Re: Impending silent breakage of pip / macOS likely to cause severe confusion

2018-04-09 Thread Chris Jerdonek
On Mon, Apr 9, 2018 at 11:28 AM Donald Stufft  wrote:

>
> > On Apr 9, 2018, at 1:33 PM, Erik Bray  wrote:
> >
> > On Fri, Apr 6, 2018 at 11:36 PM, Chris Jerdonek
> >  wrote:
> >>
> >> On Fri, Apr 6, 2018 at 11:21 AM Donald Stufft  wrote:
> >>>
> >>> No, there’s not. pip makes HTTP requests and there’s no place for extra
> >>> metadata attached to those requests except in the HTTP status code (which
> >>> as you noted, pip swallows by default because historically we didn’t know
> >>> if the URL was expected to work or not). The simple API wasn’t really
> >>> designed, it evolved out of the primordial ooze.
> >>
> >>
> >> Would it make sense to open an issue for future versions of pip to allow
> >> such metadata to be attached and displayed, or is there already such an
> >> issue?
> >
> > I was going to suggest the same--while it would be too late to help in
> > this particular case (and as Donald already convincingly explained,
> > it probably won't have a huge impact), this case, others I can think of
> > before it, and others that are likely to occur in the future would
> > have been well-served by the ability of PyPI administrators to set
> > arbitrary broadcast messages (a MotD if you will) to send along with
> > HTTP responses from PyPI (they could even go in an HTTP header,
> > perhaps).
> >
> > Best,
> > E
>
> It wouldn’t be a pip issue, it’d be a distutils-sig discussion and an
> amendment to PEP 503. The primary concern would be that as we move to a
> world where metadata is signed to prevent a malicious repository from
> attacking users, that this is another avenue that an attacker could take to
> trick end users (imagine a MOTD that says to pip install malicious-package).
>
> That doesn’t make it impossible, or a bad idea though! It just is
> something to consider, and the best avenue is distutils-sig.


I raised this suggestion on distutils-sig, FYI:
https://mail.python.org/pipermail/distutils-sig/2018-April/032141.html

—Chris


Re: Impending silent breakage of pip / macOS likely to cause severe confusion

2018-04-09 Thread Donald Stufft

> On Apr 6, 2018, at 5:06 PM, Matthew Brett  wrote:
> 
> OK - so our hard deadline is the planned Warehouse launch on April
> 16th?   I would argue for going straight to the SSL error at that
> point, and turning off the current brownout and April 8th TLS 1.0 shut
> down.  Is that possible?   Do other Macolytes agree with me that that
> would be less confusing?  In the mean time, would it be possible to
> put out some big announcements following up on the originals, giving
> the SSL error, to seed Google searches, and prime memories?


We’ve modified the plan so that instead of the brownout style error lasting 
until the 16th, we’re going to switch to the hard failure tomorrow with the 
100% brownout failure happening today (and yesterday). We didn’t want to move 
straight to the hard failure in case we needed to roll it back for some reason. 
We don’t want to wait until the 16th to avoid lumping too many changes onto a 
single day (so we don’t have to deal with potential fallout of too many 
different changes on a single day).

Hopefully that works for everyone.