Re: PyPi again

2024-02-11 Thread Jens Geyer

Hi,

Did that last week or so.

Have fun,

JensG



On 06.02.2024 at 23:28, Yuxuan Wang wrote:

Hi Jens, can you also add me to the test pypi project:
https://test.pypi.org/project/thrift/? My username is
https://test.pypi.org/user/fishy/

With how pypi works, I will need to test it on test pypi first before doing
it for the real pypi.


Re: PyPi again

2024-02-06 Thread Yuxuan Wang
Hi Jens, can you also add me to the test pypi project:
https://test.pypi.org/project/thrift/? My username is
https://test.pypi.org/user/fishy/

With how pypi works, I will need to test it on test pypi first before doing
it for the real pypi.

On Fri, Jan 19, 2024 at 2:21 PM Jens Geyer  wrote:

> Hi,
>
>  > The image is:
>
> I see. Not sure if I can do this, since I have no access to project
> settings. Maybe INFRA can.
>
> Have fun,
>
> JensG

Re: PyPi again

2024-01-19 Thread Jens Geyer

Hi,

> The image is:

I see. Not sure if I can do this, since I have no access to project 
settings. Maybe INFRA can.


Have fun,

JensG



On 18.01.2024 at 23:58, Yuxuan Wang wrote:

My pypi account is fishy: https://pypi.org/user/fishy/

The image is: https://imgur.com/a/vkehdiF


Re: PyPi again

2024-01-18 Thread Yuxuan Wang
My pypi account is fishy: https://pypi.org/user/fishy/

The image is: https://imgur.com/a/vkehdiF

On Thu, Jan 18, 2024 at 2:49 PM Jens Geyer  wrote:

> Hi,
>
>
> I can't see the picture and I don't have your pypi username. I tried the
> email but that did not work.
>
>
> Have fun,
>
> jensG

Re: PyPi again

2024-01-18 Thread Jens Geyer

Hi,


I can't see the picture and I don't have your pypi username. I tried the 
email but that did not work.



Have fun,

jensG


On 17.01.2024 at 02:11, Yuxuan Wang wrote:
I just logged into my pypi account (I was there to register an 
account, and it turns out I already have one, which I have no memory 
of, and I do not have any projects published there), it seems that 
they actually have an automated way to create the github actions for 
you automatically: https://docs.pypi.org/trusted-publishers/


But I would assume that might require that I have admin access to the 
github repo (not sure yet, as I don't have any other project to test), 
so if you are fine with that (e.g. add me to the PyPi maintainer list, 
I try to use that approach, if it doesn't work, give me admin access 
to the github repo), I'm fine :)


Also, there's a recent pytorch supply chain attack report
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
which will be relevant to us if we choose to use github actions to 
auto publish to pypi, then we probably should follow their suggested 
mitigation 
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>, 
which is to change to "Require approval for all outside collaborators":

image.png
(changing this setting on github also requires admin access, the 
screenshot is taken from a repo I have admin access on)



Re: PyPi again

2024-01-16 Thread Yuxuan Wang
I just logged into my pypi account (I was there to register an account, and
it turns out I already have one, which I have no memory of, and I do not
have any projects published there), it seems that they actually have an
automated way to create the github actions for you automatically:
https://docs.pypi.org/trusted-publishers/

But I would assume that might require that I have admin access to the
github repo (not sure yet, as I don't have any other project to test), so
if you are fine with that (e.g. add me to the PyPi maintainer list, I try
to use that approach, if it doesn't work, give me admin access to the
github repo), I'm fine :)

Also, there's a recent pytorch supply chain attack report
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
which will be relevant to us if we choose to use github actions to auto
publish to pypi, then we probably should follow their suggested mitigation
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>,
which is to change to "Require approval for all outside collaborators":
[image: image.png]
(changing this setting on github also requires admin access, the screenshot
is taken from a repo I have admin access on)

On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer  wrote:

>
> I can probably add you to the PyPi maintainer list. Would that help?
>


Re: PyPi again

2024-01-13 Thread Jens Geyer



I can probably add you to the PyPi maintainer list. Would that help?


On 12.01.2024 at 23:19, Yuxuan Wang wrote:

IMHO there are two issues with the pypi publishing problem: technical and
non-technical.

The non-technical issue is the credential/secret required to publish to
https://pypi.org/project/thrift/. Any of the technical solutions also
depends on that being available.

Once we have it (in github actions secret store, for example), then
technical solution is not the hard part. As I mentioned in the jira thread
Reddit already has a github action pipeline to publish to pypi on git tag
we can upstream to thrift project to be used (so whenever a maintainer
pushes a tag to github, github actions auto publishes to pypi). Or others
can contribute other solutions.



Re: PyPi again

2024-01-12 Thread Yuxuan Wang
IMHO there are two issues with the pypi publishing problem: technical and
non-technical.

The non-technical issue is the credential/secret required to publish to
https://pypi.org/project/thrift/. Any of the technical solutions also
depends on that being available.

Once we have it (in github actions secret store, for example), then
technical solution is not the hard part. As I mentioned in the jira thread
Reddit already has a github action pipeline to publish to pypi on git tag
we can upstream to thrift project to be used (so whenever a maintainer
pushes a tag to github, github actions auto publishes to pypi). Or others
can contribute other solutions.

On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer  wrote:

> @all,
>
> I just want to bring up that topic again. There is a rather frequent
> stream of (absolutely legitimate) questions regarding the PyPi packages
> not being published.
>
> So it seems fair to say that there is obviously a certain demand within
> the community, which is super great. Now on the other hand we have no
> noteworthy reactions from that very same community to help with that topic.
>
> Let me put it bluntly. This is not your mother's supermarket where stock
> refills almost like automagically overnight. This is open source. It
> works as long as there are at least some people spending parts of their
> valuable time supporting projects. It is about giving & taking.
>
> Thrift supports about 20+ target languages. So it is fair to say that
> supporting packages for all of them (where appropriate) is quite a bit of
> work.
>
> Of course I can only speak for myself, but I personally maintain quite a
> number of packages after each release. Thanks to the great work of other
> people (e.g. @JimKing) who spent their time on that topic before me,
> this became manageable by setting up and documenting a well-defined
> process to follow which also does not eat too much additional release time.
>
> If we can have such a process for PyPi that would be super awesome.
> Right now this is not the case, unfortunately. This is where you could
> chime in.
>
> See also
> https://github.com/apache/thrift/pull/2555
>
> Happy New Year everybody,
> JensG
>
>
>


PyPi again

2024-01-06 Thread Jens Geyer

@all,

I just want to bring up that topic again. There is a rather frequent 
stream of (absolutely legitimate) questions regarding the PyPi packages 
not being published.


So it seems fair to say that there is obviously a certain demand within 
the community, which is super great. Now on the other hand we have no 
noteworthy reactions from that very same community to help with that topic.


Let me put it bluntly. This is not your mother's supermarket where stock 
refills almost like automagically overnight. This is open source. It 
works as long as there are at least some people spending parts of their 
valuable time supporting projects. It is about giving & taking.


Thrift supports about 20+ target languages. So it is fair to say that 
supporting packages for all of them (where appropriate) is quite a bit of 
work.


Of course I can only speak for myself, but I personally maintain quite a 
number of packages after each release. Thanks to the great work of other 
people (e.g. @JimKing) who spent their time on that topic before me, 
this became manageable by setting up and documenting a well-defined 
process to follow which also does not eat too much additional release time.


If we can have such a process for PyPi that would be super awesome. 
Right now this is not the case, unfortunately. This is where you could 
chime in.


See also https://github.com/apache/thrift/pull/2555

Happy New Year everybody,
JensG



