Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-12 Thread Wes Turner
A MOTD from anything but a signed package would be user-supplied input. Shell/terminal command ^[escaping would be necessary: https://stackoverflow.com/questions/6534556/how-to-remove-and-all-of-the-escape-sequences-in-a-file-using-linux-shell-sc Impact: Are additional requests and variable

Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-12 Thread Justin Cappos
FYI: TUF has a custom metadata field in the targets metadata that could potentially be used for this purpose. We can explain more if there is interest... On Thu, Apr 12, 2018 at 8:26 AM, Nathaniel Smith wrote: > From the TUF perspective it seems like it would be straightforward

Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-12 Thread Nathaniel Smith
From the TUF perspective it seems like it would be straightforward to make the MOTD a "package", whose "contents" is the MOTD text, and that we "upgrade" it to get the latest text before displaying anything. -n On Thu, Apr 12, 2018, 05:10 Nick Coghlan wrote: > On 12 April

Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-12 Thread Dwight Hubbard via Distutils-SIG
It would be useful as well for sites that run their own mirror infrastructure to be able to add motd text to the pip commands as well. However I don't think this should be implemented via the response code from a call to some rest api. It would be trivial to proxy the call to a different

Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-12 Thread Nick Coghlan
On 12 April 2018 at 07:01, Paul Moore wrote: > HTTPS access to the index server is fundamental to pip - if an > attacker can subvert that, they don't need to mess with a message, > they can just replace packages. So I don't see that displaying a > message that's available

Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-11 Thread Paul Moore
On 11 April 2018 at 20:16, Dwight Hubbard wrote: > It would be useful as well for sites that run their own mirror > infrastructure to be able to add motd text to the pip commands as well. > > However I don't think this should be implemented via the response code from > a call

Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-11 Thread Nathaniel Smith
On Mon, Apr 9, 2018, 16:47 Chris Jerdonek wrote: > > One of Donald's comments in response to the idea (and that occurred to > me too and that I agree with) is that providing a way to communicate > messages to users introduces another possible avenue for attack. I

Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-11 Thread Paul Moore
On 11 April 2018 at 17:32, Pradyun Gedam wrote: > On Tue, 10 Apr 2018, 05:17 Chris Jerdonek, wrote: [...] >> A possible middle-ground could be to hard-code a message in pip. Pip >> could display the message in certain circumstances, e.g. in response

Re: [Distutils] providing a way for pip to communicate extra info to users

2018-04-11 Thread Pradyun Gedam
On Tue, 10 Apr 2018, 05:17 Chris Jerdonek, wrote: > On the pypa-dev Google group, a suggestion was raised about giving pip > a way to communicate extra info to users. > > This was during a thread started by Matthew Brett about pip breaking > for certain macOS users due

[Distutils] providing a way for pip to communicate extra info to users

2018-04-09 Thread Chris Jerdonek
On the pypa-dev Google group, a suggestion was raised about giving pip a way to communicate extra info to users. This was during a thread started by Matthew Brett about pip breaking for certain macOS users due to certain TLS changes ("Impending silent breakage of pip / macOS likely to cause