Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2015-01-01 Thread Donald Stufft
> On Jan 2, 2015, at 1:33 AM, Nick Coghlan wrote: > > On 2 January 2015 at 16:13, Donald Stufft > wrote: > >> On Jan 2, 2015, at 12:57 AM, Nick Coghlan > > wrote: >> >> To raise the cost of a compromise through distributed signing authority,

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2015-01-01 Thread Nick Coghlan
On 2 January 2015 at 16:13, Donald Stufft wrote: > > On Jan 2, 2015, at 12:57 AM, Nick Coghlan wrote: > > To raise the cost of a compromise through distributed signing authority, > we have to solve the trust management problem - getting developer keys out > to end users in a way that doesn't inv

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2015-01-01 Thread Donald Stufft
> On Jan 2, 2015, at 12:57 AM, Nick Coghlan wrote: > > To raise the cost of a compromise through distributed signing authority, we > have to solve the trust management problem - getting developer keys out to > end users in a way that doesn't involve trusting the central PyPI service. > That's

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2015-01-01 Thread Nick Coghlan
On 1 January 2015 at 05:51, Donald Stufft wrote: > > So here is my problem. I’m completely on board with the developer signing > for the distribution files. I think that makes total sense. However I worry > that requiring the developer to sign for what is essentially the > “installer” API (aka ho

Re: [Distutils] Bilingual namespace package conundrum

2015-01-01 Thread Barry Warsaw
On Jan 01, 2015, at 09:14 PM, Donald Stufft wrote: >Why are you puzzled by the notion that something designed to work with a >one mechanism for a particular feature probably does not work with a >newer, different mechanism for a particular feature? My assumption is that >setuptools is ensuring tha

Re: [Distutils] Bilingual namespace package conundrum

2015-01-01 Thread Donald Stufft
> On Jan 1, 2015, at 9:11 PM, Tres Seaver wrote: > > On 01/01/2015 04:57 PM, Donald Stufft wrote: > >> I’m pretty sure the problem with setup.py develop and setup.py install >> is because they are installed as eggs more or less and setuptools

Re: [Distutils] Bilingual namespace package conundrum

2015-01-01 Thread Tres Seaver
On 01/01/2015 04:57 PM, Donald Stufft wrote: > I’m pretty sure the problem with setup.py develop and setup.py install > is because they are installed as eggs more or less and setuptools > probably doesn’t support it. pip install installs it > unpacke

Re: [Distutils] Bilingual namespace package conundrum

2015-01-01 Thread Donald Stufft
> On Jan 1, 2015, at 4:54 PM, Barry Warsaw wrote: > > On Jan 01, 2015, at 03:20 PM, Tres Seaver wrote: > >> That sounds right to me. I never really understood the motivation for >> PEP 420, but if the presence of that file disables it, then it should >> ensure the "old" behavior regardless. >

Re: [Distutils] Bilingual namespace package conundrum

2015-01-01 Thread Barry Warsaw
On Jan 01, 2015, at 03:20 PM, Tres Seaver wrote: >That sounds right to me. I never really understood the motivation for >PEP 420, but if the presence of that file disables it, then it should >ensure the "old" behavior regardless. The motivation is described in the PEP, but briefly, on (many, mos

Re: [Distutils] Bilingual namespace package conundrum

2015-01-01 Thread Tres Seaver
On 01/01/2015 02:19 PM, Barry Warsaw wrote: > Maybe the sys.hexversion guards should be removed so that it acts the > same way in both Python 2 and Python 3. That sounds right to me. I never really understood the motivation for PEP 420, but if the pr

[Distutils] Bilingual namespace package conundrum

2015-01-01 Thread Barry Warsaw
I hope the following makes sense; I've been a little under the weather. ;) Apologies in advance for the long data-dump, but I wanted to provide as complete information as possible. I have ported Mailman 3 to Python 3.4[*]. While working on various development tasks, I noticed something rather str

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2015-01-01 Thread Vladimir Diaz
On Wed, Dec 31, 2014 at 2:51 PM, Donald Stufft wrote: > > On Dec 31, 2014, at 11:08 AM, Vladimir Diaz > wrote: > > > > > > On Wed, Dec 31, 2014 at 2:26 AM, Donald Stufft wrote: > >> >> On Dec 10, 2014, at 10:16 PM, Vladimir Diaz >> wrote: >> >> Hello everyone, >> >> I am a research programmer