Donald Stufft added the comment:
(A)RC4 and ChaCha are just two stream ciphers that let you encrypt some data;
they work by essentially producing a pseudo-random stream of data in a
deterministic manner based off of a key, and then that is XOR'd with the data
you want to encrypt. arc4random
Donald Stufft added the comment:
Oh yea, and (A)RC4 is broken and shouldn't be used for anything anymore; ChaCha
is much better and is pretty great.
--
___
Python tracker <rep...@bugs.python.org>
Donald Stufft added the comment:
Yea ``pip.main(args)`` won't change. I'm not sure how well parts of pip will
handle being in a persistent-ish process, but the API itself will work.
Donald Stufft added the comment:
There is a "site" config file which works for all installs on that particular
machine; there is not a per-Python configuration file, though I don't see why
we couldn't add one.
Donald Stufft added the comment:
Yea, we'd be willing to fix things where we can. I think the biggest problem
you'll run into is probably going to be pkg_resources and its module-scoped
cache of the sys.path and what items are installed
Donald Stufft added the comment:
pip doesn't really support being called as an API; there have been requests for it
before but nobody has yet come forward to specify what parts in particular they
need. The practical effect of this is that there's no backwards compatibility
promises for anything
Changes by Donald Stufft <don...@stufft.io>:
--
nosy: +steve.dower
<http://bugs.python.org/issue23551>
Donald Stufft added the comment:
This looks more like lib2to3 doesn't support running from a .zip archive.
Donald Stufft added the comment:
I'm all for deprecating asyncore/asynchat but should deprecating them wait
until asyncio is no longer provisional?
--
nosy: +dstufft
Donald Stufft added the comment:
For what it's worth, the El Capitan Betas apparently don't ship with OpenSSL
headers anymore, though they do still ship with the dylibs.
http://bugs.python.org/issue24646
Donald Stufft added the comment:
We should probably pass ``-s`` to the ensurepip call.
Adding 2.7 here as well because I think this will probably affect more than
just the Makefile, probably the Windows installers and OSX installers too.
--
versions: +Python 2.7
Donald Stufft added the comment:
Yea, I already upgraded pip. I did forget that we'll want to add
--disable-pip-version-check to the pip invocation inside of ensurepip.
http://bugs.python.org/issue24267
for some percentage of
projects as well as have bugs within the system itself. As always, if you find
a bug please feel free to open an issue up on the pip issue tracker at
https://github.com/pypa/pip/issues.
---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
Donald Stufft added the comment:
Hey,
This is actually a message that comes from a third party component, pip in this
case. I've opened up https://github.com/pypa/pip/issues/2773 with the pip
project and suggest that further discussion/tracking happen there. It will be
picked up by Python
Donald Stufft added the comment:
I think it's worthwhile to maintain the ability to easily backport patches from
3.x to 2.7, especially given the security sensitive nature of the ssl module.
Donald Stufft added the comment:
Perhaps you can point me to some use cases where the triple
platform tag is really useful.
If I understand correctly (and ABI isn't my strong suit), it would be useful
in the sense that you could utilize it to create a sort of fat wheel that
included
Donald Stufft added the comment:
PyPI should already handle it fine, and Warehouse certainly does.
--
nosy: +dstufft
http://bugs.python.org/issue16108
Donald Stufft added the comment:
Whatever you do, you're still going to force all your main users to
download things they don't need, so I don't see the argument of
optimizing downloads or caches.
pip caches downloads by default, many systems are starting to utilize that
cache in order
Donald Stufft added the comment:
Well, it's even more wasteful if you have to download 100MB wheels
with all the different platforms when the dedicated wheel would just
need 1.5MB.
I think it's going to vary greatly based on how many platforms you're
attempting to support and how big your
Donald Stufft added the comment:
I think 1.0.2 is the only version of OpenSSL that has the ability to short
circuit the chain validation which is something that makes it easier for
libraries like requests to remove the weak 1024 bit roots from their SSL
certificate store.
It's also needed
Donald Stufft added the comment:
I wonder if it's this?
https://github.com/python/cpython/commit/453f86c6977bab18fe4a9c58a4155253375adc8e#diff-ff7dba04c5ad252aa440598d6c88067a
Donald Stufft added the comment:
I don't consider monkey patching a proper way to configure a Python
installation.
The point is that TLS validation on/off isn't conceptually a Python-level
configuration option; that's going to be a per-application configuration
option. The monkeypatching
Donald Stufft added the comment:
On its own I think this switch is a bad idea because it's too big of a hammer.
Someone shouldn't accidentally disable TLS verification in pip for instance
because they wanted to disable TLS verification for some random tool that only
hit internal TLS
Donald Stufft added the comment:
Now, I knew how to fix this, but the solution was not
an obvious one. I had to use truss to figure out where OpenSSL
was looking for certificates and then added the Mozilla cert
bundle from our egenix-pyopenssl package to make things work
again.
You also
Donald Stufft added the comment:
No, I want to be able to easily disable the newly added
checks in 2.7.9+ to get systems such as these to behave the
same as with 2.7.8, since without this option, people
using these systems are going to be forced to stick with
buggy 2.7.8 systems.
Why
Donald Stufft added the comment:
I'd really rather not add this to Python itself. If downstream wants to patch
their Pythons to do it that is their prerogative. There's some legacy at play
here of course, however I don't think that Python upstream is the right place
to deal with that.
One
Donald Stufft added the comment:
Also adding Berker Peksag because they've touched this module recently :)
--
nosy: +berker.peksag
http://bugs.python.org/issue23801
Donald Stufft added the comment:
Added R David Murray to the nosy list because this is kinda similar to the
email stuff and there doesn't seem to be anyone better to look at this patch
that I can find...
--
nosy: +r.david.murray
Donald Stufft added the comment:
@Benjamin
The reason I didn't do that to begin with was that the code currently checks if the
first line is a bytes object or not in order to be able to raise an error if
it's returning str instead of bytes. I didn't want to redo that check on every
iteration, so
Changes by Donald Stufft don...@stufft.io:
--
stage: - resolved
http://bugs.python.org/issue23801
Donald Stufft added the comment:
Thanks everyone for taking a look at this!
--
stage: resolved -
http://bugs.python.org/issue23801
New submission from Donald Stufft:
While working on PyPI 2.0 (which is currently running Python 3) I discovered
that ``setup.py upload`` was causing an exception. After tracing things I
determined that the reason for this is that Python 3 fails to handle leading
whitespace in a multipart body
Donald Stufft added the comment:
Added a patch that fixes this issue by reading lines until we find the line
that is our expected boundary marker.
--
keywords: +patch
Added file: http://bugs.python.org/file38722/cgi-read-until-boundary.diff
Donald Stufft added the comment:
To be clear, I have no opinion on your specific proposal and I don't know if
the difference between cryptographically secure and not cryptographically
secure matters for it. I just wanted to be clear that with SipHash an attacker
should *not* be able to choose
Donald Stufft added the comment:
I'm not sure what you mean by Siphash isn't cryptographically secure. One of
the key points of Siphash is that it *is* cryptographically secure. It has a
smaller space than your typical hash function (MD5, SHA1, SHA2, etc) which
means that collisions
Changes by Donald Stufft don...@stufft.io:
--
nosy: +dstufft
http://bugs.python.org/issue23593
Donald Stufft added the comment:
It was merged to the 2.7 branch, so it'll be released as part of 2.7.10.
http://bugs.python.org/issue23476
Changes by Donald Stufft don...@stufft.io:
--
keywords: +needs review
resolution: not a bug -
stage: resolved - patch review
status: closed - open
http://bugs.python.org/issue23476
Donald Stufft added the comment:
There actually *is* an API that can be set that will cause OpenSSL to use the
shortest trust path it can, however it's only available in OpenSSL 1.0.2+ which
means it'll solve it for a handful of people but not the bulk of people
Donald Stufft added the comment:
I'm unlikely to have the time or motivation to do this anytime soon (just to be
clear). I would be able to advise anyone who does feel like doing it the best
ways to interact with pip itself though.
Donald Stufft added the comment:
I don't know if this should be part of IDLE or not, but I've long wondered if
we should make a GUI frontend for pip. To be clear, I'm not against this being
in IDLE either, but just saying I've thought about making a pip-gui project in
the past, I just haven't
Donald Stufft added the comment:
This is a pip problem and should be filed against the pip issue tracker at
https://github.com/pypa/pip/issues.
http://bugs.python.org/issue23240
Donald Stufft added the comment:
I just noticed this issue. I think all that really needs done here is changing
the venv module to use subprocess.check_call instead of subprocess.check_output
when calling ensurepip.
Donald Stufft added the comment:
I do not know what setuptools plans on with regards to distlib sorry.
http://bugs.python.org/issue23121
Donald Stufft added the comment:
+1, this sounds completely reasonable to do to me.
http://bugs.python.org/issue23143
Donald Stufft added the comment:
If distlib 0.2.0 fixes this, then it should be fixed in pip 6+ when installing
from Wheels. If the same problem exists in setuptools then it'll need to get
fixed in setuptools (or pip will need to start writing its own console scripts
when installing from
file any issues with either https://github.com/pypa/pip/issues
or https://github.com/pypa/virtualenv/issues.
Donald Stufft added the comment:
This should be fixed now as of https://hg.python.org/cpython/rev/651e1862dbed,
https://hg.python.org/cpython/rev/651e1862dbed, and
https://hg.python.org/cpython/rev/9f60d024e586.
--
resolution: - fixed
status: open - closed
Donald Stufft added the comment:
I'm not sure how to get a link to that, can you link it and I can see if I
think it's a permanent error or not?
http://bugs.python.org/issue22669
Donald Stufft added the comment:
BTW: Having a way to change the SSL options globally would be useful
for Python 3.x as well, since OpenSSL often adds new options and
it's not unlikely we'll see an OP_NO_TLSv1 option soon, given its
age and similarity to SSLv3...
New submission from Donald Stufft:
Various browsers[1][2] are dropping support for wild card certificates which
are anything but a single * alone in the left most position. The other style
wildcards were deprecated previously and they should not appear in any public
certificate
http://d.stufft.io/image/0z1841112o0C is a hard question to answer, since
most code I write is both.
Donald Stufft added the comment:
I agree completely. This is something that should generally be discouraged
altogether. See:
http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
--
nosy: +dstufft
Donald Stufft added the comment:
I tested this patch on Python 3.5 compiled on CentOS 5.11 which does not have
SNI enabled. The end result is that you can use server_hostname even when SNI
isn't there to enable the SSL certificate checks. Of course the check will fail
if the host your
Donald Stufft added the comment:
Added docs.
--
Added file:
http://bugs.python.org/file37258/check-hostname-no-sni-with-docs.patch
http://bugs.python.org/issue22921
Donald Stufft added the comment:
A new patch that achieves the same thing in a simpler way at Benjamin's
suggestion.
--
Added file:
http://bugs.python.org/file37259/check-hostname-no-sni-with-docs-2.patch
Donald Stufft added the comment:
Uploaded a third patch, this is the same technique as in the -2 patch, except
it fixes a missed spot in Lib/ssl.py where I needed a better error message.
Additionally this goes through and unskips all of the tests that were marked as
depending on HAS_SNI when
Donald Stufft added the comment:
Added a patch for Python 2.7
--
Added file:
http://bugs.python.org/file37262/check-hostname-no-sni-with-docs-py27.patch
http://bugs.python.org/issue22921
Donald Stufft added the comment:
Right, they did that because Debian has disabled SSLv3 in OpenSSL in Jessie.
http://bugs.python.org/issue22638
Donald Stufft added the comment:
Yea see: http://sources.debian.net/src/openssl/1.0.2~beta3-1/debian/rules/#L29
The configure options they are running with are: no-idea no-mdc2 no-rc5 no-zlib
enable-tlsext no-ssl2 no-ssl3 no-ssl3-method enable-unit-test
New submission from Donald Stufft:
The SSLContext().wrap_socket() method allows you to pass in a server_hostname
option which is used for two purposes: it is used as the server name for SNI,
and it is used to verify the server name of the certificate.
However currently
Donald Stufft added the comment:
I've attached a patch which I believe updates the 2.x docs with what 3.x has. I
ran ``make html`` and the only errors I got were in relation to pyporting which
I don't believe has anything to do with this ticket.
If someone can sanity check this for me I can
Donald Stufft added the comment:
Is this ticket able to be closed now or is there more to do?
http://bugs.python.org/issue22850
Donald Stufft added the comment:
Note: I removed the references to pyvenv in these docs because 2.7 doesn't have
that.
http://bugs.python.org/issue22827
Donald Stufft added the comment:
Updated the docs patch to address Nick's comments.
--
Added file: http://bugs.python.org/file37236/pep-477-docs-2.patch
http://bugs.python.org/issue22827
Changes by Donald Stufft don...@stufft.io:
--
resolution: - fixed
status: open - closed
http://bugs.python.org/issue22827
Donald Stufft added the comment:
Assigning this to myself, it'll get fixed when pip 6.0 is released and I
upgrade ensurepip to it.
--
assignee: vinay.sajip - dstufft
http://bugs.python.org/issue22669
Donald Stufft added the comment:
So here's a thought:
pip does have a CLI flag --force-reinstall which will uninstall and then
reinstall whatever is being installed. If we modified things so that ensurepip
supported this flag (or always used it with --upgrade) then it would fix this
issue
Donald Stufft added the comment:
I've updated the patch with Nick's comments, except for pulling in the latest
versions of the documentation.
--
Added file: http://bugs.python.org/file37175/pep-477-3.patch
Donald Stufft added the comment:
Merged in https://hg.python.org/cpython/rev/592a5414fabd, I forgot to mention
the issue number.
I'm going to leave this open for the docs changes, however the OSX installer
and Windows installer changes should be able to be made now
Donald Stufft added the comment:
I don't know anything about msi or this script so I can't offer any help there,
but thanks!
http://bugs.python.org/issue22850
New submission from Donald Stufft:
As specified in PEP 477, this backports PEP 453 (ensurepip) to the Python 2.7
branch. Key differences from PEP 453 are:
* It is not run by default in the Makefile
* There is no venv module, so downstream can remove it (though are asked to
patch
Donald Stufft added the comment:
Closing this in favor of http://bugs.python.org/issue22827
--
resolution: - duplicate
status: open - closed
http://bugs.python.org/issue22828
Changes by Donald Stufft don...@stufft.io:
--
nosy: +steve.dower
http://bugs.python.org/issue22827
Donald Stufft added the comment:
Second patch just fixes the docs to specify the correct behavior for 2.7 and it
fixes ensurepip.bootstrap() to match the default 2.7 behavior when executing
python -m ensurepip.
--
Added file: http://bugs.python.org/file37155/pep-477-2.patch
Donald Stufft added the comment:
The backport is taken from Python 3.4 so it's the same license as everything
else.
http://bugs.python.org/issue22827
Donald Stufft added the comment:
IOW it's literally Lib/unittest/mock.py from the 3.x series.
http://bugs.python.org/issue22827
Donald Stufft added the comment:
It is configured using salt, see
https://github.com/python/psf-salt/blob/master/salt/pythontest/init.sls.
A separate domain just makes it easier to do whatever we need with it without
needing to worry about getting confused between live sites and test sites
Donald Stufft added the comment:
This looks OK to me.
I'm not a Windows person; are there changes in pip that would make sense to make
it work without this patch?
--
nosy: +Marcus.Smith, pmoore
Donald Stufft added the comment:
The development version of pip switches things over to using the Python logging
framework instead of a homegrown one which more or less relies on print().
Probably we could detect if we don't have a stdout and just not output
anything? People can pass
Donald Stufft added the comment:
It hasn't been released yet, test_venv could be temp disabled if ctypes isn't
available though.
http://bugs.python.org/issue22669
Donald Stufft added the comment:
More or less. You could argue whether it's a defect or not but it
unconditionally imports ctypes and apparently that is an optional module (I had
no idea it was personally, and I can't find any documentation to say that it
is). colorama doesn't really *need
Donald Stufft added the comment:
I really don't think it's unreasonable to say SSL 3.0 is insecure, if you rely
on it then you need to pass this flag to use it. Passing a flag to do
something insecure is hardly onerous.
Donald Stufft added the comment:
The naming of SSLv23 is sort of unfortunate, that will negotiate the highest
version of SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 that both the client and
the server support. You can modify the list of what protocols are supported
using the ssl.OP_NO_* flags
Donald Stufft added the comment:
I think it's fine to disable it all together. Google is planning/hoping to kill
SSL 3.0 completely from their clients in the next couple of months. They just
don't want to release a patch that disables SSL 3.0 right today
Donald Stufft added the comment:
I don't know, how many times will it have to be repeated that secure defaults
matter?
SSL 3.0 can be turned back on easily enough, it isn't a hard shut off. It
changes the default just like what was done with SSLv2.0
Donald Stufft added the comment:
There's also https://www.trustworthyinternet.org/ssl-pulse/
http://bugs.python.org/issue22638
Donald Stufft added the comment:
OpenSSL generally doesn't have bad options disabled until they are years old.
OpenSSL takes the stance that it's up to the consumers of the OpenSSL API to
properly configure themselves.
Also it's important to note that TLS_FALLBACK_SCSV isn't actually a work
Donald Stufft added the comment:
Firefox is planning to disable SSL 3.0 as well -
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
SSLv3 will be disabled by default in Firefox 34, which will be released on Nov
25
Donald Stufft added the comment:
This is no longer the case in the next version of pip.
--
resolution: - fixed
status: open - closed
http://bugs.python.org/issue22611
Donald Stufft added the comment:
There's a support link on the left hand side of the PyPI page, that'll take you
to the support forum where you can issue a support request and it'll get dealt
with. Alternatively you can email distutils-...@python.org, or Richard and
myself (first names
Donald Stufft added the comment:
Sorry, Richard or myself (...) will take a look and fix it.
http://bugs.python.org/issue22483
Donald Stufft added the comment:
This will be my last post on this issue.
I've given you the mechanisms for reporting problems with PyPI. PyPI is not run
by python-dev nor is the python-dev bug tracker a mouth piece for your
frustration with some part of the ecosystem around Python.
If you
Donald Stufft added the comment:
Since I've been asked, just to clarify, my last post was a continuation of a
sentence that I mistakenly forgot to write out in full.
It should read:
If you actually care about fixing the issue report it through one of the
venues that I've mentioned
Donald Stufft added the comment:
Just to close the gap on this, most of the PSF web properties that go through
Fastly have been switched over to a set of IP addresses that are dedicated to
the PSF. So if someone does an IP ban they are blocking us.
I just made the switch in DNS so it'll take
Donald Stufft added the comment:
Yea can you give more information? How are you reproducing this? What version
of Python? I can't reproduce it locally.
--
http://bugs.python.org/issue22311
Donald Stufft added the comment:
Ok, I'll pull down Python 3.5 in a bit and see what is what.
--
http://bugs.python.org/issue22311
Donald Stufft added the comment:
If you want to be completely unambiguous, python -m pip works as well.
--
nosy: +dstufft
http://bugs.python.org/issue22295