Donald Stufft added the comment:
"Depleting" /dev/urandom isn't actually a thing. /dev/urandom on all modern
*nix OSs uses a fast PRNG which is secure as long as it has received enough
bytes of initial entropy.
--
___
Python
Donald Stufft added the comment:
I don't think what you're worrying about here is something that has a high
chance of happening, if it even occurs in the wild at all. To be clear in order
for that to matter at all in the context of this ticket, some software would
need to be reading
Donald Stufft added the comment:
> But backporting always has a risk, which has to be balanced.
Sure, which is why a PEP was written, discussed and accepted to find that
balance.
--
Donald Stufft added the comment:
Well except random.SystemRandom doesn't keep the file open (At least in 2.7)
and actually it just calls os.urandom under the covers, also it doesn't make it
very nice to get a glob of random bytes.
--
Donald Stufft added the comment:
Just verified that 3.x also does not exhibit this behavior with
random.SystemRandom (except implicitly through os.urandom doing it).
--
Donald Stufft added the comment:
One of the reasons the PEP was done the way it was done was it allowed you to
write 2/3 compatible code without version checks. Enhancing that class won't
land until 3.5 which is 18+ months away. Furthermore the os.urandom persistent
FD's already
Donald Stufft added the comment:
The attached patch looks good to me.
--
Python tracker
<http://bugs.python.org/issue21306>
Donald Stufft added the comment:
"Depleting the entropy pool" is sort of a nonsense idea that /dev/random has.
Nobody should ever be worried about it and nobody should ever use /dev/random.
The manpage is wrong and has continued to be wrong because of historical
reasons and
Donald Stufft added the comment:
Let me raise the issue with urllib3 and see if maybe we can get a quick turn
around and just fix it for real.
--
Donald Stufft added the comment:
This is going to break existing versions of urllib3 (and thus requests and thus
pip) when using verified TLS + a proxy, however future versions can work around
it and a fix is being looked at right now. Once it's fixed there it can
propagate to request
Donald Stufft added the comment:
Just an update, the issue is fixed in urllib3 and that has been pulled into
requests. Requests is currently prepping to release a new version which I'll
pull into pip and issue a pip 1.5.6 release which can be pulled into CPython
which should fix
Donald Stufft added the comment:
I agree that 2.7.8 is more realistic. This particular backport is going to be
the most work due to the scope of it.
--
Donald Stufft added the comment:
The attached patch looks pretty good to me.
--
Python tracker
<http://bugs.python.org/issue21304>
Donald Stufft added the comment:
I don't think there's any way around it, nor do I think that it actually leaks
any meaningful timing.
--
Donald Stufft added the comment:
Oh, gotcha.
Yea I agree, but it's Python 2.x that's par for the course.
--
Donald Stufft added the comment:
Requests has been released and I've pulled it into the pip tree. I'll be
releasing tonight probably, or maybe tomorrow.
--
Donald Stufft added the comment:
Well you're the RM Larry :) I'll do whatever you think is best. I would greatly
prefer it if the pip shipped with CPython 3.4.1 wasn't broken with proxies. I
think the choices are
1) Ship it with the new pip, I can give a delta of the differe
Donald Stufft added the comment:
I just released pip 1.5.6.
The ensurepip package currently has 1.5.4 inside of it. 1.5.5 has been out for
2 weeks or so and there haven't been any reported regressions.
The only difference between 1.5.5 and 1.5.6 is that requests has been upgraded.
Here
Donald Stufft added the comment:
Just FYI, I upgraded setuptools and pip in 3.5:
http://hg.python.org/cpython/rev/acb5cc616052
http://hg.python.org/cpython/rev/308ff6a5ce67
If you decide to go that way dunno if you can just cherry pick or not
Donald Stufft added the comment:
@larry
Is there anything else I need to do?
--
Python tracker
<http://bugs.python.org/issue7776>
Changes by Donald Stufft :
--
resolution: -> fixed
status: open -> closed
Python tracker
<http://bugs.python.org/issue21528>
Donald Stufft added the comment:
That's also a security sensitive thing, you don't want to compare two different
encoding and have it accidentally fail. Strictly speaking you can only do a
constant time comparison on bytes, the fact it accepts unicode at all (even on
Python
Donald Stufft added the comment:
Might it make sense to special case 3.2 and 3.3 since the last releases of
those were not security releases and the security issue is with a bundled
library?
--
nosy: +dstufft
Donald Stufft added the comment:
So Twisted is actually in the process of pulling out their tooling they use for
the separate files technique and making it a stand alone project. Seems like
it'd make sense to reuse/contribute to that?
It's at https://github.com/twisted/n
New submission from Donald Stufft:
Since Python 3.3 the zipfile module has support bzip2 and lzma compression,
however the zipimporter does not support these. It would be awesome if
zipimport did support them.
--
messages: 220477
nosy: brett.cannon, dstufft, eric.snow, ncoghlan
Donald Stufft added the comment:
Right, but it could still have support for those things implemented yea?
--
Donald Stufft added the comment:
I disagree that there is no large benefit. Python files aren't the only files
that could exist inside of a zip file. Supporting LZMA import (or bz2) would
make it easier to have LZMA or bzip2 wheels in the future without losing the
ability to import
Donald Stufft added the comment:
I'm not sure what that statement means. There is package data that sits
alongside python files. These cannot use anything but DEFLATED because
zipimport doesn't support it.
--
Donald Stufft added the comment:
+1 for back porting SSL validation even if it's a private to distutils backport.
pypissh requires a SSH Binary which isn't all that great on Windows where SSH
is not typically installed by default.
--
nosy
Donald Stufft added the comment:
Well Infrastructure *should* get a proper cert anyways else MITM is trivial via
the web interface anyways.
--
Donald Stufft added the comment:
CACert is not *proper* irregardless of what that projects goals are. It is not
trusted by default therefore it does not provide the same level of security in
the browser (Very few people will bother to look at the difference between a
CACert and a self signed
Donald Stufft added the comment:
Attached is an initial rough draft of the ensurepip module. There are some
issues still, but they largely need resolved in pip.
1. Setuptools' use of dependency_links causes pip to still reach out to the
internet.
2. Need to remove the --pre flag from th
Donald Stufft added the comment:
Added a second draft that handles the case when the stdlib isn't directly
browseable (e.g. it's zipped up or something).
--
Added file: http://bugs.python.org/file32373/draft2.diff
New submission from Donald Stufft:
Currently pkgutil cannot be imported unless you first import
importlib.machinery. This means ./python.exe -m pkgutil works, but doing
``import pkgutil`` in the REPL does not.
--
messages: 201355
nosy: dstufft, larry
priority: release blocker
severity
Donald Stufft added the comment:
Added a third draft, this one adds the script to check if pip needs updated.
I've removed the first two drafts to make it simpler.
--
Added file: http://bugs.python.org/file32374/draft3.diff
Changes by Donald Stufft :
Removed file: http://bugs.python.org/file32371/draft.diff
Python tracker
<http://bugs.python.org/issue19406>
Changes by Donald Stufft :
Removed file: http://bugs.python.org/file32373/draft2.diff
Python tracker
<http://bugs.python.org/issue19406>
Donald Stufft added the comment:
You cannot use --user in a virtual environment (well a venv, no idea about a
pyvenv - but it should get a similar error message IMO if it doesn't).
If you use --root and --user together it will install to the --root location,
using the user layout, so in
Changes by Donald Stufft :
--
nosy: +dstufft
Python tracker
<http://bugs.python.org/issue19407>
Donald Stufft added the comment:
For what it's worth I can get --root ready to go shortly, I have a patch
against pip for it (https://github.com/pypa/pip/pull/1272) I just need to write
some tests to ensure it keeps working. Let me go off and do that righ
Donald Stufft added the comment:
I also need to update the bundled Wheel to one that was created with Python 3.4
instead of 2.7 (which matters until the fix for
https://github.com/pypa/pip/issues/1067 which is
https://github.com/pypa/pip/pull/1251 lands). That fixes the issue where the
wheel
Donald Stufft added the comment:
Ok, merged in the --root fix to pip and created a Wheel using Python 3.4 (which
I installed the Wheel distribution using an ensurepip installed pip ;) ).
Updated on github and a patch added, all outstanding issues that affect this
patch exist on the pip side
Changes by Donald Stufft :
Added file: http://bugs.python.org/file32446/combined.diff
Python tracker
<http://bugs.python.org/issue19406>
Donald Stufft added the comment:
There you go Nick.
--
Python tracker
<http://bugs.python.org/issue19406>
Donald Stufft added the comment:
The .pya thing is an experimental extension type that setuptools added that
just got missed during the new features to generate scripts during wheel
install vs wheel build time. I opened a bug to remove that and it'll be gone
before 1.5 is released.
I ca
Donald Stufft added the comment:
Oh one thing, I can't move anything out of _run_pip because the part you're
referring to is actually modifying the sys.path. If I move it then I can't
prevent the tests from having side effects.
--
Donald Stufft added the comment:
Oh nevermind, I understand now. I misread the statement. I can do that.
--
Donald Stufft added the comment:
Attached is the second combined2 patch with Ned's feedback incorporated.
For anyone testing this the patch does not contain the binary files which can
be found at
https://github.com/dstufft/cpython/blob/ensurepip/Lib/ensurepip/_bundled/.
--
Added
Donald Stufft added the comment:
Tweaking the Wheels won't work. The scripts are generated at install time.
We need to fix it in pip, I was waiting on answers to
http://bugs.python.org/issue19406#msg201954 before coming up with a solution
and making a PR request as that will influenc
Donald Stufft added the comment:
* Updated setuptools
* Updated pip to the latest development snapshot
* Installs default to installing easy_install-X.Y, pipX, and pipX.Y
* Added --altinstall which only installs easy_install-X.Y and pipX.Y
* Added --default-install which installs easy_install
Donald Stufft added the comment:
1. This is bound to be an issue that stems from the fact pip is doing the
install instead of distutils. It probably makes sense to use the group id of
the parent directory I think?
2. This is a side effect of Wheel being a whole new way to install, previously
Donald Stufft added the comment:
I'm honestly not sure what to do about #8 on your list. It's sort of a really
weird edge case as far as pip is concerned right now because the support for
the versioned commands and differing them is sort of a hack job while we wait
for proper supp
Donald Stufft added the comment:
That's similar to how virtualenv does it, so it's probably pretty reasonable.
--
Donald Stufft added the comment:
I don't know much about installers, can they execute code as part of their
uninstall process?
--
Donald Stufft added the comment:
Also does the PEP need updated? It specifically called out this problem and
said that it will leave pip behind?
--
Donald Stufft added the comment:
Well the PEP does state that the option will be checked by default, but I'm not
arguing that we shouldn't implement uninstall if Windows users expect it, I was
just trying to figure out if we needed to update the PEP.
So unilaterally removing on
Donald Stufft added the comment:
There's a ticket in pip to make pip work even when ssl isn't available. You
wouldn't be able to install from PyPI but you would be able to install from
local archives.
--
nosy: +dstufft
Donald Stufft added the comment:
It probably can. I just need to figure out how to test it to make sure the PR
that supposedly fixes it fixes it, and then figure out how to ensure it still
works into the future.
--
Donald Stufft added the comment:
I agree with Christian, mail.stufft.io should not be able to masquerade as
smtp.google.com and being able to do so is a pretty big security hole.
--
nosy: +dstufft
Donald Stufft added the comment:
Probably the higher level libraries don't even realize it's not happening, it's
similar to the issue of SSL validation for HTTPS connections where a vast
swathe of people didn't even realize that their certificates were
Donald Stufft added the comment:
I assumed we were talking about 3.4 and didn't even notice that the issues had
3.3 and 3.2 attached to it.
--
Donald Stufft added the comment:
The urllib3 in requests VCS was updated, I just need to bother Kenneth to make
a new release of requests or update pip to an unreleased requests.
--
Donald Stufft added the comment:
Requests was released and pip updated it, I can release a new pip but it
appears that perhaps distlib needs fixed before the without threads case is
taken care of?
--
Donald Stufft added the comment:
I believe in pip 1.5.6 we switched from shutil.move to shutil.copytree which I
believe will reset the permissions/SELinux context?
--
Changes by Donald Stufft :
--
nosy: +dstufft
Python tracker
<http://bugs.python.org/issue22028>
Donald Stufft added the comment:
I think we probably want to revert that particular change. Afaik it wasn't
added to 3.4 because of the danger of breaking things so we probably shouldn't
add it to 2.7.
--
Donald Stufft added the comment:
Just a FYI, I've let Fastly know about this.
--
nosy: +dstufft
Python tracker
<http://bugs.python.org/issue4>
Donald Stufft added the comment:
> I think we should have additional fallback domains setup
> that go to frontend.python.org and then also get mapped to
> the right backend server in order to be able to easily
> work around this.
I'm not sure it's worth it tbh. It's
Donald Stufft added the comment:
I've heard back from Fastly!
Specific to this particular incident, they've identified a few places where
their own internal procedures fell short and they've rectified them.
Specifically:
1. Their ticketing software saw the notifications f
Donald Stufft added the comment:
I just heard back from Fastly again. They are going to donate a dedicated IP
address setup on top of the rest of the stuff they are already donating to us.
It's not setup yet and the exact details are not sorted out yet. This should
more or less eliminate
Donald Stufft added the comment:
This looks good to me. +1
--
Python tracker
<http://bugs.python.org/issue21307>
Donald Stufft added the comment:
If you want to be completely unambiguous, python -m pip works as well.
--
nosy: +dstufft
Donald Stufft added the comment:
Yea can you give more information? How are you reproducing this? What version
of Python? I can't reproduce it locally.
--
Donald Stufft added the comment:
Ok, I'll pull down Python 3.5 in a bit and see what is what.
--
Python tracker
<http://bugs.python.org/issue22311>
Donald Stufft added the comment:
Just to close the gap on this, most of the PSF web properties that go through
Fastly have been switched over to a set of IP addresses that are dedicated to
the PSF. So if someone does an IP ban they are blocking us.
I just made the switch in DNS so it'll
Donald Stufft added the comment:
There's a support link on the left hand side of the PyPI page, that'll take you
to the support forum where you can issue a support request and it'll get dealt
with. Alternatively you can email distutils-...@python.org, or Richard and
Myse
Donald Stufft added the comment:
Sorry, Richard or myself (...) will take a look and fix it.
--
Python tracker
<http://bugs.python.org/issue22483>
Donald Stufft added the comment:
This will be my last post on this issue.
I've given you the mechanisms for reporting problems with PyPI. PyPI is not run
by python-dev nor is the python-dev bug tracker a mouth piece for your
frustration with some part of the ecosystem around Python.
I
Donald Stufft added the comment:
Since I've been asked, just to clarify, my last post was a continuation of a
sentence I mistakenly forgot to write out the whole thing.
It should read:
"If you actually care about fixing the issue report it through one of the
venues that I'v
Donald Stufft added the comment:
Making this happen is a non trivial change to pip. Is this *required* for
PEP453?
The problem is the pip dependency is already being seen as fulfilled so it's
not reinstalling pip again with the new options picked. Likely the actual
answer is a command i
Donald Stufft added the comment:
Is there anything left in this ticket to be done?
--
Python tracker
<http://bugs.python.org/issue19728>
Donald Stufft added the comment:
Vinay, I've verified that the current default branch of distlib works without
threading when vendored in pip and these tests pass.
--
Donald Stufft added the comment:
Can this be solved in ensurepip for now? I've been banging away at this but
it's going to require some refactoring in pip to make it reasonably work. The
move to distlib and requests made this harder to do than the old PR against pip
co
Donald Stufft added the comment:
It's basically ready for a release. We had a last minute bug with distlib that
was fixed by distlib 0.6 released on 12-31. I was giving the rc that had that
bug fix a day or two for any other issues to surface before making the final
re
Donald Stufft added the comment:
I'll have it released today, there are no known issues with the last rc of pip.
I just didn't want to release the fix to the distlib issue without a day or two
of an RC (which we've now had) and the folks who reported the issue verifying
it
Donald Stufft added the comment:
It's not released yet, I'll have it (future tense) release today. It's roughly
6am here and I'm getting ready to get my daughter ready for school. I just
happened to check my email before starting that. Once I get her on the bus
Donald Stufft added the comment:
pip 1.5 is released and CPython has been updated.
--
assignee: -> dstufft
resolution: -> fixed
status: open -> closed
Donald Stufft added the comment:
+1
--
nosy: +dstufft
Python tracker
<http://bugs.python.org/issue20207>
New submission from Donald Stufft:
Pip 1.5.1 and setuptools 2.1 are out which both fix some bugs that are likely
to affect some people. They both should be fairly innocuous as far as issues go
so there shouldn't be any harm in upgrading in 3.4.
--
assignee: dstufft
messages: 2
Changes by Donald Stufft :
--
resolution: -> fixed
status: open -> closed
Python tracker
<http://bugs.python.org/issue20322>
Donald Stufft added the comment:
I don't see any reason not to install ensurepip in this situation. That flag
controls whether or not ``python -m ensurepip`` will be executed during the
install, but ensurepip itself will still be installed. It is not an optional
m
Donald Stufft added the comment:
Yes I am aware of that. However ensurepip is also required to maintain
functionality of the "venv" module in 3.4. See the guidelines in
http://www.python.org/dev/peps/pep-0453/#recommendations-for-downstream-distributors
which explicitly mentions the
Donald Stufft added the comment:
I'm not sure I grasp what the problem is
--
Python tracker
<http://bugs.python.org/issue20053>
Donald Stufft added the comment:
The proper fix is an isolated mode, but we could special case devnull in pip
for 1.5.3 and make a proper isolated solution in 1.6.
--
Donald Stufft added the comment:
I'd remove it in 1.6 with a proper isolated mode. I'm purely thinking of
minimal changes to make it easier to get it into 3.4.
--
Donald Stufft added the comment:
Just to be clear, it's 1.5.3 not 0.15.3.
--
Python tracker
<http://bugs.python.org/issue20570>
Donald Stufft added the comment:
Yea, I'll get it done. Was planning on doing it this weekend but I had a
medical issue. I'll see about getting all the things get done asap.
--
Donald Stufft added the comment:
I put out the email that I'll be rolling 1.5.3 tues/weds of next week (so 18th
or 19th). Hopefully that's a reasonable time schedule.
--
Donald Stufft added the comment:
Just a FYI I'm going to be cutting this release sometime in the next 6-12 hours
and I'll commit it to the CPython repository and make the cherry-pick request.
--
New submission from Donald Stufft:
Please pull in the upgrade from pip 1.5.2 to 1.5.3 into CPython 3.4.0, the
revision is d57df3f72715
--
assignee: larry
messages: 211787
nosy: dstufft, larry, ncoghlan
priority: release blocker
severity: normal
status: open
title: 3.4 cherry-pick