[issue13936] RFE: change bool(datetime.time(0, 0, 0)) to evaluate as True

2014-03-05 Thread Donald Stufft
Donald Stufft added the comment: I am not even sure what that is supposed to be doing... You're trying to count midnight as the previous day instead of the actual day? That seems extremely contrived. -- ___ Python tracker rep...@bugs.python.org

[issue13936] RFE: change bool(datetime.time(0, 0, 0)) to evaluate as True

2014-03-05 Thread Donald Stufft
Donald Stufft added the comment: If Midnight is considered the last moment of the day then it evaluating to false makes even less sense since the rationale given is time is seconds since midnight. However if you're considering it the last moment then time would be seconds since 12:01. So

[issue13936] RFE: change bool(datetime.time(0, 0, 0)) to evaluate as True

2014-03-05 Thread Donald Stufft
Donald Stufft added the comment: In fact I would argue that ``if dt.time() != datetime.time(0):`` *would* be an improvement to that code because it is more accurately describing what you actually intend in the same way that ``if time_or_none is None`` would be an improvement to that code

[issue20721] 3.4 cherry-pick: 005d0678f93c Update pip to 1.5.4

2014-02-21 Thread Donald Stufft
New submission from Donald Stufft: Please cherry-pick 005d0678f93c into 3.4.0. It upgrades pip to 1.5.4, the only change is a fix for an errant deprecation warning which was displaying all the time instead of only when you used the deprecated feature. Sorry for making you need to cherry-pick

[issue20713] 3.4 cherry-pick: d57df3f72715 Upgrade pip to 1.5.3

2014-02-20 Thread Donald Stufft
New submission from Donald Stufft: Please pull in the upgrade from pip 1.5.2 to 1.5.3 into CPython 3.4.0, the revision is d57df3f72715 -- assignee: larry messages: 211787 nosy: dstufft, larry, ncoghlan priority: release blocker severity: normal status: open title: 3.4 cherry-pick

[issue20570] Bundle pip 1.5.3 in Python 3.4rc2

2014-02-20 Thread Donald Stufft
Donald Stufft added the comment: I created issue20713 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue20570 ___ ___ Python-bugs-list mailing list

[issue20053] venv and ensurepip are affected by default pip config file

2014-02-20 Thread Donald Stufft
Donald Stufft added the comment: pip 1.5.3 is released and I've requested larry cherry-pick it into 3.4.0 with issue20713

[issue20570] Bundle pip 1.5.3 in Python 3.4rc2

2014-02-19 Thread Donald Stufft
Donald Stufft added the comment: Just a FYI I'm going to be cutting this release sometime in the next 6-12 hours and I'll commit it to the CPython repository and make the cherry-pick request.

[issue20570] Bundle pip 1.5.3 in Python 3.4rc2

2014-02-16 Thread Donald Stufft
Donald Stufft added the comment: Yea, I'll get it done. Was planning on doing it this weekend but I had a medical issue. I'll see about getting all the things get done asap.

[issue20570] Bundle pip 1.5.3 in Python 3.4rc2

2014-02-16 Thread Donald Stufft
Donald Stufft added the comment: I put out the email that I'll be rolling 1.5.3 tues/weds of next week (so 18th or 19th). Hopefully that's a reasonable time schedule.

[issue20570] Bundle pip 0.15.3 in Python 3.4rc2

2014-02-08 Thread Donald Stufft
Donald Stufft added the comment: Just to be clear, it's 1.5.3 not 0.15.3.

[issue20053] venv and ensurepip are affected by default pip config file

2014-02-07 Thread Donald Stufft
Donald Stufft added the comment: I'm not sure I grasp what the problem is

[issue20053] venv and ensurepip are affected by default pip config file

2014-02-07 Thread Donald Stufft
Donald Stufft added the comment: The proper fix is an isolated mode, but we could special case devnull in pip for 1.5.3 and make a proper isolated solution in 1.6.

[issue20053] venv and ensurepip are affected by default pip config file

2014-02-07 Thread Donald Stufft
Donald Stufft added the comment: I'd remove it in 1.6 with a proper isolated mode. I'm purely thinking of minimal changes to make it easier to get it into 3.4.

[issue20417] ensurepip should not be installed with --without-ensurepip

2014-01-29 Thread Donald Stufft
Donald Stufft added the comment: Yes I am aware of that. However ensurepip is also required to maintain functionality of the venv module in 3.4. See the guidelines in http://www.python.org/dev/peps/pep-0453/#recommendations-for-downstream-distributors which explicitly mentions the fact

[issue20417] ensurepip should not be installed with --without-ensurepip

2014-01-28 Thread Donald Stufft
Donald Stufft added the comment: I don't see any reason not to install ensurepip in this situation. That flag controls whether or not ``python -m ensurepip`` will be executed during the install, but ensurepip itself will still be installed. It is not an optional module

[issue20322] Upgrade ensurepip's pip and setuptools

2014-01-25 Thread Donald Stufft
Changes by Donald Stufft don...@stufft.io: -- resolution: - fixed status: open - closed

[issue20322] Upgrade ensurepip's pip and setuptools

2014-01-20 Thread Donald Stufft
New submission from Donald Stufft: Pip 1.5.1 and setuptools 2.1 are out which both fix some bugs that are likely to affect some people. They both should be fairly innocuous as far as issues go so there shouldn't be any harm in upgrading in 3.4. -- assignee: dstufft messages: 208610

[issue20207] Disable SSLv2 in Python 2.x

2014-01-09 Thread Donald Stufft
Donald Stufft added the comment: +1 -- nosy: +dstufft

[issue20107] Revert PEP 453 integration

2014-01-02 Thread Donald Stufft
Donald Stufft added the comment: It's basically ready for a release. We had a last minute bug with distlib that was fixed by distlib 0.6 released on 12-31. I was giving the rc that had that bug fix a day or two for any other issues to surface before making the final release

[issue20107] Revert PEP 453 integration

2014-01-02 Thread Donald Stufft
Donald Stufft added the comment: I'll have it released today, there are no known issues with the last rc of pip. I just didn't want to release the fix to the distlib issue without a day or two of an RC (which we've now had) and the folks who reported the issue verifying it fixed for them

[issue20107] Revert PEP 453 integration

2014-01-02 Thread Donald Stufft
Donald Stufft added the comment: It's not released yet, I'll have it (future tense) release today. It's roughly 6am here and I'm getting ready to get my daughter ready for school. I just happened to check my email before starting that. Once I get her on the bus I'll do the release

[issue20107] Revert PEP 453 integration

2014-01-02 Thread Donald Stufft
Donald Stufft added the comment: pip 1.5 is released and CPython has been updated. -- assignee: - dstufft resolution: - fixed status: open - closed

[issue19693] make altinstall make install behaviour differs from make install

2013-12-10 Thread Donald Stufft
Donald Stufft added the comment: Making this happen is a non trivial change to pip. Is this *required* for PEP453? The problem is the pip dependency is already being seen as fulfilled so it's not reinstalling pip again with the new options picked. Likely the actual answer is a command in pip

[issue19728] PEP 453: enable pip by default in the Windows binary installers

2013-12-10 Thread Donald Stufft
Donald Stufft added the comment: Is there anything left in this ticket to be done?

[issue19766] test_venv: test_with_pip() failed on AMD64 Fedora without threads 3.x buildbot: urllib3 dependency requires the threading module

2013-12-10 Thread Donald Stufft
Donald Stufft added the comment: Vinay, I've verified that the current default branch of distlib works without threading when vendored in pip and these tests pass.

[issue19744] test_venv fails if SSL/TLS is not available

2013-12-10 Thread Donald Stufft
Donald Stufft added the comment: Can this be solved in ensurepip for now? I've been banging away at this but it's going to require some refactoring in pip to make it reasonably work. The move to distlib and requests made this harder to do than the old PR against pip could handle

[issue19766] test_venv: test_with_pip() failed on AMD64 Fedora without threads 3.x buildbot: urllib3 dependency requires the threading module

2013-12-07 Thread Donald Stufft
Donald Stufft added the comment: Requests was released and pip updated it, I can release a new pip but it appears that perhaps distlib needs fixed before the without threads case is taken care of?

[issue19766] test_venv: test_with_pip() failed on AMD64 Fedora without threads 3.x buildbot: urllib3 dependency requires the threading module

2013-12-03 Thread Donald Stufft
Donald Stufft added the comment: The urllib3 in requests VCS was updated, I just need to bother Kenneth to make a new release of requests or update pip to an unreleased requests.

[issue19509] No SSL match_hostname() in ftp, imap, nntp, pop, smtp modules

2013-11-26 Thread Donald Stufft
Donald Stufft added the comment: I agree with Christian, mail.stufft.io should not be able to masquerade as smtp.google.com and being able to do so is a pretty big security hole. -- nosy: +dstufft

[issue19509] No SSL match_hostname() in ftp, imap, nntp, pop, smtp modules

2013-11-26 Thread Donald Stufft
Donald Stufft added the comment: Probably the higher level libraries don't even realize it's not happening, it's similar to the issue of SSL validation for HTTPS connections where a vast swathe of people didn't even realize that their certificates weren't being validated

[issue19509] No SSL match_hostname() in ftp, imap, nntp, pop, smtp modules

2013-11-26 Thread Donald Stufft
Donald Stufft added the comment: I assumed we were talking about 3.4 and didn't even notice that the issues had 3.3 and 3.2 attached to it.

[issue19744] ensurepip should refuse to install pip if SSL/TLS is not available

2013-11-25 Thread Donald Stufft
Donald Stufft added the comment: It probably can. I just need to figure out how to test it to make sure the PR that supposedly fixes it fixes it, and then figure out how to ensure it still works into the future.

[issue19744] ensurepip should refuse to install pip if SSL/TLS is not available

2013-11-24 Thread Donald Stufft
Donald Stufft added the comment: There's a ticket in pip to make pip work even when ssl isn't available. You wouldn't be able to install from PyPI but you would be able to install from local archives. -- nosy: +dstufft

[issue19728] PEP 453: enable pip by default in the binary installers

2013-11-23 Thread Donald Stufft
Donald Stufft added the comment: Well the PEP does state that the option will be checked by default, but I'm not arguing that we shouldn't implement uninstall if Windows users expect it, I was just trying to figure out if we needed to update the PEP. So unilaterally removing on uninstall

[issue19553] PEP 453: make install and make altinstall integration

2013-11-22 Thread Donald Stufft
Donald Stufft added the comment: I'm honestly not sure what to do about #8 on your list. It's sort of a really weird edge case as far as pip is concerned right now because the support for the versioned commands and differing them is sort of a hack job while we wait for proper support from

[issue19552] PEP 453: venv module and pyvenv integration

2013-11-22 Thread Donald Stufft
Donald Stufft added the comment: That's similar to how virtualenv does it, so it's probably pretty reasonable.

[issue19728] PEP 453: enable pip by default in the binary installers

2013-11-22 Thread Donald Stufft
Donald Stufft added the comment: I don't know much about installers, can they execute code as part of their uninstall process?

[issue19728] PEP 453: enable pip by default in the binary installers

2013-11-22 Thread Donald Stufft
Donald Stufft added the comment: Also does the PEP need updated? It specifically called out this problem and said that it will leave pip behind?

[issue19553] PEP 453: make install and make altinstall integration

2013-11-16 Thread Donald Stufft
Donald Stufft added the comment: 1. This is bound to be an issue that stems from the fact pip is doing the install instead of distutils. It probably makes sense to use the group id of the parent directory I think? 2. This is a side effect of Wheel being a whole new way to install, previously

[issue19406] PEP 453: add the ensurepip module

2013-11-10 Thread Donald Stufft
Donald Stufft added the comment: * Updated setuptools * Updated pip to the latest development snapshot * Installs default to installing easy_install-X.Y, pipX, and pipX.Y * Added --altinstall which only installs easy_install-X.Y and pipX.Y * Added --default-install which installs easy_install

[issue19406] PEP 453: add the ensurepip module

2013-11-04 Thread Donald Stufft
Donald Stufft added the comment: Tweaking the Wheels won't work. The scripts are generated at install time. We need to fix it in pip, I was waiting on answers to http://bugs.python.org/issue19406#msg201954 before coming up with a solution and making a PR request as that will influence

[issue19406] PEP 453: add the ensurepip module

2013-11-01 Thread Donald Stufft
Donald Stufft added the comment: The .pya thing is an experimental extension type that setuptools added that just got missed during the new features to generate scripts during wheel install vs wheel build time. I opened a bug to remove that and it'll be gone before 1.5 is released. I can fix

[issue19406] PEP 453: add the ensurepip module

2013-11-01 Thread Donald Stufft
Donald Stufft added the comment: Oh one thing, I can't move anything out of _run_pip because the part you're referring to is actually modifying the sys.path. If I move it then I can't prevent the tests from having side effects.

[issue19406] PEP 453: add the ensurepip module

2013-11-01 Thread Donald Stufft
Donald Stufft added the comment: Oh nevermind, I understand now. I misread the statement. I can do that.

[issue19406] PEP 453: add the ensurepip module

2013-11-01 Thread Donald Stufft
Donald Stufft added the comment: Attached is the second combined2 patch with Ned's feedback incorporated. For anyone testing this the patch does not contain the binary files which can be found at https://github.com/dstufft/cpython/blob/ensurepip/Lib/ensurepip/_bundled/. -- Added file

[issue19406] PEP 453: add the ensurepip module

2013-10-31 Thread Donald Stufft
Donald Stufft added the comment: For what it's worth I can get --root ready to go shortly, I have a patch against pip for it (https://github.com/pypa/pip/pull/1272) I just need to write some tests to ensure it keeps working. Let me go off and do that right now

[issue19406] PEP 453: add the ensurepip module

2013-10-31 Thread Donald Stufft
Donald Stufft added the comment: I also need to update the bundled Wheel to one that was created with Python 3.4 instead of 2.7 (which matters until the fix for https://github.com/pypa/pip/issues/1067 which is https://github.com/pypa/pip/pull/1251 lands). That fixes the issue where the wheel

[issue19406] PEP 453: add the ensurepip module

2013-10-31 Thread Donald Stufft
Donald Stufft added the comment: Ok, merged in the --root fix to pip and created a Wheel using Python 3.4 (which I installed the Wheel distribution using an ensurepip installed pip ;) ). Updated on github and a patch added, all outstanding issues that affect this patch exist on the pip side

[issue19406] PEP 453: add the ensurepip module

2013-10-31 Thread Donald Stufft
Changes by Donald Stufft don...@stufft.io: Added file: http://bugs.python.org/file32446/combined.diff

[issue19406] PEP 453: add the ensurepip module

2013-10-31 Thread Donald Stufft
Donald Stufft added the comment: There you go Nick.

[issue19407] PEP 453: update the Installing Python Modules documentation

2013-10-28 Thread Donald Stufft
Changes by Donald Stufft don...@stufft.io: -- nosy: +dstufft

[issue19406] PEP 453: add the ensurepip module

2013-10-27 Thread Donald Stufft
Donald Stufft added the comment: You cannot use --user in a virtual environment (well a venv, no idea about a pyvenv - but it should get a similar error message IMO if it doesn't). If you use --root and --user together it will install to the --root location, using the user layout, so instead

[issue19406] PEP 453: add the ensurepip module

2013-10-26 Thread Donald Stufft
Donald Stufft added the comment: Attached is an initial rough draft of the ensurepip module. There are some issues still, but they largely need resolved in pip. 1. Setuptools' use of dependency_links causes pip to still reach out to the internet. 2. Need to remove the --pre flag from the pip

[issue19406] PEP 453: add the ensurepip module

2013-10-26 Thread Donald Stufft
Donald Stufft added the comment: Added a second draft that handles the case when the stdlib isn't directly browseable (e.g. it's zipped up or something). -- Added file: http://bugs.python.org/file32373/draft2.diff

[issue19409] pkgutil isn't importable from a file or the REPL

2013-10-26 Thread Donald Stufft
New submission from Donald Stufft: Currently pkgutil cannot be imported unless you first import importlib.machinery. This means ./python.exe -m pkgutil works, but doing ``import pkgutil`` in the REPL does not. -- messages: 201355 nosy: dstufft, larry priority: release blocker severity

[issue19406] PEP 453: add the ensurepip module

2013-10-26 Thread Donald Stufft
Donald Stufft added the comment: Added a third draft, this one adds the script to check if pip needs updated. I've removed the first two drafts to make it simpler. -- Added file: http://bugs.python.org/file32374/draft3.diff

[issue19406] PEP 453: add the ensurepip module

2013-10-26 Thread Donald Stufft
Changes by Donald Stufft don...@stufft.io: Removed file: http://bugs.python.org/file32371/draft.diff

[issue19406] PEP 453: add the ensurepip module

2013-10-26 Thread Donald Stufft
Changes by Donald Stufft don...@stufft.io: Removed file: http://bugs.python.org/file32373/draft2.diff

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Donald Stufft
New submission from Donald Stufft: The Python tutorial tells, and even recommends, new users that they can use the pickle module to serialize arbitrary objects. However it does not provide any warning about the insecurity of unpickling arbitrary data. The text even goes so far as to mention

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Donald Stufft
Donald Stufft added the comment: The section to me just seems to be about how to handle more than just strings, it mentions numbers, lists, dictionaries, and class instances. Of those it mentions, only the class instances are not able to handled out of the box by JSON. However like I said

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Donald Stufft
Donald Stufft added the comment: Furthermore the tutorial claims it's the standard way of persisting data which in my experience it's far from that due to the security concerns. I've seen very little actual use of pickle in the wild (and when it was used it was often used by people who

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Donald Stufft
Donald Stufft added the comment: A description of the pickle module itself does not equate to the purpose of the section. Given that this is a tutorial and previous section taught how to read and write from files I would suggest that the purpose of the section was to give them the next step

[issue18709] SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238)

2013-08-25 Thread Donald Stufft
Changes by Donald Stufft don...@stufft.io: -- nosy: +dstufft

[issue13397] Option for XMLRPC clients to automatically transform Fault exceptions into standard exceptions

2013-08-25 Thread Donald Stufft
Donald Stufft added the comment: -1 This essentially gives the ability for an XMLRPC server to crash any python code that interfaces with them unless you catch _every_ single exception including ones like SystemExit, KeyboardInterrupt, SyntaxError, StopIteration etc. An XMLRPC server

[issue13397] Option for XMLRPC clients to automatically transform Fault exceptions into standard exceptions

2013-08-25 Thread Donald Stufft
Donald Stufft added the comment: Well you could possibly whitelist some exceptions although I still think that's ultimately a bad idea because it means to prevent the remote server (or someone in the middle of the connection) from being able to crash your program with an arbitrary exception

[issue18826] reversed() requires a sequence - Could work on any iterator?

2013-08-24 Thread Donald Stufft
New submission from Donald Stufft: I noticed today that the builtin reversed() requires an explicit sequence and won't work with an iterator instead it throws a TypeError like: reversed(x for x in [1, 2, 3]) TypeError: argument to reversed() must be a sequence It would be really great

[issue18826] reversed() requires a sequence - Could work on any iterator?

2013-08-24 Thread Donald Stufft
Donald Stufft added the comment: As an additional note this works how I would expect it to work if you're using sorted() instead of reversed() which I think is a stronger point in the favor of making reversed() work this way as well. sorted(x for x in [1, 2, 3]) [1, 2, 3

[issue18756] os.urandom() fails under high load

2013-08-24 Thread Donald Stufft
Donald Stufft added the comment: Lazily opening urandom and holding it open sounds like a sane thing to do to me +1

[issue18582] PBKDF2 support

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue17134] Use Windows' certificate store for CA certs

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue9146] Segfault in hashlib in OpenSSL FIPS mode using non-FIPS-compliant hashes, if ssl imported before hashlib

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue18233] SSLSocket.getpeercertchain()

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue14518] Add bcrypt $2a$ to crypt.py

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue18454] distutils crashes when uploading to PyPI having only the username (no pw) defined

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue8813] SSLContext doesn't support loading a CRL

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue13655] Python SSL stack doesn't have a default CA Store

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue16113] Add SHA-3 (Keccak) support

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft don...@stufft.io: -- nosy: +dstufft

[issue8106] SSL session management

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft don...@stufft.io: -- nosy: +dstufft

[issue18756] os.urandom() fails under high load

2013-08-17 Thread Donald Stufft
Donald Stufft added the comment: haypo: It's been suggested by a number of security professionals that using the OpenSSL random (or really any random) instead of urandom is likely to be a smarter idea. The likelihood that urandom is broken is far less than any other source of random. This can

[issue18756] os.urandom() fails under high load

2013-08-16 Thread Donald Stufft
Donald Stufft added the comment: Just to be explicit, ``open(/dev/urandom)`` only works on POSIX platforms while ``os.urandom`` should work on any supported platform that has an OS level source of randomness. So advocating *for* simply using ``open()`` is probably a bad idea unless

[issue16190] Misleading warning in random module docs

2013-08-16 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue18756] os.urandom() fails under high load

2013-08-16 Thread Donald Stufft
Donald Stufft added the comment: Looking at random.SystemRandom it appears it would suffer from the same FD exhaustion problem. So as of right now afaik none of the sources of cryptographically secure random in the python stdlib offer a way to open a persistent FD. The primary question on my

[issue18617] TLS and Intermediate Certificates

2013-08-01 Thread Donald Stufft
New submission from Donald Stufft: Currently the Python SSL module requires the full chain, including all intermediaries, to be served in order to validate a TLS connection. This isn't *wrong* however a number of folks have had issues trying to setup a custom PyPI index in pip due to missing

[issue16487] Allow ssl certificates to be specified from memory rather than files.

2013-07-31 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread Donald Stufft
Donald Stufft added the comment: I would +1 backporting this, but it's not massively required since it only protects against passive attacks. It would however make things a little nicer.

[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread Donald Stufft
Donald Stufft added the comment: Uploading always hits the backend servers and thus has the same logging as before Merely switching to HTTPS only provides protections against passive attacks. You need verification to protect against active attacks (which are simple and easy to do as well

[issue14621] Hash function is not randomized properly

2013-06-01 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue17947] Code, test, and doc review for PEP-0435 Enum

2013-05-17 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue17947] Code, test, and doc review for PEP-0435 Enum

2013-05-17 Thread Donald Stufft
Donald Stufft added the comment: Small nitpick, weakref is imported but not used in the latest patch.

[issue17538] Document XML Vulnerabilties

2013-03-26 Thread Donald Stufft
Donald Stufft added the comment: FWIW I put the warning on all the sax pages just because there's no way to know which page a user will go to if they are coming in via google.

[issue17538] Document XML Vulnerabilties

2013-03-25 Thread Donald Stufft
Donald Stufft added the comment: Update looks fine to me, I'm not the best at docs I just wanted to get at least a jumping off point.

[issue17538] Document XML Vulnerabilties

2013-03-24 Thread Donald Stufft
New submission from Donald Stufft: Here's a documentation patch (Made against the 2.7 branch) that adds warning to the various xml modules to warn about the insecurity and points towards defusedxml/defusedexpat. -- components: Library (Lib), XML files: xmldocs.diff keywords: patch

[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Donald Stufft
Donald Stufft added the comment: Using HTTPS without a Certificate prevents passive attacks but not active attacks. It puts things in a _better_ situation but not the ideal situation. -- nosy: +dstufft

[issue17121] SSH upload for distutils

2013-02-04 Thread Donald Stufft
Donald Stufft added the comment: +1 for back porting SSL validation even if it's a private to distutils backport. pypissh requires a SSH Binary which isn't all that great on Windows where SSH is not typically installed by default. -- nosy: +dstufft

[issue17121] SSH upload for distutils

2013-02-04 Thread Donald Stufft
Donald Stufft added the comment: Well Infrastructure *should* get a proper cert anyways else MITM is trivial via the web interface anyways.

[issue17121] SSH upload for distutils

2013-02-04 Thread Donald Stufft
Donald Stufft added the comment: CACert is not *proper* irregardless of what that projects goals are. It is not trusted by default therefore it does not provide the same level of security in the browser (Very few people will bother to look at the difference between a CACert and a self signed
