Hi Jens, can you also add me to the test pypi project: https://test.pypi.org/project/thrift/? My username is https://test.pypi.org/user/fishy/

With how pypi works, I will need to test it on test pypi first before doing it for the real pypi.

On Fri, Jan 19, 2024 at 2:21 PM Jens Geyer <jensge...@hotmail.com> wrote:

> Hi,
>
> > The image is:
>
> I see. Not sure if I can do this, since I have no access to project
> settings. Maybe INFRA can.
>
> Have fun,
>
> JensG
>
>
> Am 18.01.2024 um 23:58 schrieb Yuxuan Wang:
> > My pypi account is fishy: https://pypi.org/user/fishy/
> >
> > The image is: https://imgur.com/a/vkehdiF
> >
> > On Thu, Jan 18, 2024 at 2:49 PM Jens Geyer <jensge...@hotmail.com> wrote:
> >
> >> Hi,
> >>
> >> I can't see the picture and I don't have your pypi username. I tried the
> >> email but that did not work.
> >>
> >> Have fun,
> >>
> >> jensG
> >>
> >> Am 17.01.2024 um 02:11 schrieb Yuxuan Wang:
> >>> I just logged into my pypi account (I was there to register an
> >>> account, and it turns out I already have one, which I have no memory
> >>> of, and I do not have any projects published there), it seems that
> >>> they actually have an automated way to create the github actions for
> >>> you automatically: https://docs.pypi.org/trusted-publishers/
> >>> But I would assume that might require that I have admin access to the
> >>> github repo (not sure yet, as I don't have any other project to test),
> >>> so if you are fine with that (e.g. add me to the PyPi maintainer list,
> >>> I try to use that approach, if it doesn't work, give me admin access
> >>> to the github repo), I'm fine :)
> >>>
> >>> Also, there's a recent pytorch supply chain attack report
> >>> <https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
> >>> which will be relevant to us if we choose to use github actions to
> >>> auto publish to pypi, then we probably should follow their suggested
> >>> mitigation
> >>> <https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>,
> >>> which is to change to "Require approval for all outside collaborators":
> >>> image.png
> >>> (changing this setting on github also requires admin access, the
> >>> screenshot is taken from a repo I have admin access on)
> >>>
> >>> On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer <jensge...@hotmail.com> wrote:
> >>>
> >>> I can probably add you to the PyPi maintainer list. Would that help?
> >>>
> >>>
> >>> Am 12.01.2024 um 23:19 schrieb Yuxuan Wang:
> >>> > IMHO there are two issues with the pypi publishing problem: technical and
> >>> > non-technical.
> >>> >
> >>> > The non-technical issue is the credential/secret required to publish to
> >>> > https://pypi.org/project/thrift/. Any of the technical solutions also
> >>> > depend on that being available.
> >>> >
> >>> > Once we have it (in github actions secret store, for example), then
> >>> > technical solution is not the hard part. As I mentioned in the jira thread
> >>> > Reddit already has a github action pipeline to publish to pypi on git tag
> >>> > we can upstream to thrift project to be used (so whenever a maintainer
> >>> > pushes a tag to github, github actions auto publishes to pypi). Or others
> >>> > can contribute other solutions.
> >>> >
> >>> > On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer <je...@apache.org> wrote:
> >>> >
> >>> >> @all,
> >>> >>
> >>> >> I just want to bring up that topic again. There is a rather frequent
> >>> >> stream of (absolutely legitimate) questions regarding the PyPi packages
> >>> >> not being published.
> >>> >>
> >>> >> So it seems fair to say that there is obviously a certain demand within
> >>> >> the community, which is super great. Now on the other hand we have no
> >>> >> noteworthy reactions from that very same community to help with that topic.
> >>> >>
> >>> >> Let me put it bluntly. This is not your mother's supermarket where stock
> >>> >> refills almost like automagically overnight. This is open source. It
> >>> >> works as long as there are at least some people spending parts of their
> >>> >> valuable time supporting projects. It is about giving & taking.
> >>> >>
> >>> >> Thrift supports about 20+ target languages. So it is fair to say that
> >>> >> supporting packages for all of them (where appropriate) is quite a bit of
> >>> >> work.
> >>> >>
> >>> >> Of course I can only speak for myself, but I personally maintain quite a
> >>> >> number of packages after each release. Thanks to the great work of other
> >>> >> people (e.g. @JimKing) who spent their time on that topic before me,
> >>> >> this became manageable by setting up and documenting a well-defined
> >>> >> process to follow which also does not eat too much additional release time.
> >>> >>
> >>> >> If we can have such a process for PyPi that would be super awesome.
> >>> >> Right now this is not the case, unfortunately. This is where you could
> >>> >> chime in.
> >>> >>
> >>> >> See also
> >>> >> https://github.com/apache/thrift/pull/2555
> >>> >>
> >>> >> Happy New Year everybody,
> >>> >> JensG
> >>> >>
> >>> >>
> >>> >>
> >>>