[Python-Dev] 2.7.12 schedule

2016-05-03 Thread Benjamin Peterson
I have been reminded that we are due for a 2.7.12 release. I think
Larry's 3.5.2 schedule is perfectly cromulent and am going to piggyback.
Therefore, 2.7.12rc1 will be on June 11th, and the final will be on June
25.

Servus,
Benjamin
___
Python-Dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


[Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Stefan Krah

Hello,

Could someone enlighten me which hoops I have to jump through
this year in order to keep pip downloads working?

Collecting cdecimal
  Could not find a version that satisfies the requirement cdecimal (from
versions: )
No matching distribution found for cdecimal
You are using pip version 7.1.2, however version 8.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.


If this continues, I'm going to release a premium version that's
50% faster and only available from bytereef.org or Anaconda.



Stefan Krah



Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Łukasz Langa
Why don’t you just *host* the files on PyPI?

> On May 3, 2016, at 12:06 PM, Stefan Krah  wrote:
> 
> 
> Hello,
> 
> Could someone enlighten me which hoops I have to jump through
> this year in order to keep pip downloads working?
> 
> Collecting cdecimal
>  Could not find a version that satisfies the requirement cdecimal (from
> versions: )
> No matching distribution found for cdecimal
> You are using pip version 7.1.2, however version 8.1.1 is available.
> You should consider upgrading via the 'pip install --upgrade pip' command.
> 
> 
> If this continues, I'm going to release a premium version that's
> 50% faster and only available from bytereef.org or Anaconda.
> 
> 
> 
> Stefan Krah
> 





Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Brett Cannon
On Tue, 3 May 2016 at 12:06 Stefan Krah  wrote:

>
> Hello,
>
> Could someone enlighten me which hoops I have to jump through
> this year in order to keep pip downloads working?
>
> Collecting cdecimal
>   Could not find a version that satisfies the requirement cdecimal (from
> versions: )
> No matching distribution found for cdecimal
> You are using pip version 7.1.2, however version 8.1.1 is available.
> You should consider upgrading via the 'pip install --upgrade pip' command.
>

The distutils-sig mailing is the best place to try and get help.


Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Donald Stufft

> On May 3, 2016, at 3:06 PM, Stefan Krah  wrote:
> 
> 
> Hello,
> 
> Could someone enlighten me which hoops I have to jump through
> this year in order to keep pip downloads working?
> 
> 


This is off topic for python-dev, but https://www.python.org/dev/peps/pep-0470/#i-can-t-host-my-project-on-pypi-because-of-x-what-should-i-do .

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA





Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Nathaniel Smith
On Tue, May 3, 2016 at 12:06 PM, Stefan Krah  wrote:
>
> Hello,
>
> Could someone enlighten me which hoops I have to jump through
> this year in order to keep pip downloads working?
>
> Collecting cdecimal
>   Could not find a version that satisfies the requirement cdecimal (from
> versions: )
> No matching distribution found for cdecimal
> You are using pip version 7.1.2, however version 8.1.1 is available.
> You should consider upgrading via the 'pip install --upgrade pip' command.
>
>
> If this continues, I'm going to release a premium version that's
> 50% faster and only available from bytereef.org or Anaconda.

There's no point in making threats -- you're threatening the air. PyPI
is maintained by one overloaded developer (Donald Stufft, sponsored by
HPE as part of their openstack work) with help from a few overloaded,
burned-out volunteers. Everyone wants PyPI to be awesome and useful;
your frustration is totally understandable, and lots of us share it.
But the limitation here is that we have ~one person running a website
that serves ~100,000,000 requests/day, and running as fast as they can
just to keep things from breaking more than they already have. As long
as that's the case it doesn't matter what "should" happen, there's
no-one to do it.

-n

-- 
Nathaniel J. Smith -- https://vorpus.org


Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Stefan Krah
Nathaniel Smith  pobox.com> writes:
> > If this continues, I'm going to release a premium version that's
> > 50% faster and only available from bytereef.org or Anaconda.
> 
> There's no point in making threats -- you're threatening the air. PyPI
> is maintained by one overloaded developer (Donald Stufft, sponsored by
> HPE as part of their openstack work) with help from a few overloaded,
> burned-out volunteers. Everyone wants PyPI to be awesome and useful;
> your frustration is totally understandable, and lots of us share it.
> But the limitation here is that we have ~one person running a website
> that serves ~100,000,000 requests/day, and running as fast as they can
> just to keep things from breaking more than they already have. As long
> as that's the case it doesn't matter what "should" happen, there's
> no-one to do it.

This wasn't so much of a threat, it was resignation. At some point it
seems like the rational thing to do.

I don't fully understand your explanation. Judging by the link that
Donald posted (thanks!) it seems that PEP 470 introduced extra work
for him that would not have been present had things been left in place.


Also, I did not get any notification and now that I searched for
PEP 470 it seems that it wasn't announced here:

  https://mail.python.org/pipermail/python-dev/2015-October/141838.html


But if the majority prefers PyPI that way, I'll stop arguing.



Stefan Krah



Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Łukasz Langa

> On May 3, 2016, at 1:42 PM, Stefan Krah  wrote:
> 
> I don't fully understand your explanation. Judging by the link that
> Donald posted (thanks!) it seems that PEP 470 introduced extra work
> for him that would not have been present had things been left in place.

IIRC the PyPI maintainers were constantly nagged about “PyPI reliability 
issues” that were instead external hosting issues. Everybody was affected every 
now and then whenever tummy.com or other external servers for popular packages 
were down. Or at least I know *I was*. Way too often.

> But if the majority prefers PyPI that way, I'll stop arguing.

I’m not sure what you mean here but if you want to argue for reverting PEP 470, 
I wouldn’t hold my breath.

--
Ł




Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Stefan Krah
Łukasz Langa  langa.pl> writes:
> > I don't fully understand your explanation. Judging by the link that
> > Donald posted (thanks!) it seems that PEP 470 introduced extra work
> > for him that would not have been present had things been left in place.
> 
> IIRC the PyPI maintainers were constantly nagged about “PyPI reliability
> issues” that were instead external hosting issues. Everybody was affected
> every now and then whenever tummy.com or other external servers for popular
> packages were down. Or at least I know *I was*. Way too often.

But making them completely unreachable does not increase reliability. :)


> > But if the majority prefers PyPI that way, I'll stop arguing.
> 
> I’m not sure what you mean here but if you want to argue for reverting PEP
> 470, I wouldn’t hold my breath.

No, I mean what we're doing now.


Stefan Krah



Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Glyph
On May 3, 2016, at 2:38 PM, Stefan Krah  wrote:
> 
> But making them completely unreachable does not increase reliability. :)

But it does increase security.

The other motivation, besides reliability, listed in this section, is that:

"transparently including external links [is] a security hazard (given that in 
most cases it allowed a MITM to execute arbitrary Python code on the end users 
machine)".

And, indeed, the URL presently listed on PyPI for the cdecimal upload is an 
unverified http URL.  This means that any evil barista with access to a 
coffee-shop wifi router could instantly execute user-privileged code on any 
Python programmer's laptop if they were to `pip install´ this externally hosted 
package, which is one of the reasons why neither `pip´ nor `pypi´ allow such a 
thing any more.

Please believe me when I say I do not mean the following to be insulting - 
information security is incredibly confusing, difficult, and rapidly evolving, 
and I don't blame you for getting it wrong - but maintaining a popular package 
in this way is dangerously irresponsible.  There are solid social reasons to 
centralize the control of the default package repository in the hands of 
dedicated experts who can scale their security expertise to a large audience, 
so that package authors like you and I don't need to do this in order to 
prevent Python from gaining a reputation as a vector for malware; this package 
is a case in point.

Separately from the issue of how PyPI works, even if you have some reason you 
need to host it externally (which I seriously doubt), please take the trouble 
to set up a server with properly verified TLS, or use a '.github.io' hostname 
that can be verified that way.

In the meanwhile, just to demonstrate that it's a trivial amount of work to 
just host it on PyPI, I checked out this package via a verified mechanism ("git 
clone https://github.com/bytereef/bytereef.github.io") and created a new 
pypi-cdecimal package, via editing the setup.py to 
change the name, 'python setup.py register', 'python setup.py sdist', 'pip 
wheel' (for some reason direct 'python setup.py bdist_wheel' didn't work), and 
'twine upload'.  `pip install pypi-cdecimal´ should now work and get you an 
importable `cdecimal´, and if you happen to be lucky enough to run the same OS 
version I am, you won't even need to build C code.  cdecimal users may wish to 
retrieve it via this mechanism until there's a secure way to get the proper 
upstream distribution.

If anyone wants package-index access to this name to upload Windows or 
manylinux wheels just let me know; however, as this is just a proof of concept, 
I do not intend to maintain it long-term.

-glyph



Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Terry Reedy

On 5/3/2016 8:56 PM, Glyph wrote:

> setup.py bdist_wheel' didn't work), and 'twine upload'.  `pip install
> pypi-cdecimal´ should now work and get you an importable `cdecimal´, and
> if you happen to be lucky enough to run the same OS version I am, you
> won't even need to build C code.  cdecimal users may wish to retrieve it
> via this mechanism until there's a secure way to get the proper upstream
> distribution.
>
> If anyone wants package-index access to this name to upload Windows or
> manylinux wheels just let me know; however, as this is just a proof of
> concept, I do not intend to maintain it long-term.


For Windows, http://www.lfd.uci.edu/~gohlke/pythonlibs/ has 32 and 64 
bit builds of cdecimal 2.3 for 2.7, 3.4, and 3.5.


(Is cdecimal substantially different from the _decimal added in 3.5?)

--
Terry Jan Reedy




Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread tritium-list
> 
> (Is cdecimal substantially different from the _decimal added in 3.5?)
> 
AFAICT, they are unrelated codebases that do about the same thing with the same 
amount of performance, with the main exception that _decimal in 3.5 does not 
require one to change their import (or to compile the package themselves.)



Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread Stefan Krah

> [cut overlong post]

Glyph,

nice sneaky way to try to divert from the original issue. Your whole post
is invalidated by the simple fact that the URL was protected by a hash
(which I repeatedly asked to be upgraded to sha256).

This was the official scheme promoted by PEP-438, which you should know.  
But of course your actual intention here is character assassination, 
pretending to "rescue" cdecimal and trying to divert from the fact that
the transition to PEP 470 was handled suboptimally.


The very reason for this thread is that the security was silently disabled
WITHOUT me getting a notification.  What is on PyPI *now* is not what I
configured!


Please believe me when I say I do not mean the following to be insulting --
people who have done *actual* cryptography to varying degrees often tend
to focus on the important parts and aren't impressed by regurgitating
catch phrases like SSL and man-in-the-middle:

http://cr.yp.to/ecdh.html


The amount of security "experts" in the Python community that pontificate
on any occasion is pretty annoying.  What do you think djb thinks of Twisted?


> If anyone wants package-index access to this name to upload Windows or
> manylinux wheels just let me know; however, as this is just a proof of
> concept, I do not intend to maintain it long-term.

That's apparently all you can do:  Move bits from place A to place B and not 
care how long it took to produce them.

You are a real hero.



Stefan Krah
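
The two mechanisms argued over above, Glyph's point that a plain http link with nothing to check against lets an on-path attacker substitute the archive, and Stefan's point that the link carried a PEP 438 style hash fragment (`#md5=...`, which he asked to have upgraded to `#sha256=...`), as an added example that is not part of the thread and is not pip's or PyPI's own code. It classifies a download link the way an installer should before fetching it and verifies the fetched bytes against the pinned digest; the host `example.invalid` and the sample payload are constructed placeholders, and the category names are my own.

```python
import hashlib
import hmac
import urllib.parse

# Constructed sample payload standing in for a downloaded sdist; not a real cdecimal release.
SAMPLE_SDIST = b"cdecimal-2.3.tar.gz (constructed sample bytes, not a real sdist)\n"

# Digest algorithms a '#algo=hexdigest' fragment may carry; md5 and sha1 are
# accepted for verification but reported as weak.
STRONG_ALGOS = ("sha256", "sha384", "sha512")
WEAK_ALGOS = ("md5", "sha1")


def hash_from_url(url):
    """Parse a PEP 438 style '#algo=hexdigest' URL fragment.

    Returns (algo, hexdigest) or None when the fragment is missing, names an
    unknown algorithm, or carries a digest of the wrong length or non-hex form.
    """
    fragment = urllib.parse.urlsplit(url).fragment
    algo, sep, digest = fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in STRONG_ALGOS + WEAK_ALGOS:
        return None
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        return None
    return algo, digest


def classify_link(url):
    """Classify a download link before fetching it (category names are my own).

    'hash-pinned'      : the bytes can be checked against a strong digest, whatever the transport
    'hash-pinned-weak' : pinned, but only with md5/sha1
    'https'            : no pin, but the server identity is verified by TLS
    'unverified'       : plain http and no pin; an on-path attacker can substitute the archive
    """
    pin = hash_from_url(url)
    if pin is not None:
        return "hash-pinned" if pin[0] in STRONG_ALGOS else "hash-pinned-weak"
    scheme = urllib.parse.urlsplit(url).scheme.lower()
    return "https" if scheme == "https" else "unverified"


def verify_download(url, data):
    """Return True only when data matches the digest pinned in the URL fragment.

    An unpinned URL returns False: there is nothing to verify against, which is
    exactly the state of an external http link with no hash.
    """
    pin = hash_from_url(url)
    if pin is None:
        return False
    algo, digest = pin
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, digest)


def pin_url(url, data, algo="sha256"):
    """Build the pinned form of url for data, as a maintainer would publish it."""
    parts = urllib.parse.urlsplit(url)
    digest = hashlib.new(algo, data).hexdigest()
    return urllib.parse.urlunsplit(parts._replace(fragment=f"{algo}={digest}"))


if __name__ == "__main__":
    base = "http://example.invalid/cdecimal-2.3.tar.gz"  # placeholder host, not the real one
    pinned = pin_url(base, SAMPLE_SDIST)
    print(classify_link(base), "->", verify_download(base, SAMPLE_SDIST))
    print(classify_link(pinned), "->", verify_download(pinned, SAMPLE_SDIST))
    # Simulated in-transit tampering: one byte appended, the pin rejects it.
    print(classify_link(pinned), "->", verify_download(pinned, SAMPLE_SDIST + b"!"))
```

The unpinned http link classifies as `unverified` and can never pass `verify_download`, which is the hazard Glyph describes; the pinned link passes with the original bytes and fails once the payload is altered, which is the protection Stefan describes. A weak pin still verifies, but an installer policy can refuse or warn on `hash-pinned-weak`.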






Re: [Python-Dev] Yearly PyPI breakage

2016-05-03 Thread tritium-list
Are you for real?  I honestly do not understand your hostility.

You posted a mean-spirited complaint about a policy that is nearly exactly
two years old, to the wrong list, and call out the people calmly trying to
explain what happened and why, and how you can mitigate it for your own work
and organization.  What do you intend to accomplish?

* PyPI is no longer an index, it is a repository
* The decision to disable the index-only features of PyPI was made 2 years
ago, including pep438 - plenty of time to make alternate arrangements.
* The tooling for hosting your own repository is available, should you
actually need to host the files outside of PyPI
* The tooling exists to use other indexes
* The tooling exists to host your own index that serves your own packages
(that you develop or third party packages that you package for your own
use), that defaults to PyPI for packages not in your own repository

I understand that you are upset that a feature you used was removed; posting
with hostility to a list of people who do not even have control over the
repository is not a legitimate way to solve your problems.

> -Original Message-
> From: Python-Dev [mailto:python-dev-bounces+tritium-
> [email protected]] On Behalf Of Stefan Krah
> Sent: Wednesday, May 04, 2016 00:15
> To: [email protected]
> Subject: Re: [Python-Dev] Yearly PyPI breakage
> 
> 
> > [cut overlong post]
> 
> Glyph,
> 
> nice sneaky way to try to divert from the original issue. Your whole post
> is invalidated by the simple fact that the URL was protected by a hash
> (which I repeatedly asked to be upgraded to sha256).
> 
> This was the official scheme promoted by PEP-438, which you should know.
> But of course your actual intention here is character assassination,
> pretending to "rescue" cdecimal and trying to divert from the fact that
> the transition to PEP 470 was handled suboptimally.
> 
> 
> The very reason for this thread is that the security was silently disabled
> WITHOUT me getting a notification.  What is on PyPI *now* is not what I
> configured!
> 
> 
> Please believe me when I say I do not mean the following to be insulting --
> people who have done *actual* cryptography to varying degrees often tend
> to focus on the important parts and aren't impressed by regurgitating
> catch phrases like SSL and man-in-the-middle:
> 
> http://cr.yp.to/ecdh.html
> 
> 
> The amount of security "experts" in the Python community that pontificate
> on any occasion is pretty annoying.  What do you think djb thinks of Twisted?
> 
> 
> > If anyone wants package-index access to this name to upload Windows or
> > manylinux wheels just let me know; however, as this is just a proof of
> > concept, I do not intend to maintain it long-term.
> 
> That's apparently all you can do:  Move bits from place A to place B and not
> care how long it took to produce them.
> 
> You are a real hero.
> 
> 
> 
> Stefan Krah
> 
> 
> 
> 
