devpi-server-4.0: fixing the pip-8.1.2 problem / PEP503 compliance
We've made available critically important releases of the devpi private
packaging
available. If you are not using "devpi" yet then you can may just
or your company is interested to donate to or
attend the largest python testing sprint in history with a particular
focus to pytest or tox, please see
https://www.indiegogo.com/projects/python-testing-sprint-mid-2016/
have fun,
holger krekel, http://merlinux.
This trinity release of devpi, the private packaging and workflow
system, is drop-in compatible to earlier releases and comes with these
improvements:
- support for pip search on the server side which is also configured
when "devpi use" writes to pip configuration files.
- explicit
Thanks to Florian Schulze, Jason R. Coombs and all issue reporters.
For your information, we are now starting work for devpi-server-3.0
which will introduce further speedups, internal code simplifications
and new features (like mirroring from arbitrary pypi-servers).
cheers,
holger krekel
server
We just pushed devpi-{server,web,client,common} release files out to pypi.
Most notably, the private pypi package server allows much faster installs
due to much improved simple-page serving speed. See the changelog
below for a host of other changes and fixes as well as for compatibility
have fun,
holger krekel, merlinux GmbH
2.3.0 (2015-09-10)
--
- switched to semantic versioning. Only major revisions will ever require an
export/import cycle.
- fix issue260: Log identical upload message on level "info"
- Log upload trigger message on leve
the home page for docs and tutorials:
http://doc.devpi.net
have fun,
Holger Krekel and Florian Schulze
contracting: http://merlinux.eu
server-2.2.2
- make replica thread more robust by catching more exceptions
- Remove duplicates in plugin version info
- track timestamps
major parts of the above
work.
have fun,
holger krekel, merlinux GmbH
___
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
I'd appreciate a current packaging specs site which ideally also states
how pypa tools support it, since which version.
holger
On Fri, Apr 17, 2015 at 16:18 -0400, Nick Coghlan wrote:
Daniel's started work on a new revision of the wheel specification,
and it's crystallised a concern for me
Hi all,
Florian Schulze just released several devpi package maintenance updates
to PyPI, see the changelogs below for details. Upgrading is considered
safe and does not require an export/import cycle on the server side.
Note that the devpi metapackage is discontinued, please rather use::
Hi Donald,
On Sat, Nov 29, 2014 at 19:43 -0500, Donald Stufft wrote:
On Nov 13, 2014, at 9:21 PM, Donald Stufft don...@stufft.io wrote:
Starting a new thread with more explicit details at Richard’s request.
Essentially the tl;dr here is that we'll switch to using sha2 (specifically
On Mon, Dec 01, 2014 at 12:45 -0600, Ian Cordasco wrote:
On Mon, Dec 1, 2014 at 12:35 PM, Donald Stufft don...@stufft.io wrote:
On Dec 1, 2014, at 4:25 AM, holger krekel hol...@merlinux.eu wrote:
Hi Donald,
On Sat, Nov 29, 2014 at 19:43 -0500, Donald Stufft wrote:
On Nov 13, 2014
On Mon, Dec 01, 2014 at 15:29 -0600, Ian Cordasco wrote:
On Mon, Dec 1, 2014 at 3:23 PM, holger krekel hol...@merlinux.eu wrote:
On Mon, Dec 01, 2014 at 12:45 -0600, Ian Cordasco wrote:
On Mon, Dec 1, 2014 at 12:35 PM, Donald Stufft don...@stufft.io wrote:
On Dec 1, 2014, at 4:25 AM
On Sat, Nov 15, 2014 at 10:45 +, Paul Moore wrote:
On 7 November 2014 15:46, Paul Moore p.f.mo...@gmail.com wrote:
To that end, I'd like to get an idea of what sort of access to Windows
a typical Unix developer would have.
Thanks to all who contributed to this thread.
Based on the
Hi Donald,
thanks for the detail and the pre-announcement!
I am all for the change but indeed need to check how devpi code is affected
(pretty sure it is) and how to accommodate the change. Will see to do so
next week and get back to this thread.
best,
holger
On Thu, Nov 13, 2014 at 21:21
On Tue, Nov 11, 2014 at 15:13 -0500, Donald Stufft wrote:
On Nov 11, 2014, at 7:22 AM, holger krekel hol...@merlinux.eu wrote:
On Tue, Nov 11, 2014 at 07:10 -0500, Donald Stufft wrote:
Hi Donald, all,
i noticed that for several packages daily download numbers are only a
tenth or so
Hi Donald, all,
i noticed that for several packages daily download numbers are only a
tenth or so of what they used to be. This occurs since about a couple
of days or a week ago. Any known reason?
cheers,
holger
On Mon, Oct 27, 2014 at 16:45 -0400, Daniel Holth wrote:
I liked it because I agree with the TOML author that the YAML spec
gives rage; YAML seems to be defined as a bunch of things that the end
user is supposed to think are intuitive, but try understanding and
correctly parsing the full set
On Tue, Oct 28, 2014 at 07:43 -0700, Chris Jerdonek wrote:
On Tue, Oct 28, 2014 at 2:59 AM, holger krekel hol...@merlinux.eu wrote:
On Mon, Oct 27, 2014 at 16:45 -0400, Daniel Holth wrote:
I liked it because I agree with the TOML author that the YAML spec
gives rage; YAML seems
in devpi-web.
Have fun,
holger krekel, merlinux GmbH
devpi-server-2.1.2
--
- fix issue172: avoid traceback when user/index/name/version is accessed.
- fix issue170: ensure that we parse the prospective pip-6.0 user agent
string properly so that using the username/index url
Hi all,
the caching and private pypi server, devpi-server-2.1.1, is out and
fixes some bugs, see changelog below.
It is fully backward compatible, no export/import cycle required.
For more info, see http://doc.devpi.net.
best,
holger krekel, merlinux GmbH
2.1.1
- fix
On Tue, Oct 14, 2014 at 13:38 +1100, Richard Jones wrote:
Thanks for raising squatting as a concern. I have added what I think is a
reasonable method of handling squatting (or otherwise unused name
registrations):
Hi Carl, Paul, all,
On Sat, Oct 11, 2014 at 18:48 -0600, Carl Meyer wrote:
Hi Holger,
On 10/11/2014 12:31 AM, holger krekel wrote:
I understand that as a fairly generic security statement. But I was trying
to
rather ask about use cases and scenarios where precisely the
--extra-index
On Sun, Oct 12, 2014 at 10:10 +1000, Nick Coghlan wrote:
On 12 October 2014 09:49, Donald Stufft don...@stufft.io wrote:
On Oct 11, 2014, at 7:48 PM, Nick Coghlan ncogh...@gmail.com wrote:
On 12 October 2014 04:29, Donald Stufft don...@stufft.io wrote:
I plan to put the external
On Mon, Oct 13, 2014 at 12:00 +0100, Paul Moore wrote:
On 13 October 2014 11:40, holger krekel hol...@merlinux.eu wrote:
and I just noted that the very Python guide on packaging is advertising
using plain --extra-index-url for private packages as well:
http://docs.python-guide.org/en
Hi Donald,
many thanks for answering. A few follow up questions inline.
On Thu, Oct 09, 2014 at 13:40 -0400, Donald Stufft wrote:
On Oct 9, 2014, at 12:41 PM, holger krekel hol...@merlinux.eu wrote:
Numbers of users affected
-
Do i see it right
Hi Donald, Nick,
to change the somewhat unsuccessful way how we were conversing about PEP470
so far i'd like to kindly ask you a few questions related to the PEP.
This is to check if i am maybe barking up the wrong tree and also to
enlarge the common ground/understanding that we are discussing
On Tue, Oct 07, 2014 at 08:00 -0400, Donald Stufft wrote:
On Oct 7, 2014, at 6:09 AM, holger krekel hol...@merlinux.eu wrote:
I had thought of similar things, and my reasons for not using an a
href and instead using a meta tag and for removing the old URLs
instead of just making
On Wed, Oct 08, 2014 at 03:47 -0400, Donald Stufft wrote:
On Oct 8, 2014, at 3:17 AM, holger krekel hol...@merlinux.eu wrote:
Worse security problems loom with current multi-index ops like
the --extra-index-url option which is advertised prominently in PEP470.
You recommend to use
On Wed, Oct 08, 2014 at 05:44 -0400, Donald Stufft wrote:
On Oct 8, 2014, at 4:44 AM, holger krekel hol...@merlinux.eu wrote:
On Wed, Oct 08, 2014 at 03:47 -0400, Donald Stufft wrote:
On Oct 8, 2014, at 3:17 AM, holger krekel hol...@merlinux.eu wrote:
Worse security problems loom
On Wed, Oct 08, 2014 at 06:24 -0400, Donald Stufft wrote:
On Oct 8, 2014, at 6:06 AM, holger krekel hol...@merlinux.eu wrote:
On Wed, Oct 08, 2014 at 05:44 -0400, Donald Stufft wrote:
I think raising the issue is FUDish because it has nothing to do with using
multi repository support
On Wed, Oct 08, 2014 at 20:27 +1000, Nick Coghlan wrote:
On 8 October 2014 19:44, Donald Stufft don...@stufft.io wrote:
On Oct 8, 2014, at 4:44 AM, holger krekel hol...@merlinux.eu wrote:
I am sorry if raising the issue of private/public compromises sounds
like FUD to you. From my
On Wed, Oct 08, 2014 at 21:22 +1000, Nick Coghlan wrote:
On 8 October 2014 20:57, holger krekel hol...@merlinux.eu wrote:
On Wed, Oct 08, 2014 at 20:27 +1000, Nick Coghlan wrote:
Well, for installing NAME from pypi you need to trust that the people
who registered and maintain NAME
On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote:
On 8 October 2014 12:40, holger krekel hol...@merlinux.eu wrote:
I am concerned about the fact that public PyPI links are merged in even
for my private packages residing on the extra index.
Bluntly, that's irrelevant.
I disagree
On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
On 8 October 2014 21:40, holger krekel hol...@merlinux.eu wrote:
No, i am not concerned about the extra index supplying whatever packages.
After all, the users specifies the option and should trust that index.
I am concerned about
On Wed, Oct 08, 2014 at 08:47 -0400, Donald Stufft wrote:
On Oct 8, 2014, at 8:43 AM, holger krekel hol...@merlinux.eu wrote:
On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
On 8 October 2014 21:40, holger krekel hol...@merlinux.eu wrote:
No, i am not concerned about
On Fri, Oct 03, 2014 at 15:08 -0400, Donald Stufft wrote:
On Oct 3, 2014, at 2:28 PM, holger krekel hol...@merlinux.eu wrote:
On Sat, Oct 04, 2014 at 00:24 +1000, Nick Coghlan wrote:
On 3 October 2014 22:02, Donald Stufft don...@stufft.io wrote:
As far as simplification goes, I don't
On Tue, Oct 07, 2014 at 11:40 +0100, Paul Moore wrote:
On 7 October 2014 11:09, holger krekel hol...@merlinux.eu wrote:
Well, the main benefit of PEP438 was that it removed random crawling for
some 90% of the packages on the package index, speeding up and making
installs more reliable
Hi Donald,
i could just only briefly glimpse over the new draft. I am still not in
favor of the PEP because it forces backward-incompatible changes and work
on various sides for not enough gain. Particularly end users will see
previously working commands now fail and if they run a new enough
On Sat, Oct 04, 2014 at 00:24 +1000, Nick Coghlan wrote:
On 3 October 2014 22:02, Donald Stufft don...@stufft.io wrote:
As far as simplification goes, I don't believe it simplifies the
implementation
of PyPI at all, it just shuffles things around and creates work on my part
in order to
On Mon, Sep 29, 2014 at 10:46 +0200, M.-A. Lemburg wrote:
On 28.09.2014 23:59, Donald Stufft wrote:
On Sep 28, 2014, at 5:36 PM, M.-A. Lemburg m...@egenix.com wrote:
On 28.09.2014 21:31, Donald Stufft wrote:
Hello All!
I'd like to discuss the idea of
(Fixed quoting indent + some own comments)
On Mon, Sep 29, 2014 at 11:04 +, Donald Stufft wrote:
On Sep 29, 2014, at 6:01 AM, Nick Coghlan ncogh...@gmail.com wrote:
On 29 Sep 2014 19:50, Nick Coghlan ncogh...@gmail.com wrote:
On
features.
And special thanks go to the two companies who funded major parts
of the above work.
have fun,
Holger Krekel, merlinux GmbH
devpi-server-2.1.0 (compared to 2.0.6)
- make replication more precise: if a file cannot be replicated,
fail with an error
On Mon, Sep 22, 2014 at 14:16 +, Antoine Pitrou wrote:
Donald Stufft donald at stufft.io writes:
PyPI inherently has complete control over who owns what name on PyPI.
Political authority does not derive from technical control, though.
valid point IMO.
As Toshio said that are
On Wed, Sep 17, 2014 at 20:59 -0400, Donald Stufft wrote:
Right now pip (and originally setuptools, which does it as well) will do this
sort of dance when looking for things on the PyPI simple index. This isn't the
actual code though:
thing_to_install = foo==1.0
page = None
On Thu, Sep 18, 2014 at 06:17 -0400, Donald Stufft wrote:
On Sep 18, 2014, at 3:48 AM, Nick Coghlan ncogh...@gmail.com wrote:
What about an approach where pip first tries the canonical name, and if
that fails, tries the exact given name?
Seems to me like that should handle legacy
On Tue, Sep 16, 2014 at 08:01 -0400, Donald Stufft wrote:
On Sep 16, 2014, at 7:57 AM, Paul Moore p.f.mo...@gmail.com wrote:
One thing that might be worth clarifying somewhere/somehow (not
particularly in the specs, though) is where is the best place to find
the canonical implementations
On Mon, Sep 15, 2014 at 11:05 +0800, Eduardo Schettino wrote:
Hi Donald, all,
I sometimes have doubts that the download numbers as shown by
pypi.python.org are correct. Here is one case where i am pretty sure
something is wrong:
https://pypi.python.org/pypi/pytes
That's a
Hi Donald, all,
I sometimes have doubts that the download numbers as shown by
pypi.python.org are correct. Here is one case where i am pretty sure
something is wrong:
https://pypi.python.org/pypi/pytes
That's a project a friend uploaded after he heard me saying at my devpi
talk at EP2014 that
and many others for
very useful issue contributions.
best,
holger krekel, merlinux GmbH
devpi-2.0.2 (metapackage)
-
devpi-server-2.0.5 (compared to 2.0.2):
- fix issue145: restrict devpi_common dependency so that a future
pip install 'devpi-server2.0' has
Hi all,
On Fri, Aug 22, 2014 at 22:34 +1000, Nick Coghlan wrote:
I just pushed Donald's final round of edits in response to the
feedback on the last PEP 440 thread, and as such I'm happy to announce
that I am accepting PEP 440 as the recommended approach to identifying
versions and specifying
On Mon, Sep 01, 2014 at 19:07 -0400, Donald Stufft wrote:
On Sep 1, 2014, at 4:53 PM, holger krekel hol...@merlinux.eu wrote:
On Thu, Aug 28, 2014 at 14:58 -0400, Donald Stufft wrote:
Right now the “canonical” page for a particular project on PyPI is
whatever the
author happened
system are at http://doc.devpi.net
best and have fun,
Holger Krekel, merlinux GmbH
devpi-server 2.0.4
- fix issue139: adapt to a recent change in pypi which now serves under
URLs using normalized project names instead of the real registered
name Thanks Timothy Allen
On Thu, Aug 28, 2014 at 14:58 -0400, Donald Stufft wrote:
Right now the “canonical” page for a particular project on PyPI is whatever
the
author happened to name their package (e.g. Django). This requires PyPI to
have
some smarts so that it can redirect things like /simple/django/ to
Florian Schulze and me just released devpi-server-2.0.3 fixing a regression
from the 1.X series preventing a plain python setup.py register -r NAME
to succeed.
have fun,
holger
On Wed, Aug 06, 2014 at 21:41 +, holger krekel wrote:
The new devpi releases (devpi-server-2.0.2, devpi-web
-server-state
many thanks to Florian Schulze who again helped a lot with this release.
have fun,
holger krekel
devpi-2.0.1 (metapackage)
-
devpi-server-2.0.2:
- fix issue120: link to upgrade section from main index page.
- preserve http reason string
Hi again,
a small follow up release of devpi-server is out to fix setup.py
register/upload commands with basic auth.
best,
holger
devpi-server-2.0.1
- fix regression which prevented the basic authentication for the
setuptools upload/register commands to fail. Thanks
many thanks to Florian Schulze who implemented the new ``devpi-web``
package and helped with many other improvements.
have fun,
Holger Krekel, merlinux GmbH
2.0.0
--
devpi-server:
- major revamp of the internal core of devpi to support
replication (both master and server code
Hi Richard,
On Wed, Jul 02, 2014 at 21:25 -0400, Donald Stufft wrote:
On Jul 2, 2014, at 9:07 PM, Richard Jones r1chardj0...@gmail.com wrote:
Hi folks,
I'd like to get interested folks together at EuroPython to get up to date,
talk through current issues and generally catch up on all
On Sat, Jun 07, 2014 at 09:46 +1000, Nick Coghlan wrote:
On 7 Jun 2014 06:08, Donald Stufft don...@stufft.io wrote:
On Jun 6, 2014, at 9:41 AM, holger krekel hol...@merlinux.eu wrote:
Once you care for ACLs for indexes and releases you have a number
of issues to consider, it's
Hi Donald,
1. you published numbers where 4K or 300 discounting PIL would be
affected by PEP470. You also say that the main reason for deprecating
PEP438 is that it confused users. Did it confuse other users than those few?
2. I don't see a valid precise reasoning why PEP438, just agreed
On Fri, Jun 06, 2014 at 07:55 -0400, Donald Stufft wrote:
On Jun 6, 2014, at 4:13 AM, holger krekel hol...@merlinux.eu wrote:
Hi Donald,
1. you published numbers where 4K or 300 discounting PIL would be
affected by PEP470. You also say that the main reason for deprecating
On Sat, May 17, 2014 at 20:20 -0400, Donald Stufft wrote:
On May 17, 2014, at 1:51 PM, holger krekel hol...@merlinux.eu wrote:
On Sat, May 17, 2014 at 11:32 -0400, Donald Stufft wrote:
More conclusions!
In that same time period PyPI received a total of ~16463209 hits to a page
On Sat, May 17, 2014 at 11:32 -0400, Donald Stufft wrote:
More conclusions!
In that same time period PyPI received a total of ~16463209 hits to a page on
the simple installer API. This means that in total these projects represent
a combined 0.56% of the simple installer traffic on PyPI.
Hi Donald, Nick, Richard, all,
finally got around to read and think about the issues discussed in PEP470.
First of all thanks for going through the effort of trying to
advance the overall situation with a focus on making it easier
for our wonderful and beloved end users :)
However, I think
On Fri, May 16, 2014 at 07:20 -0400, Donald Stufft wrote:
On May 16, 2014, at 6:16 AM, holger krekel hol...@merlinux.eu wrote:
Hi Donald, Nick, Richard, all,
finally got around to read and think about the issues discussed in PEP470.
First of all thanks for going through the effort
On Fri, May 16, 2014 at 08:20 -0400, Donald Stufft wrote:
On May 16, 2014, at 8:06 AM, holger krekel hol...@merlinux.eu wrote:
On Fri, May 16, 2014 at 07:20 -0400, Donald Stufft wrote:
On May 16, 2014, at 6:16 AM, holger krekel hol...@merlinux.eu wrote:
Hi Donald, Nick, Richard, all
On Fri, May 16, 2014 at 13:38 -0500, Carl Meyer wrote:
On 05/16/2014 12:10 PM, Donald Stufft wrote:
2. Add a deprecation path for --allow-unverified; can describe it in
general terms as the PEP 438 installer flag allowing installation of
unverified external packages if you don't want to be
On Mon, Nov 25, 2013 at 08:48 +0200, Marius Gedminas wrote:
On Sat, Nov 23, 2013 at 08:59:35AM -0500, Donald Stufft wrote:
Can you try with 1.5rc1?
This was trickier than I thought, because pip appears to be incapable of
upgrading itself on Windows:
$ git clone
server and for using the
devpi workflow tool (optional), see:
http://doc.devpi.net
If you want to upgrade an existing installation, you should
be able to execute::
$ pip install -U devpi
$ devpi-server --upgrade-state [--serverdir YOUR_SERVER_DIR]
Have fun,
holger krekel
On Thu, Oct 31, 2013 at 16:52 -0700, Noah Kantrowitz wrote:
On Oct 31, 2013, at 4:32 AM, anatoly techtonik techto...@gmail.com wrote:
On Wed, Oct 30, 2013 at 11:11 PM, Noah Kantrowitz n...@coderanger.net
wrote:
Please stop submitting pull requests. Development on the existing codebase
`` is deprecated now
in favor of using pip/easy_install directly (see also the --set-cfg
and --always-set-cfg options).
For more information please refer to the extensive documentation at:
http://doc.devpi.net/
or check the CHANGELOG below.
have fun,
holger krekel
1.2
Hi Nick, all,
PEP426 and its prior related peps see project-specific metadata as part
of distribution metadata. Main examples are project urls such as
home page, repository, issue tracker or contact points such as
mailing lists, maintainer emails etc. However, at any point in time
there is only
On Sun, Oct 27, 2013 at 14:30 +1000, Nick Coghlan wrote:
On 27 October 2013 14:13, Donald Stufft don...@stufft.io wrote:
On Oct 26, 2013, at 11:59 PM, Donald Stufft don...@stufft.io wrote:
Ok here’s the real list: https://gist.github.com/dstufft/7177500
Quick note that this list is a
On Fri, Oct 25, 2013 at 13:49 -0400, Donald Stufft wrote:
Mostly new packages will get roughly 2-3k of downloads from what appears to be
mirroring infrastructure. I’m hesitant to mess with the traffic numbers at
all because
I don’t want them to be inaccurate *and* artificial vs just
On Tue, Oct 08, 2013 at 10:44 -0400, Donald Stufft wrote:
Hrm, I'm assuming these require a file listing at
/packages/source/D/ too.
Of course these files should probably be using the simple API and
not the packages url directly :/
Indeed. Why not watch a project's simple index instead?
On Mon, Sep 30, 2013 at 10:55 -0700, Marcus Smith wrote:
so, take a case like so pytest-xdist-dev.tar.gz (or any sdist with -
in the project name, and a version starting with a string)
I think it's like so:
- pkg_resources.Distribution.from_location will treat xdist-dev as the
version.
-
(but not indefinitely).
have fun,
holger krekel
tox 1.6.1
---
- fix issue119: {envsitepackagesdir} is now correctly computed and has
a better test to prevent regression.
- fix issue116: make 1.6 introduced behaviour of changing to a
per-env HOME directory during install
On Mon, Aug 12, 2013 at 20:55 +, Vinay Sajip wrote:
Donald Stufft donald at stufft.io writes:
Hopefully this all will solve this problem, as it is right now if you use
setuptools entry points then Wheels erroneously pretend to be platform
agnostic.
That's not unreasonable, as long
On Mon, Aug 05, 2013 at 23:31 -0700, Noah Kantrowitz wrote:
On Aug 5, 2013, at 11:11 PM, Christian Theune c...@gocept.com wrote:
Two more things:
why is the CDN not suffering from the security problems you describe for
the mirrors?
a) Fastly seems to be the one owning the
On Mon, Aug 05, 2013 at 23:49 -0700, Noah Kantrowitz wrote:
On Aug 5, 2013, at 11:09 PM, Christian Theune c...@gocept.com wrote:
(...)
Between now and the first DNS change, I would absolutely recommend any
current public mirrors to redirect users to their new domain name if
they intend to
On Tue, Aug 06, 2013 at 08:36 +0200, Lennart Regebro wrote:
Well, now we have one breakage point more which keeps annoying me.
We do? How?
Christian, Donald and me invested considerable debugging time, repeatably,
to accommodate Fastly/CDN issues. It required multiple rounds of changes
on
On Tue, Aug 06, 2013 at 17:19 +1000, Nick Coghlan wrote:
On 6 August 2013 17:13, Noah Kantrowitz n...@coderanger.net wrote:
Also, CPAN, like Linux distro trees, can be mirrored with rsync rather
than needing a custom client. It's much easier to maintain backwards
compatibility when the only
Hi Trishank,
On Wed, Jul 31, 2013 at 10:02 -0400, Trishank Karthik Kuppusamy wrote:
Hello Holger,
On 07/31/2013 08:13 AM, holger krekel wrote:
thanks for the high level overview. Do you have a current web page with
more detailed technical info with respect to PyPI/TUF?
Good question! I
Hi Trishank,
thanks for the high level overview. Do you have a current web page with
more detailed technical info with respect to PyPI/TUF?
best,
holger
On Wed, Jul 31, 2013 at 07:27 -0400, Trishank Karthik Kuppusamy wrote:
Hello Nick and the PyPI community,
This is a brief status report
On Wed, Jul 31, 2013 at 00:15 -0400, Donald Stufft wrote:
So, in the spirit of not treating distutils-sig like an adversary, here's
the main thing I've been working on lately with regards to PyPI. None
of this is set in stone but this is the general gist of the plan for moving
things to be
Hi Nick, Donald, all,
On Sun, Jul 28, 2013 at 22:23 +1000, Nick Coghlan wrote:
On 28 July 2013 20:55, Donald Stufft don...@stufft.io wrote:
Ok so given that:
- There's a readably available solution for Python 2.4+ with the
likelihood
being that most users are either using
On Mon, Jul 29, 2013 at 10:30 -0400, Donald Stufft wrote:
On Jul 29, 2013, at 7:58 AM, Nick Coghlan ncogh...@gmail.com wrote:
Actually, i strongly object further backward-incompatible changes.
Please (generally) find a way to introduce improvements without breaking
existing
On Wed, Jul 17, 2013 at 21:46 -0400, Donald Stufft wrote:
As I've mentioned before an online key (as is required by PyPI) means
that if someone compromises PyPI they compromise the key. It seems to
me that TUF is really designed to handle the case of the Linux
distribution (or similar) where
On Tue, Jul 16, 2013 at 13:57 -0400, Donald Stufft wrote:
On Jul 16, 2013, at 5:19 AM, holger krekel hol...@merlinux.eu wrote:
I am considering implementing gpg-signing and verification of release files
for devpi. Rather than requiring package authors to sign their release
files, i am
On Wed, Jul 17, 2013 at 07:48 +, Vinay Sajip wrote:
holger krekel holger at merlinux.eu writes:
about existing schemes/efforts. I guess most Linux distros do it already
so if nothing comes up here PyPI-specific (what is the status of TUF, btw?)
i am going to look into the distro's
I just released new versions of the devpi system, which provides a
self-updating pypi caching and index server and a ``devpi`` command
line tool to help with common upload/test/release activities.
devpi-0.9.3 comes with some bug fixes and two new sub commands to view
and remove release files
I am considering implementing gpg-signing and verification of release files
for devpi. Rather than requiring package authors to sign their release
files, i am pondering a scheme where anyone can vet for a particular
published release file by publishing a signature about it. This aims
to help
On Tue, Jul 16, 2013 at 12:21 +0200, Jannis Leidel wrote:
On 16.07.2013, at 11:19, holger krekel hol...@merlinux.eu wrote:
Any thoughts or pointers to existing efforts within the (Python)
packaging ecologies?
Erik Rose just released peep the other day [1], which admittedly doesn't use
On Thu, Jun 27, 2013 at 17:18 -0400, Donald Stufft wrote:
Download counts have (kind of) been re-enabled on PyPI.
The new download counts work as so:
* At the bottom of a detail page there is rolling tallies for the last
day, the last week, and the last month[1]
* The API
On Sat, Jun 29, 2013 at 12:51 +, Alex Clark wrote:
holger krekel holger at merlinux.eu writes:
Yesterday i downloaded a package myself three times alone from three
different locations and the download number i see now is 2. And i am
pretty sure i wasn't the only one doing a download
tox-1.5.0 is a new release of the virtualenv-managing generic Python
test runner. It comes with a few fixes and improvements (see below),
and is now released under the MIT license -- prior versions used the GPL2.
The main change is that tox now by default creates virtualenv's with
setuptools,
devpi, the caching pypi server and its optional upload/test/install helper
tool, just got a devpi-0.9.2 release. See the full updated docs here:
http://doc.devpi.net
Apart from some streamlining, there is a new upload option::
devpi upload --from-dir path/to/dir [--only-latest]
which
I still think the testing part of the interchange format
between software publication and integration tools is underspecified.
The dependencies alone will not be sufficient to allow the running
of tests in many cases. Or am i missing something?
best and thanks for your good work,
holger
On
Hi all,
devpi-0.9.1 is out which fixes bugs and introduces support for pushing a
tested release candidate from a private index to pypi. See
http://doc.devpi.net
on the ease of doing devpi upload, test and push commands
as well as general information on the devpi-server and devpi tools.