On Tuesday, March 5, 2013 at 4:01 AM, Donald Stufft wrote:
> On Thursday, February 28, 2013 at 8:35 AM, Donald Stufft wrote:
> > >
> >
> > https://crate.io/externally-hosted/ A list of things that have no files
> > hosted on
> > PyPI but have a release. This doesn't include things that uploads s
On Thursday, February 28, 2013 at 8:35 AM, Donald Stufft wrote:
> >
> >
> >
>
> https://crate.io/externally-hosted/ A list of things that have no files
> hosted on
> PyPI but have a release. This doesn't include things that uploads sometimes
> but not every time (argparse for example the latest
On Fri, Mar 1, 2013 at 4:24 AM, M.-A. Lemburg wrote:
> On 01.03.2013 10:02, Reinout van Rees wrote:
>> On 28-02-13 21:08, holger krekel wrote:
I have seen that position in this discussion ("I have to upload 120
>files per release, so I won't do that", for instance).
>>
>>> haven't seen t
Marc Andre: I'm cc'ing Van: can you explain why the pypi terms are a bummer so
we can see if there is actually an issue to be resolved or a matter of taste?
We need to protect the foundation while preserving author rights - but I don't
want one user / subset dictating how we evolve the technolog
On 1 March 2013 20:24, M.-A. Lemburg wrote:
> * PyPI doesn't allow us to upload two egg files with the same
> name: we have to provide egg files for UCS2 Python builds and
> UCS4 Python builds, since easy_install/setuptools/pip don't
> differentiate between the two variants. This is the main
On Fri, Mar 01, 2013 at 10:24 +0100, M.-A. Lemburg wrote:
> On 01.03.2013 10:02, Reinout van Rees wrote:
> > On 28-02-13 21:08, holger krekel wrote:
> >>> I have seen that position in this discussion ("I have to upload 120
> >>> >files per release, so I won't do that", for instance).
> >
> >> have
On 01.03.2013 10:02, Reinout van Rees wrote:
> On 28-02-13 21:08, holger krekel wrote:
>>> I have seen that position in this discussion ("I have to upload 120
>>> >files per release, so I won't do that", for instance).
>
>> haven't seen that.
>
> Marc-Andre Lemburg said this, which I took to mean
On Fri, Mar 01, 2013 at 10:02 +0100, Reinout van Rees wrote:
> On 28-02-13 21:08, holger krekel wrote:
> >>I have seen that position in this discussion ("I have to upload 120
> >>>files per release, so I won't do that", for instance).
>
> >haven't seen that.
>
> Marc-Andre Lemburg said this, whic
On 28-02-13 21:08, holger krekel wrote:
I have seen that position in this discussion ("I have to upload 120
>files per release, so I won't do that", for instance).
haven't seen that.
Marc-Andre Lemburg said this, which I took to mean 120 uploads per release:
"""
However, taking our egenix-m
On Thu, Feb 28, 2013 at 8:52 PM, holger krekel wrote:
> There are also packages which have some (older) release files on pypi
> and newer ones outside (e.g. "lockfile" with 78256 downloads from
> code.google.com). You didn't include such in your 2651 emails, or did you?
No, I didn't, I assumed t
On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft wrote:
> SSL checking on upload should be possible, do you want
> a patch?
If it uses the 'requests' library, yes, I'll accept one. But I don't
want to do any direct implementation of SSL cert checking in
setuptools, at least in the short run (next
On Thursday, February 28, 2013 at 6:31 PM, PJ Eby wrote:
> On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft (mailto:donald.stu...@gmail.com)> wrote:
> > SSL checking on upload should be possible, do you want
> > a patch?
> >
>
>
> If it uses the 'requests' library, yes, I'll accept one. But I don
On Thursday, February 28, 2013 at 1:23 PM, PJ Eby wrote:
> On Thu, Feb 28, 2013 at 4:08 AM, Nick Coghlan (mailto:ncogh...@gmail.com)> wrote:
> > On Thu, Feb 28, 2013 at 7:00 PM, holger krekel > (mailto:hol...@merlinux.eu)> wrote:
> > > To summarize, having pip/easy_install report red warnings and
On Thu, Feb 28, 2013 at 7:38 PM, PJ Eby wrote:
> I can't speak to pip, but since the relevant bits of distribute are
> 95% the same as setuptools, I think I can say that it will have the
> same technical issues, and that warning based on lack of an
> --allow-hosts will be both simpler to implement
On Thu, Feb 28, 2013 at 13:56 +0100, Reinout van Rees wrote:
> On 28-02-13 10:43, holger krekel wrote:
> >On Thu, Feb 28, 2013 at 06:38 +0100, Andreas Jung wrote:
> >>
> >>I give a shit at the arguments pulled out every time by package
> >>maintainers using PyPI only for listing their packages. I a
On Thu, Feb 28, 2013 at 16:30 +0100, Lennart Regebro wrote:
> On Thu, Feb 28, 2013 at 10:43 AM, Lennart Regebro wrote:
> > On Thu, Feb 28, 2013 at 9:28 AM, Nick Coghlan wrote:
> >> Pissing off the maintainers of packages that currently rely on
> >> external hosting by telling them they have to c
On Thu, Feb 28, 2013 at 4:28 AM, Lennart Regebro wrote:
> My suggestions to move forward on this issue is as follows:
>
> 1. New versions of pip and distribute are released that will start
> warning if they download distributions that are not from PyPI, unless
> explicitly given a URL to download.
On Thu, Feb 28, 2013 at 4:08 AM, Nick Coghlan wrote:
> On Thu, Feb 28, 2013 at 7:00 PM, holger krekel wrote:
>> To summarize, having pip/easy_install report red warnings and requiring
>> to pass a "--htmlscrape=PROJ1,PROJ2" option or so is a good way to
>> communicate, removing the ability is not
On Feb 28, 2013, at 3:43 AM, Nick Coghlan wrote:
> On Thu, Feb 28, 2013 at 6:12 PM, M.-A. Lemburg wrote:
>> On 28.02.2013 07:39, Nick Coghlan wrote:
>>> 1. The next generation metadata infrastructure will NOT support
>>> external hosting of files indexed on PyPI - if you don't upload the
>>> arc
On Thu, Feb 28, 2013 at 10:30 AM, Lennart Regebro wrote:
> On Thu, Feb 28, 2013 at 10:43 AM, Lennart Regebro wrote:
>> On Thu, Feb 28, 2013 at 9:28 AM, Nick Coghlan wrote:
>>> Pissing off the maintainers of packages that currently rely on
>>> external hosting by telling them they have to change
On Thu, Feb 28, 2013 at 10:43 AM, Lennart Regebro wrote:
> On Thu, Feb 28, 2013 at 9:28 AM, Nick Coghlan wrote:
>> Pissing off the maintainers of packages that currently rely on
>> external hosting by telling them they have to change their release
>> processes if they want to keep releasing soft
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Reinout van Rees wrote:
> On 28-02-13 10:43, holger krekel wrote:
>> On Thu, Feb 28, 2013 at 06:38 +0100, Andreas Jung wrote:
>>>
>>> I give a shit at the arguments pulled out every time by package
>>> maintainers using PyPI only for listing their
On Thu, Feb 28, 2013 at 7:43 AM, Reinout van Rees wrote:
> On 27-02-13 16:26, Donald Stufft wrote:
>>
>>2. External links decrease the expected uptime for a particular set
>>of requirements. PyPI itself has become very stable, however
>>the same cannot be said for all of the ho
On Thursday, February 28, 2013 at 7:56 AM, Reinout van Rees wrote:
> On 28-02-13 10:43, holger krekel wrote:
> > On Thu, Feb 28, 2013 at 06:38 +0100, Andreas Jung wrote:
> > >
> > > I give a shit at the arguments pulled out every time by package
> > > maintainers using PyPI only for listing their
On 28-02-13 10:43, holger krekel wrote:
On Thu, Feb 28, 2013 at 06:38 +0100, Andreas Jung wrote:
I give a shit at the arguments pulled out every time by package
maintainers using PyPI only for listing their packages. I am both
annoyed and bothered by these people.
I didn't see such positions
On 27-02-13 16:26, Donald Stufft wrote:
2. External links decrease the expected uptime for a particular set
of requirements. PyPI itself has become very stable, however
the same cannot be said for all of the hosts linked that the
toolchain
processes. Each new host is an ad
On Thursday, February 28, 2013 at 5:29 AM, M.-A. Lemburg wrote:
> On 27.02.2013 19:21, Donald Stufft wrote:
> > On Wednesday, February 27, 2013 at 1:11 PM, M.-A. Lemburg wrote:
> > > On 27.02.2013 18:37, Donald Stufft wrote:
> > > > On Wednesday, February 27, 2013 at 12:10 PM, M.-A. Lemburg wrote:
On 27.02.2013 19:21, Donald Stufft wrote:
> On Wednesday, February 27, 2013 at 1:11 PM, M.-A. Lemburg wrote:
>> On 27.02.2013 18:37, Donald Stufft wrote:
>>> On Wednesday, February 27, 2013 at 12:10 PM, M.-A. Lemburg wrote:
Package installers only need access to the static files in
the /s
no support for UCS2/UCS4 binary distributions, unsupported
distribution file formats (e.g. our prebuilt format),
Not sure why PyPI would even care what charset the package files use,
but if true that's certainly a bug and we can get that fixed. What
file formats do pip/buildout support that PyPI
On 28 February 2013 20:09, holger krekel wrote:
> On Thu, Feb 28, 2013 at 09:48 +1100, Richard Jones wrote:
>> On 28 February 2013 08:31, PJ Eby wrote:
>> > OTOH, I currently make development snapshots of setuptools and other
>> > projects available by dumping them in a directory that's used as a
On Thu, Feb 28, 2013 at 9:28 AM, Nick Coghlan wrote:
> Pissing off the maintainers of packages that currently rely on
> external hosting by telling them they have to change their release
> processes if they want to keep releasing software on PyPI and have
> their users actually be able to downloa
On Thu, Feb 28, 2013 at 06:38 +0100, Andreas Jung wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> +1 for the proposal
>
> The complete discussion on this topic is once again absurd and bizarre.
> We are discussing the issue with externally hosted packages every year
> and the situati
On Thu, Feb 28, 2013 at 12:16 AM, Aaron Meurer wrote:
> And by the way, this hasn't been mentioned, but I really mean *all*
> mentions of Google Code on PyPI. pip crawls Google Code not just
> because Google Code listed as an official site for my package or
> because the latest release is there,
On Thu, Feb 28, 2013 at 09:48 +1100, Richard Jones wrote:
> On 28 February 2013 08:31, PJ Eby wrote:
> > OTOH, I currently make development snapshots of setuptools and other
> > projects available by dumping them in a directory that's used as an
> > external download URL. Replacing that would be
On Thu, Feb 28, 2013 at 7:00 PM, holger krekel wrote:
> To summarize, having pip/easy_install report red warnings and requiring
> to pass a "--htmlscrape=PROJ1,PROJ2" option or so is a good way to
> communicate, removing the ability is not, at this point.
+1
I'm a fan of updating the client side
On Wed, Feb 27, 2013 at 22:04 +0100, Lennart Regebro wrote:
> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor wrote:
> >> But wouldn't this only be a change in pip/easy_install, not PyPI
> >> itself? I suppose you could explicitly break the external links by
> >> having them point to nothing if you
On Thu, Feb 28, 2013 at 6:12 PM, M.-A. Lemburg wrote:
> On 28.02.2013 07:39, Nick Coghlan wrote:
>> 1. The next generation metadata infrastructure will NOT support
>> external hosting of files indexed on PyPI - if you don't upload the
>> archive files to PyPI, they won't be included in the next ge
On Thu, Feb 28, 2013 at 5:01 PM, Donald Stufft wrote:
> I'm glad the next set of Metadata won't have external links, however
> even if it showed up tomorrow it's going to be a long time until
> people are completely migrated to it. Furthermore you estimate
> months but the first phase will have po
On 28.02.2013 07:39, Nick Coghlan wrote:
> On Thu, Feb 28, 2013 at 6:27 AM, Donald Stufft
> wrote:
>> Sometimes you need to break things. The goal is to do it with ample
>> warning and migration time so that people have a chance to move
>> to the new way of doing things.
>>
>> Again, I am not sug
On Thursday, February 28, 2013 at 1:39 AM, Nick Coghlan wrote:
> On Thu, Feb 28, 2013 at 6:27 AM, Donald Stufft (mailto:donald.stu...@gmail.com)> wrote:
> > Sometimes you need to break things. The goal is to do it with ample
> > warning and migration time so that people have a chance to move
> > t
On Thu, Feb 28, 2013 at 6:27 AM, Donald Stufft wrote:
> Sometimes you need to break things. The goal is to do it with ample
> warning and migration time so that people have a chance to move
> to the new way of doing things.
>
> Again, I am not suggesting we delete all external links immediately, j
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
+1 for the proposal
The complete discussion on this topic is once again absurd and bizarre.
We are discussing the issue with externally hosted packages every year
and the situation has not improved. Especially people using "buildout"
encounter very re
On Wed, Feb 27, 2013 at 4:28 PM, Lennart Regebro wrote:
> That result in the following actions from easy_install, where "Process
> url:" means it looks at the URL to see if it is a distribution
> package, or if it is HTML, if that page possibly contains links that
> could be a distribution package
> maintainers. The way pip works now, every time I do a release
> candidate, pip automatically installs it, even though I only upload it
>
an option to exclude pre-releases (or in reverse, an option to allow them)
does seem overdue.
reasons not to do this? anyone? links to the most relevant
conve
On Wednesday, February 27, 2013 at 8:34 PM, Aaron Meurer wrote:
> On Wed, Feb 27, 2013 at 6:24 PM, Donald Stufft (mailto:donald.stu...@gmail.com)> wrote:
> > On Wednesday, February 27, 2013 at 8:13 PM, PJ Eby wrote:
> >
> > On Wed, Feb 27, 2013 at 7:36 PM, Donald Stufft > (mailto:donald.stu...@g
On Wed, Feb 27, 2013 at 6:24 PM, Donald Stufft wrote:
> On Wednesday, February 27, 2013 at 8:13 PM, PJ Eby wrote:
>
> On Wed, Feb 27, 2013 at 7:36 PM, Donald Stufft
> wrote:
>
> This seems a bit complicated, people in general don't even know
> the external link spidering exists, much less underst
On Wednesday, February 27, 2013 at 8:13 PM, PJ Eby wrote:
> On Wed, Feb 27, 2013 at 7:36 PM, Donald Stufft (mailto:donald.stu...@gmail.com)> wrote:
> > This seems a bit complicated, people in general don't even know
> > the external link spidering exists, much less understand the intricacies
> > o
On Wed, Feb 27, 2013 at 7:36 PM, Donald Stufft wrote:
> This seems a bit complicated, people in general don't even know
> the external link spidering exists, much less understand the intricacies
> of what types of links get spidered when. A simple "After X date no new
> urls will be added and afte
On Wednesday, February 27, 2013 at 7:20 PM, PJ Eby wrote:
> On Wed, Feb 27, 2013 at 4:50 PM, Donald Stufft (mailto:donald.stu...@gmail.com)> wrote:
> > Development snapshots are a use case that I'm not sure makes sense
> > for PyPI, but if they do should require specific opt-in to install them.
>
On Wednesday, February 27, 2013 at 7:08 PM, PJ Eby wrote:
> On Wed, Feb 27, 2013 at 6:16 PM, Aaron Meurer (mailto:asmeu...@gmail.com)> wrote:
> > As far as I'm concerned, this is all about helping package
> > maintainers. The way pip works now, every time I do a release
> > candidate, pip automati
On Wed, Feb 27, 2013 at 4:50 PM, Donald Stufft wrote:
> Development snapshots are a use case that I'm not sure makes sense
> for PyPI, but if they do should require specific opt-in to install them.
> Does easy_install have a command line flag that adds extra links?
*chuckle*. Yes, it's the origi
On Wed, Feb 27, 2013 at 6:16 PM, Aaron Meurer wrote:
> As far as I'm concerned, this is all about helping package
> maintainers. The way pip works now, every time I do a release
> candidate, pip automatically installs it, even though I only upload it
> to Google Code. I don't want it to do this,
On Wed, Feb 27, 2013 at 2:31 PM, PJ Eby wrote:
> On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro wrote:
>> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor wrote:
But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I suppose you could explicitly break the external li
On Wed, Feb 27, 2013 at 11:48 PM, Richard Jones wrote:
> I've advocated us having the upload/register/whatever functionality in
> a separate tool for a while, but that doesn't seem to have gained any
> traction. Of course issues around the complexity introduced by
> setup.py make it much harder.
On 28 February 2013 08:31, PJ Eby wrote:
> OTOH, I currently make development snapshots of setuptools and other
> projects available by dumping them in a directory that's used as an
> external download URL. Replacing that would be a PITA because PyPI
> only lets you upload and register new releas
On Wednesday, February 27, 2013 at 4:31 PM, PJ Eby wrote:
> So far, I don't think anybody's talking to the right "we" for stopping
> it. It's the tools that control this, not PyPI. (PyPI can't actually
> stop the tools from using this information without also making itself
> a lot less useful to *h
On Wed, Feb 27, 2013 at 10:31 PM, PJ Eby wrote:
> Replacing that would be a PITA because PyPI
> only lets you upload and register new releases from distutils' command
> line.
You can upload files, but not create new releases. But that seems like
a pretty minor addition, or?
> Anyway, I'm not see
On 27 Feb 2013, at 21:16, holger krekel wrote:
> On Wed, Feb 27, 2013 at 14:49 -0500, Monty Taylor wrote:
>> On 02/27/2013 02:47 PM, Aaron Meurer wrote:
>>
>> If we don't remove the feature from pypi itself, then it won't help the
>> folks for whom it's a problem, because there will be no incenti
On Wednesday, February 27, 2013 at 4:17 PM, PJ Eby wrote:
> On Wed, Feb 27, 2013 at 1:34 PM, Lennart Regebro (mailto:rege...@gmail.com)> wrote:
> > On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg > (mailto:m...@egenix.com)> wrote:
> > > I'm not saying that it's not a good idea to host packages on
On Feb 27, 2013, at 1:31 PM, PJ Eby wrote:
> On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro wrote:
>> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor wrote:
But wouldn't this only be a change in pip/easy_install, not PyPI
itself? I suppose you could explicitly break the external links
On Wed, Feb 27, 2013 at 10:17 PM, PJ Eby wrote:
> I haven't seen anybody mention it yet, but checkouts of development
> versions are a use case that can't currently be addressed without
> support for multiple external links. For example, setuptools itself
> offers SVN checkout URLs for two differ
On Wed, Feb 27, 2013 at 4:04 PM, Lennart Regebro wrote:
> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor wrote:
>>> But wouldn't this only be a change in pip/easy_install, not PyPI
>>> itself? I suppose you could explicitly break the external links by
>>> having them point to nothing if you are wo
On Wed, Feb 27, 2013 at 9:01 PM, Donald Stufft wrote:
> Modify the PyPI software to no longer link to those urls.
Well, I guess we can remove the software home page and the download
URLs from the simple index.
For example, in PIL's case the simple index looks like this:
1.1.5a1 home_page
1.1.5
On Wed, Feb 27, 2013 at 1:34 PM, Lennart Regebro wrote:
> On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg wrote:
>> I'm not saying that it's not a good idea to host packages on PyPI,
>> but forcing the community into doing this is not a good idea.
>
> I still don't understand why not. The only rea
On 02/27/2013 04:04 PM, Lennart Regebro wrote:
> On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor wrote:
>>> But wouldn't this only be a change in pip/easy_install, not PyPI
>>> itself? I suppose you could explicitly break the external links by
>>> having them point to nothing if you are worried ab
On Wed, Feb 27, 2013 at 8:49 PM, Monty Taylor wrote:
>> But wouldn't this only be a change in pip/easy_install, not PyPI
>> itself? I suppose you could explicitly break the external links by
>> having them point to nothing if you are worried about the security or
>> if it's some performance issue
On Wed, Feb 27, 2013 at 3:27 PM, Donald Stufft wrote:
> I'm not asking for this to be shut off immediately, it will be phased,
> particularly so project maintainers can be made aware that it's
> going away and can upload versions to PyPI to prevent this kind of
> widespread breakage. Particularly
On Feb 28, 2013 2:26 AM, "Donald Stufft" wrote:
> I propose we deprecate the external links that PyPI has published
> on the /simple/ indexes which exist because of the history of PyPI.
+1
___
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.
> As far as I'm concerned, pip is broke too, in the sense that the method we
> use to make pip work in Python 3 is a bit of an annoying hack (namely,
> upload a separate tarball for each minor Python 3 version).
>
>
I agree it's a hack.
but only >=1.2 package metadata supports "requires-python" and
On Wednesday, February 27, 2013 at 3:16 PM, holger krekel wrote:
> On Wed, Feb 27, 2013 at 14:49 -0500, Monty Taylor wrote:
> > On 02/27/2013 02:47 PM, Aaron Meurer wrote:
> > > On Wed, Feb 27, 2013 at 11:37 AM, holger krekel > > (mailto:hol...@merlinux.eu)> wrote:
> > > > On Wed, Feb 27, 2013 at
On Feb 27, 2013, at 12:16 PM, holger krekel wrote:
> On Wed, Feb 27, 2013 at 14:49 -0500, Monty Taylor wrote:
>> On 02/27/2013 02:47 PM, Aaron Meurer wrote:
>>> On Wed, Feb 27, 2013 at 11:37 AM, holger krekel wrote:
On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
> On Wed, F
On Wed, Feb 27, 2013 at 14:49 -0500, Monty Taylor wrote:
> On 02/27/2013 02:47 PM, Aaron Meurer wrote:
> > On Wed, Feb 27, 2013 at 11:37 AM, holger krekel wrote:
> >> On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
> >>> On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg wrote:
> I'm
On Wed, Feb 27, 2013 at 3:08 PM, Aaron Meurer wrote:
> On Feb 27, 2013, at 1:01 PM, Donald Stufft wrote:
>
> On Wednesday, February 27, 2013 at 2:56 PM, Aaron Meurer wrote:
>
> On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor wrote:
>
>
>
> On 02/27/2013 02:47 PM, Aaron Meurer wrote:
>
> On Wed, F
On Feb 27, 2013, at 1:01 PM, Donald Stufft wrote:
On Wednesday, February 27, 2013 at 2:56 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor wrote:
On 02/27/2013 02:47 PM, Aaron Meurer wrote:
On Wed, Feb 27, 2013 at 11:37 AM, holger krekel wrote:
On Wed, Feb 27, 2013 a
On Wednesday, February 27, 2013 at 2:56 PM, Aaron Meurer wrote:
> On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor (mailto:mord...@inaugust.com)> wrote:
> >
> >
> > On 02/27/2013 02:47 PM, Aaron Meurer wrote:
> > > On Wed, Feb 27, 2013 at 11:37 AM, holger krekel > > (mailto:hol...@merlinux.eu)> w
Would it be wrong to ask for a /complex API at the same time? The
simple api, with 28k package names on one page, is getting a little
silly.
On Wed, Feb 27, 2013 at 12:49 PM, Monty Taylor wrote:
>
>
> On 02/27/2013 02:47 PM, Aaron Meurer wrote:
>> On Wed, Feb 27, 2013 at 11:37 AM, holger krekel wrote:
>>> On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg wrote:
> I'm n
On Feb 27, 2013, at 11:47 AM, Lennart Regebro wrote:
> On a general note: It really warms my heart to see that people are
> warming up to the idea of using CDNs and getting rid of external
> downloads. I'm all for that.
Just to be clear on this point
1) Moving PyPI and other PSF properties behi
On Wednesday, February 27, 2013 at 2:47 PM, Lennart Regebro wrote:
> On a general note: It really warms my heart to see that people are
> warming up to the idea of using CDNs and getting rid of external
> downloads. I'm all for that.
Excellent. So it's a date!
On 02/27/2013 02:47 PM, Aaron Meurer wrote:
> On Wed, Feb 27, 2013 at 11:37 AM, holger krekel wrote:
>> On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
>>> On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg wrote:
I'm not saying that it's not a good idea to host packages on PyPI,
>
On a general note: It really warms my heart to see that people are
warming up to the idea of using CDNs and getting rid of external
downloads. I'm all for that.
//Lennart
On Wed, Feb 27, 2013 at 11:37 AM, holger krekel wrote:
> On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
>> On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg wrote:
>> > I'm not saying that it's not a good idea to host packages on PyPI,
>> > but forcing the community into doing this is n
On 02/27/2013 01:32 PM, Giovanni Bajo wrote:
> On 27/feb/2013, at 19:23, Donald Stufft
> mailto:donald.stu...@gmail.com>> wrote:
>
>> On Wednesday, February 27, 2013 at 12:44 PM, Donald Stufft wrote:
Why not first have a good infrastructure and capacity with
p
On Wednesday, February 27, 2013 at 1:33 PM, Donald Stufft wrote:
> On Wednesday, February 27, 2013 at 1:32 PM, Giovanni Bajo wrote:
> > In fact, Python is a big-enough brand name that we could even get a CDN
> > service almost for free in exchange of an acknowledge of the CDN company
> > bein
On Wednesday, February 27, 2013 at 1:34 PM, holger krekel wrote:
> On Wed, Feb 27, 2013 at 13:00 -0500, Jesse Noller wrote:
> > > > 2. External links decrease the expected uptime for a particular set
> > > > of requirements. PyPI itself has become very stable, however
> > > > the same cannot be sai
> I propose we deprecate the external links that PyPI has published
> on the /simple/ indexes which exist because of the history of PyPI.
> Ideally in some number of months (1? 2?) we would turn off adding
> these links from new releases, leaving the existing ones intact and
> then a few months lat
On Wed, Feb 27, 2013 at 19:34 +0100, Lennart Regebro wrote:
> On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg wrote:
> > I'm not saying that it's not a good idea to host packages on PyPI,
> > but forcing the community into doing this is not a good idea.
>
> I still don't understand why not. The on
On Wed, Feb 27, 2013 at 5:34 PM, M.-A. Lemburg wrote:
> I'm not saying that it's not a good idea to host packages on PyPI,
> but forcing the community into doing this is not a good idea.
I still don't understand why not. The only reasons I've seen are
"Because they don't want to" or "because they
On Wed, Feb 27, 2013 at 13:00 -0500, Jesse Noller wrote:
> > > 2. External links decrease the expected uptime for a particular set
> > > of requirements. PyPI itself has become very stable, however
> > > the same cannot be said for all of the hosts linked that the toolchain
> > > processes. Each ne
On Wednesday, February 27, 2013 at 1:32 PM, Giovanni Bajo wrote:
> In fact, Python is a big-enough brand name that we could even get a CDN
> service almost for free in exchange of an acknowledge of the CDN company
> being used.
>
>
As far as I know this has already been offered in some f
On 27/feb/2013, at 19:23, Donald Stufft
wrote:
> On Wednesday, February 27, 2013 at 12:44 PM, Donald Stufft wrote:
>>>
>>> Why not first have a good infrastructure and capacity with
>>> pypi.python.org so that people *want* to move their files there?
>> PyPI has had very go
On Wednesday, February 27, 2013 at 12:44 PM, Donald Stufft wrote:
> >
> > Why not first have a good infrastructure and capacity with
> > pypi.python.org (http://pypi.python.org) so that people *want* to move
> > their files there?
> >
>
> PyPI has had very good uptime since the move to OSL.
On Wednesday, February 27, 2013 at 1:11 PM, M.-A. Lemburg wrote:
> On 27.02.2013 18:37, Donald Stufft wrote:
> > On Wednesday, February 27, 2013 at 12:10 PM, M.-A. Lemburg wrote:
> > > Package installers only need access to the static files in
> > > the /simple/ index. Those can be put behind a CDN
On Feb 27, 2013, at 9:28 AM, M.-A. Lemburg wrote:
> On 27.02.2013 18:05, Noah Kantrowitz wrote:
>>
>>
>> "M.-A. Lemburg" wrote:
I propose we deprecate the external links that PyPI has published
on the /simple/ indexes which exist because of the history of PyPI.
Ideally in some n
On 27.02.2013 18:37, Donald Stufft wrote:
> On Wednesday, February 27, 2013 at 12:10 PM, M.-A. Lemburg wrote:
>> Package installers only need access to the static files in
>> the /simple/ index. Those can be put behind a CDN to increase
>> uptime.
>>
>> PyPI itself doesn't have to be up and running
Which in particular means that metadata needs to come from PyPI itself, not
from the tarball file name.
Aaron Meurer
On Feb 27, 2013, at 11:06 AM, Justin Cappos wrote:
Having different sources for package metadata does pose security concerns,
for example version mismatch attacks by a MITM. Un
Having different sources for package metadata does pose security concerns,
for example version mismatch attacks by a MITM. Unless we co-locate all
package metadata at a single source that is trusted for protecting against
these issues, this will be an issue.(However, possibly not the biggest
> > 2. External links decrease the expected uptime for a particular set
> > of requirements. PyPI itself has become very stable, however
> > the same cannot be said for all of the hosts linked that the toolchain
> > processes. Each new host is an additional SPOF.
> >
> > Ex: I depend on PyPI and 1
On Feb 27, 2013, at 10:22 AM, holger krekel wrote:
> On Wed, Feb 27, 2013 at 10:26 -0500, Donald Stufft wrote:
>> PyPI is now being served with a valid SSL certificate, and the
>> tooling has begun to incorporate SSL verification of PyPI into
>> the process. This is _excellent_ and the parties in
On Wednesday, February 27, 2013 at 12:22 PM, holger krekel wrote:
> The main means of securing against tampering is author-signatures
> and verification by installers. If we have that, the download location
> does not matter (pypi/CDN/google/...).
Again we don't have that yet, It's only 1 layer, a