[Twisted-Python] ANN: pythonpackages.com beta

2012-07-28 Thread Alex Clark
Hi Twisted folks,


I am reaching out to various Python-related programming communities in 
order to offer new help packaging your software.

If you have ever struggled with packaging and releasing Python software 
(e.g. to PyPI), please check out this service:


- http://pythonpackages.com


The basic idea is to automate packaging by checking out code, testing, 
and uploading (e.g. to PyPI) all through the web, as explained in this 
introduction:


- http://docs.pythonpackages.com/en/latest/introduction.html


Also, I will be available to answer your Python packaging questions most 
days/nights in #pythonpackages on irc.freenode.net. Hope to meet/talk 
with all of you soon.



Alex



-- 
Alex Clark · http://pythonpackages.com/ONE_CLICK


___
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python


Re: [Twisted-Python] ANN: pythonpackages.com beta

2012-07-30 Thread Alex Clark
Hi,


On 7/30/12 12:31 PM, Eric P. Mangold wrote:
> Alex,
>
> I'm not sure if this is borderline off-topic, or not... but anyway..
>
> I'm sure starting a discussion here IS offtopic.
>
> But I have one question:
>
> How do package authors verify the integrity of their packages built "through 
> the web"?


Good question, I just created:

- http://docs.pythonpackages.com/en/latest/faq.html#how-do-package-authors-verify-the-integrity-of-packages-built-through-the-web

If you have any feature suggestions please open a ticket:

- https://bitbucket.org/pythonpackages/pythonpackages.com/issues/new


Alex





>
> --
> -E
>


-- 
Alex Clark · http://pythonpackages.com/ONE_CLICK




Re: [Twisted-Python] ANN: pythonpackages.com beta

2012-07-30 Thread Alex Clark
Hi Eric,

On 7/30/12 4:49 PM, Eric P. Mangold wrote:
> On Mon, Jul 30, 2012 at 12:49:56PM -0400, Alex Clark wrote:
>> Hi,
>>
>>
>> On 7/30/12 12:31 PM, Eric P. Mangold wrote:
>>> Alex,
>>>
>>> I'm not sure if this is borderline off-topic, or not... but anyway..
>>>
>>> I'm sure starting a discussion here IS offtopic.
>>>
>>> But I have one question:
>>>
>>> How do package authors verify the integrity of their packages built 
>>> "through the web"?
>>
>>
>> Good question, I just created:
>>
>> - http://docs.pythonpackages.com/en/latest/faq.html#how-do-package-authors-verify-the-integrity-of-packages-built-through-the-web
>
> Let me be clear:
>
> Is it possible to have any assurance that your system has faithfully built 
> the package, and/or that your servers have not been compromised?
>
> Why would anyone trust your web service to build packages, when it is *their* 
> pgp, reputation and users that are at stake?
> (Yes, I would ask Launchpad/Canonical, et al. the same question...)
>
> (Also, if you're suggesting MD5 (following your link..) for anything related 
> to security or data authenticity, then I *know* you're way off base...)


The point about md5 is not to suggest using it for security or data 
authenticity, it's to clarify that whatever security is currently in place 
with PyPI (not a lot, admittedly) still applies, for whatever that is 
worth (not much, apparently).


>
> Sorry if this is harsh - but it's intended. Without any kind of verifiable 
> guarantee (get to work on that! :)) I don't think I could ever possibly use 
> such a thing, and would advise against it.
>
> Getting software to end-users is a tough challenge, and I applaud your 
> efforts to try and make it easier. A system with a single point of failure 
> and a single point of trust just isn't feasible or desirable, 
> imho. Administrators need to know who has final responsibility and *authority* 
> over the software that they are consuming. If "the cloud" is the last 
> link in that chain, then you have a big problem, I think.


The last link in the chain is PyPI (or a private index). The node before 
that is typically your laptop. I'm suggesting you make it 
pythonpackages.com instead.

Folks can either trust us or not, based on the "real world" risk 
perceived. Of course we will try to convince them it is safe by actually 
making it safe, in whatever way is necessary/possible.

As for all your security points above, they are clearly valid and 
currently addressed (to the best of our ability) in the FAQ:

- http://docs.pythonpackages.com/en/latest/faq.html

And here:

- http://docs.pythonpackages.com/en/latest/security.html


>
> Have a nice day,
> -E
>
> P.S. I'm open to suggestions for moving this thread (where?), as I don't 
> believe it belongs on this list.


You can bring it up (or join an existing thread) on catalog-sig if you 
like. I'm also in #pythonpackages on freenode 24/7. Thanks for the interest!



Alex





>


-- 
Alex Clark · http://pythonpackages.com/ONE_CLICK
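
An added example, not part of the thread and not code from pythonpackages.com: one way an author could check a remotely built sdist against a local build of the same source, by hashing each archive member with SHA-256 rather than the archive as a whole (archive digests differ on timestamps alone). The file names, contents and helper names are constructed for illustration.

```python
import hashlib
import io
import tarfile


def archive_digest(sdist_bytes):
    """SHA-256 of the whole archive; sensitive to timestamps and gzip headers."""
    return hashlib.sha256(sdist_bytes).hexdigest()


def member_digests(sdist_bytes):
    """Map each regular file in a .tar.gz sdist to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_sdists(local_bytes, remote_bytes):
    """Return (only_local, only_remote, changed) lists of member names."""
    local, remote = member_digests(local_bytes), member_digests(remote_bytes)
    only_local = sorted(set(local) - set(remote))
    only_remote = sorted(set(remote) - set(local))
    changed = sorted(n for n in set(local) & set(remote) if local[n] != remote[n])
    return only_local, only_remote, changed


def make_sdist(files, mtime):
    """Build a constructed .tar.gz in memory (stand-in for a real sdist)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data: a local build, a faithful remote build made at a
# different time, and a remote build whose module content was altered.
SOURCE = {"demo-1.0/setup.py": b"from setuptools import setup\nsetup(name='demo')\n",
          "demo-1.0/demo.py": b"def hello():\n    return 'hi'\n"}
LOCAL = make_sdist(SOURCE, mtime=1343600000)
FAITHFUL = make_sdist(SOURCE, mtime=1343690000)
ALTERED = make_sdist({**SOURCE, "demo-1.0/demo.py": b"def hello():\n    return 'hi!'\n"},
                     mtime=1343690000)

if __name__ == "__main__":
    print(compare_sdists(LOCAL, FAITHFUL))   # no differences in content
    print(compare_sdists(LOCAL, ALTERED))    # demo.py reported as changed
```

A digest published next to the upload only shows that the download matches what the build service produced; the member comparison is what ties the artifact back to the author's own source tree.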




Re: [Twisted-Python] ANN: pythonpackages.com beta

2012-07-31 Thread Alex Clark
On 7/31/12 10:54 AM, Eric P. Mangold wrote:
> On Tue, Jul 31, 2012 at 02:39:48PM -, exar...@twistedmatrix.com wrote:
>> Please discontinue this discussion on twisted-python.  Thanks.
>>
>> Jean-Paul
>
> Thanks. I meant to indicate that I had CC'ed catalog-sig.


Indeed, thanks for your patience, all! Will pick up with Eric over on 
catalog-sig for anyone else interested.


>
> -E
>


-- 
Alex Clark · http://pythonpackages.com/ONE_CLICK

