Re: packages that use dh_python{2,3} but don't depend on dh-python

2018-04-01 Thread Thomas Goirand
On 03/26/2018 01:32 PM, Piotr Ożarowski wrote:
> Hi,
> 
> Here's a list of packages that will FTBFS soon if dh-python will not be
> added to Build-Depends (it's time to drop dh-python from python3's
> Depends and old version of dh_python2 from python package).
> 
> http://people.debian.org/~piotr/dh_python3_without_dh-python.list
> http://people.debian.org/~piotr/dh_python3_without_dh-python.ddlist
> http://people.debian.org/~piotr/dh_python2_without_dh-python.list
> http://people.debian.org/~piotr/dh_python2_without_dh-python.ddlist
> 
> The plan is to report bugs first and follow up with changes in -defaults
> packages in April or May.

I will take care of all the OpenStack packages. Some haven't been touched
in a while. If you can generate a new list after I'm done, that'd be
very helpful (it's easy to miss one of the 49 needed uploads).

Thanks for the list, and good that you're planning on doing this,
Cheers,

Thomas Goirand (zigo)



Re: the new PyPI, coming next month

2018-04-01 Thread Donald Stufft


> On Apr 1, 2018, at 2:27 AM, Dominik George wrote:
> 
> Hi,
> 
>> To be clear, PGP signatures can still be uploaded and they are still
>> available for download, they just don’t appear in the UI anymore.
> 
> So, what does the pypi.debian.net redirector use for uscan?  I imagine it
> used to scrape the website.  Can it be changed to use the JSON API?

The original PoC I wrote used the JSON API, but I don’t think what’s being 
deployed is descendant from my PoC so I have no idea what it uses, but if it’s 
not using the JSON API then yes it can be.

> 
>> Longer term I’d *like* to get rid of PGP signatures, because I think
>> their value here is actually pretty low.
> 
> I partially share this opinion, but that's a question to be discussed with
> the Debian policy people in general.  While checking a GPG signature on the
> source tarball in general is a good idea, I am afraid some developers just
> drop any key they find on first glance into the package and are done with
> it, which actually provides nothing but a false sense of safety.
> 
>> In that case they’d be replaced with TUF, but that’s a longer term
>> project.
> 
> That one?: https://github.com/theupdateframework/tuf 
> 


Yes.


> 
> Well, I can only say *please* do not remove the possibility to upload signed
> source tarballs, but leave that to the developers!
> 
> -nik
> 
> --
> PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296
> 
> Dominik George · Hundeshagenstr. 26 · 53225 Bonn
> Phone: +49 228 92934581 · https://www.dominik-george.de/
> 
> Teckids e.V. · FrOSCon e.V. · Debian Developer
> 
> LPIC-3 Linux Enterprise Professional (Security)





Re: the new PyPI, coming next month

2018-04-01 Thread Sumana Harihareswara
On 03/31/2018 10:15 PM, Sumana Harihareswara wrote:
> Debian-Python experts,
> 
> I'm writing to you in hopes you will forward this to the right places,
> and file relevant bugs against uscan/watch, which I don't quite
> understand enough to do myself. And if you want to follow up on
> https://github.com/pypa/warehouse/issues/358#issuecomment-337233792 and
> file a new issue asking for us to support your redirector more cleanly,
> I'd welcome that.
> 
> I'm the project manager for the new Python Package Index (Warehouse),
> which is currently in beta at http://pypi.org/ 

[snip]

Because the above was basically a copy of a mail I attempted to have
posted to this list a few weeks ago, I neglected to add a link to our
beta announcement

https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html

which has an updated list of migration steps, and our IRC/Twitter
livechat hours. Apologies. The upcoming livechats:

* Tuesday, April 3rd, 8am-9am PDT, 11am-noon EDT, 17:00-18:00 CEST,
8:30pm-9:30pm India, 15:00-16:00 UTC
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+livechat&iso=20180403T10&p1=24&ah=1

* Thursday, April 5th, 5pm-6pm PDT, 8pm-9pm EDT, (April 5th) 8am-9am
Manila, (April 5th) 10am-11am Melbourne, (April 5th) 0:00-1:00 UTC
https://www.timeanddate.com/worldclock/fixedtime.html?p1=24&iso=20180405T19&msg=Warehouse/PyPI%20beta%20livechat&ah=1&low=4

And please forward
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html
widely; we'd like to get PyPI users to test Warehouse as much as
possible during the next couple weeks.

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc