to set
> > arbitrary broadcast messages (a MotD if you will) to send along with
> > HTTP responses from PyPI (they could even go in an HTTP header,
> > perhaps).
> >
> > Best,
> > E
>
> It wouldn’t be a pip issue, it’d be a distutils-sig discussion and an
> amendment to PEP 503. The primary concern would be that as we move to a
> world where metadata is signed to prevent a malicious repository from
> attacking users, that this is another avenue that an attacker could take to
> trick end users (imagine a MOTD that says to pip install malicious-package).
>
> That doesn’t make it impossible, or a bad idea though! It just is
> something to consider, and the best avenue is distutils-sig.


I raised this suggestion on distutils-sig, FYI:
https://mail.python.org/pipermail/distutils-sig/2018-April/032141.html

—Chris


Re: Impending silent breakage of pip / macOS likely to cause severe confusion

2018-04-06 Thread Chris Jerdonek
On Fri, Apr 6, 2018 at 11:21 AM Donald Stufft  wrote:

> No, there’s not. pip makes HTTP requests and there’s no place for extra
> metadata attached to those requests except in the HTTP status code (which as
> you noted, pip swallows by default because historically we didn’t know if
> the URL was expected to work or not). The simple API wasn’t really
> designed, it evolved out of the primordial ooze.
>
>
Would it make sense to open an issue for future versions of pip to allow
such metadata to be attached and displayed, or is there already such an
issue?

—Chris







Re: New pip core developer: Pradyun Gedam

2017-10-06 Thread Chris Jerdonek
Congrats, Pradyun! As a contributor to pip, I definitely appreciate all of
Pradyun's efforts on the tracker, including his reviews, triaging, and
general friendliness and helpfulness. :) Well-deserved!

--Chris



On Thu, Oct 5, 2017 at 1:55 PM, Xavier Fernandez 
wrote:

> Welcome Pradyun !
>
> Glad to have you onboard :)
>
> On Thu, Oct 5, 2017 at 10:51 PM, Paul Moore  wrote:
>
>> Many of you will have seen the work Pradyun has been doing on the pip
>> tracker recently. He's been doing a fantastic job, and as a result,
>> we've offered him core developer status - and I'm pleased to say that
>> he's accepted :-)
>>
>> Welcome, Pradyun - thanks for all the work you've been doing, and
>> here's to plenty more ;-)
>>
>> Paul
>>
>
>