Hi,

Did that last week or so.

Have fun,

JensG



On 06.02.2024 at 23:28 Yuxuan Wang wrote:
Hi Jens, can you also add me to the test pypi project:
https://test.pypi.org/project/thrift/? My username is
https://test.pypi.org/user/fishy/

With how pypi works, I will need to test it on test pypi first before doing
it for the real pypi.

On Fri, Jan 19, 2024 at 2:21 PM Jens Geyer <jensge...@hotmail.com> wrote:

Hi,

  > The image is:

I see. Not sure if I can do this, since I have no access to project
settings. Maybe INFRA can.

Have fun,

JensG



On 18.01.2024 at 23:58 Yuxuan Wang wrote:
My pypi account is fishy: https://pypi.org/user/fishy/
The image is: https://imgur.com/a/vkehdiF

On Thu, Jan 18, 2024 at 2:49 PM Jens Geyer <jensge...@hotmail.com> wrote:
Hi,


I can't see the picture and I don't have your pypi username. I tried the
email but that did not work.


Have fun,

jensG


On 17.01.2024 at 02:11 Yuxuan Wang wrote:
I just logged into my pypi account (I was there to register an
account, and it turns out I already have one, which I have no memory
of, and I do not have any projects published there), it seems that
they actually have an automated way to create the github actions for
you automatically:
https://docs.pypi.org/trusted-publishers/
But I would assume that might require that I have admin access to the
github repo (not sure yet, as I don't have any other project to test),
so if you are fine with that (e.g. add me to the PyPi maintainer list,
I try to use that approach, if it doesn't work, give me admin access
to the github repo), I'm fine :)

Also, there's a recent pytorch supply chain attack report
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
which will be relevant to us if we choose to use github actions to
auto publish to pypi, then we probably should follow their suggested
mitigation
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>,
which is to change to "Require approval for all outside collaborators":
[screenshot omitted]
(changing this setting on github also requires admin access, the
screenshot is taken from a repo I have admin access on)

On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer <jensge...@hotmail.com> wrote:
      I can probably add you to the PyPi maintainer list. Would that help?

      On 12.01.2024 at 23:19 Yuxuan Wang wrote:
      > IMHO there are two issues with the pypi publishing problem: technical and
      > non-technical.
      >
      > The non-technical issue is the credential/secret required to publish to
      > https://pypi.org/project/thrift/. Any of the technical solutions also
      > depends on that being available.
      >
      > Once we have it (in github actions secret store, for example), then the
      > technical solution is not the hard part. As I mentioned in the jira thread
      > Reddit already has a github action pipeline to publish to pypi on git tag
      > we can upstream to thrift project to be used (so whenever a maintainer
      > pushes a tag to github, github actions auto publishes to pypi). Or others
      > can contribute other solutions.
      >
      > On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer <je...@apache.org> wrote:
      >
      >> @all,
      >>
      >> I just want to bring up that topic again. There is a rather frequent
      >> stream of (absolutely legitimate) questions regarding the PyPi packages
      >> not being published.
      >>
      >> So it seems fair to say that there is obviously a certain demand within
      >> the community, which is super great. Now on the other hand we have no
      >> noteworthy reactions from that very same community to help with that topic.
      >>
      >> Let me put it bluntly. This is not your mother's supermarket where stock
      >> refills almost like automagically overnight. This is open source. It
      >> works as long as there are at least some people spending parts of their
      >> valuable time supporting projects. It is about giving & taking.
      >>
      >> Thrift supports about 20+ target languages. So it is fair to say that
      >> supporting packages for all of them (where appropriate) is quite a bit of
      >> work.
      >>
      >> Of course I can only speak for myself, but I personally maintain quite a
      >> number of packages after each release. Thanks to the great work of other
      >> people (e.g. @JimKing) who spent their time on that topic before me,
      >> this became manageable by setting up and documenting a well-defined
      >> process to follow which also does not eat too much additional release time.
      >>
      >> If we can have such a process for PyPi that would be super awesome.
      >> Right now this is not the case, unfortunately. This is where you could
      >> chime in.
      >>
      >> See also
      >> https://github.com/apache/thrift/pull/2555
      >>
      >> Happy New Year everybody,
      >> JensG
