Re: PyPi again

2024-01-18 Thread Yuxuan Wang
My pypi account is fishy: https://pypi.org/user/fishy/

The image is: https://imgur.com/a/vkehdiF

On Thu, Jan 18, 2024 at 2:49 PM Jens Geyer  wrote:

> Hi,
>
>
> I can't see the picture and I don't have your pypi username. I tried the
> email but that did not work.
>
>
> Have fun,
>
> jensG
>
>
> On 17.01.2024 at 02:11, Yuxuan Wang wrote:
> > I just logged into my pypi account (I was there to register an
> > account, and it turns out I already have one, which I have no memory
> > of, and I do not have any projects published there), it seems that
> > they actually have an automated way to create the github actions for
> > you automatically:
> > https://docs.pypi.org/trusted-publishers/
> >
> > But I would assume that might require that I have admin access to the
> > github repo (not sure yet, as I don't have any other project to test),
> > so if you are fine with that (e.g. add me to the PyPi maintainer list,
> > I try to use that approach, if it doesn't work, give me admin access
> > to the github repo), I'm fine :)
> >
> > Also, there's a recent pytorch supply chain attack report
> > <https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
> > which will be relevant to us if we choose to use github actions to
> > auto publish to pypi, then we probably should follow their suggested
> > mitigation
> > <https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>,
> > which is to change to "Require approval for all outside collaborators":
> > image.png
> > (changing this setting on github also requires admin access, the
> > screenshot is taken from a repo I have admin access on)
> >
> > On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer wrote:
> >
> >
> > I can probably add you to the PyPi maintainer list. Would that help?
> >
> >
> > On 12.01.2024 at 23:19, Yuxuan Wang wrote:
> > > IMHO there are two issues with the pypi publishing problem: technical and
> > > non-technical.
> > >
> > > The non-technical issue is the credential/secret required to publish to
> > > https://pypi.org/project/thrift/. Any of the technical solution also
> > > depends on that being available.
> > >
> > > Once we have it (in github actions secret store, for example), then
> > > technical solution is not the hard part. As I mentioned in the jira thread
> > > Reddit already has a github action pipeline to publish to pypi on git tag
> > > we can upstream to thrift project to be used (so whenever a maintainer
> > > pushes a tag to github, github actions auto publishes to pypi). Or others
> > > can contribute other solutions.
> > >
> > > On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer wrote:
> > >
> > >> @all,
> > >>
> > >> I just want to bring up that topic again. There is a rather frequent
> > >> stream of (absolutely legitimate) questions regarding the PyPi packages
> > >> not being published.
> > >>
> > >> So it seems fair to say that there is obviously a certain demand within
> > >> the community, which is super great. Now on the other hand we have no
> > >> noteworthy reactions from that very same community to help with that topic.
> > >>
> > >> Let me put it bluntly. This is not your mother's supermarket where stock
> > >> refills almost like automagically overnight. This is open source. It
> > >> works as long as there are at least some people spending parts of their
> > >> valuable time supporting projects. It is about giving & taking.
> > >>
> > >> Thrift supports about 20+ target languages. So it is fair to say that
> > >> supporting packages for all of them (where appropriate) is quite a bit of
> > >> work.
> > >>
> > >> Of course I can only speak for myself, but I personally maintain quite a
> > >> number of packages after each release. Thanks to the great work of other
> > >> 

Re: PyPi again

2024-01-18 Thread Jens Geyer

Hi,


I can't see the picture and I don't have your pypi username. I tried the 
email but that did not work.



Have fun,

jensG


On 17.01.2024 at 02:11, Yuxuan Wang wrote:
I just logged into my pypi account (I was there to register an 
account, and it turns out I already have one, which I have no memory 
of, and I do not have any projects published there), it seems that 
they actually have an automated way to create the github actions for 
you automatically: https://docs.pypi.org/trusted-publishers/


But I would assume that might require that I have admin access to the 
github repo (not sure yet, as I don't have any other project to test), 
so if you are fine with that (e.g. add me to the PyPi maintainer list, 
I try to use that approach, if it doesn't work, give me admin access 
to the github repo), I'm fine :)


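Also, there's a recent pytorch supply chain attack report
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
which will be relevant to us if we choose to use github actions to
auto publish to pypi, then we probably should follow their suggested
mitigation
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>,
which is to change to "Require approval for all outside collaborators":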

image.png
(changing this setting on github also requires admin access, the 
screenshot is taken from a repo I have admin access on)


On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer  wrote:


I can probably add you to the PyPi maintainer list. Would that help?


On 12.01.2024 at 23:19, Yuxuan Wang wrote:
> IMHO there are two issues with the pypi publishing problem: technical and
> non-technical.
>
> The non-technical issue is the credential/secret required to publish to
> https://pypi.org/project/thrift/. Any of the technical solution also
> depends on that being available.
>
> Once we have it (in github actions secret store, for example), then
> technical solution is not the hard part. As I mentioned in the jira thread
> Reddit already has a github action pipeline to publish to pypi on git tag
> we can upstream to thrift project to be used (so whenever a maintainer
> pushes a tag to github, github actions auto publishes to pypi). Or others
> can contribute other solutions.
>
> On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer wrote:
>
>> @all,
>>
>> I just want to bring up that topic again. There is a rather frequent
>> stream of (absolutely legitimate) questions regarding the PyPi packages
>> not being published.
>>
>> So it seems fair to say that there is obviously a certain demand within
>> the community, which is super great. Now on the other hand we have no
>> noteworthy reactions from that very same community to help with that topic.
>>
>> Let me put it bluntly. This is not your mother's supermarket where stock
>> refills almost like automagically overnight. This is open source. It
>> works as long as there are at least some people spending parts of their
>> valuable time supporting projects. It is about giving & taking.
>>
>> Thrift supports about 20+ target languages. So it is fair to say that
>> supporting packages for all of them (where appropriate) is quite a bit of
>> work.
>>
>> Of course I can only speak for myself, but I personally maintain quite a
>> number of packages after each release. Thanks to the great work of other
>> people (e.g. @JimKing) who spent their time on that topic before me,
>> this became manageable by setting up and documenting a well-defined
>> process to follow which also does not eat too much additional release time.
>>
>> If we can have such a process for PyPi that would be super awesome.
>> Right now this is not the case, unfortunately. This is where you could
>> chime in.
>>
>> See also
>> https://github.com/apache/thrift/pull/2555
>>
>> Happy New Year everybody,
>> JensG
>>
>>
>>


[jira] [Resolved] (THRIFT-5754) Fix PHP 8.1 deprecates passing null to non-nullable internal function parameters

2024-01-18 Thread Jens Geyer (Jira)


[ https://issues.apache.org/jira/browse/THRIFT-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jens Geyer resolved THRIFT-5754.

Fix Version/s: 0.20.0
 Assignee: Pavel Kvach
   Resolution: Fixed

> Fix PHP 8.1 deprecates passing null to non-nullable internal function
> parameters
>
> Key: THRIFT-5754
> URL: https://issues.apache.org/jira/browse/THRIFT-5754
> Project: Thrift
> Issue Type: Bug
> Components: PHP - Library
> Reporter: Pavel Kvach
> Assignee: Pavel Kvach
> Priority: Minor
> Fix For: 0.20.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> PHP 8.1 has deprecated passing null values to non-nullable internal function
> parameters:
> [https://wiki.php.net/rfc/deprecate_null_to_scalar_internal_arg]
> This can lead to deprecation warnings and potential errors in future versions.
> Example of a deprecation warning:
> {code:java}
> PHP Deprecated: strlen(): Passing null to parameter #1 ($string) of type string is deprecated in Thrift/StringFunc/Core.php on line 38
> {code}





Re: [PR] THRIFT-5754: Fix PHP 8.1 deprecates passing null to non-nullable internal function parameters [thrift]

2024-01-18 Thread via GitHub


Jens-G merged PR #2920:
URL: https://github.com/apache/thrift/pull/2920

