Hi,
Did that last week or so.
Have fun,
JensG
Am 06.02.2024 um 23:28 schrieb Yuxuan Wang:
Hi Jens, can you also add me to the test pypi project:
https://test.pypi.org/project/thrift/? My username is
https://test.pypi.org/user/fishy/
With how pypi works, I will need to test it on test pypi first before doing
it for the real pypi.
On Fri, Jan 19, 2024 at 2:21 PM Jens Geyer wrote:
Hi,
> The image is:
I see. Not sure if I can do this, since I have no access to project
settings. Maybe INFRA can.
Have fun,
JensG
Am 18.01.2024 um 23:58 schrieb Yuxuan Wang:
My pypi account is fishy:
https://protect.checkpoint.com/v2/___https://pypi.org/user/fishy/___.YzJ1OnJlZGRpdDpjOmc6MDg0MmRmZjE0YjI0MDBkNWY4YTk5ZDM2MjAzMDExY2E6NjpkZGNjOjM3OWQyYjk2NDgzZjk0MWVhZDdiMmMwMDY1MDA5ZTQzZDM5YWJiNDk4NjVjMWJjZThjY2FiMjE1YzA0ZWM4NmQ6cDpU
The image is:
https://protect.checkpoint.com/v2/___https://imgur.com/a/vkehdiF___.YzJ1OnJlZGRpdDpjOmc6MDg0MmRmZjE0YjI0MDBkNWY4YTk5ZDM2MjAzMDExY2E6NjpkMTcxOjJlNjRkOTc3NTQ1NDAzNTU5YmQ4MmQ4NzliYzU4YWQyOWFiMGRiNzc4ZTE0YTNjNWQ4YzlkOWFmZjRkNjczNWY6cDpU
On Thu, Jan 18, 2024 at 2:49 PM Jens Geyer
wrote:
Hi,
I can't see the picture and I don't have your pypi username. I tried the
email but that did not work.
Have fun,
jensG
Am 17.01.2024 um 02:11 schrieb Yuxuan Wang:
I just logged into my pypi account (I was there to register an
account, and it turns out I already have one, which I have no memory
of, and I do not have any projects published there), it seems that
they actually have an automated way to create the github actions for
you automatically:
https://protect.checkpoint.com/v2/___https://docs.pypi.org/trusted-publishers/___.YzJ1OnJlZGRpdDpjOmc6OGFlODQ5M2ZiYWZjYTc2OTg1MWFlOWVlN2Y1NGI3YzI6NjoxYjIzOjE1MTU3M2QyZTExNGEzOTE5NjIxYjUzYjgyNDBhNzMxODQzN2U1ZWNmMGQ1MzMzM2EwMTY3NGFlNzk1MDA0YTI6cDpU
But I would assume that might require that I have admin access to the
github repo (not sure yet, as I don't have any other project to test),
so if you are fine with that (e.g. add me to the PyPi maintainer list,
I try to use that approach, if it doesn't work, give me admin access
to the github repo), I'm fine :)
Also, there's a recent pytorch supply chain attach report
<
https://protect.checkpoint.com/v2/___https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/___.YzJ1OnJlZGRpdDpjOmc6OGFlODQ5M2ZiYWZjYTc2OTg1MWFlOWVlN2Y1NGI3YzI6NjphNDlkOjFkYmFiNzllNjc5NzIxNWQwMjFiZWFhY2JkZjYxNGQ3NTM2OTFlMmUzOTJkYWUyMjkxMTNlYTZmMzllYjNkMDU6cDpU
which will be relevant to us if we choose to use github actions to
auto publish to pypi, then we probably should follow their suggested
mitigation
<
https://protect.checkpoint.com/v2/___https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/%23mitigations___.YzJ1OnJlZGRpdDpjOmc6OGFlODQ5M2ZiYWZjYTc2OTg1MWFlOWVlN2Y1NGI3YzI6NjpjNDZkOjhlZjYzM2ZkOGEzNjMyNDk1OTk1OGE2MjBhZWIyNDUzMmU2Mzg4NjYzMDBkODJkNTUxYmViY2JkY2E2MDE1NjU6cDpU
,
which is to change to "Require approval for all outside collaborators":
image.png
(changing this setting on github also requires admin access, the
screenshot is taken from a repo I have admin access on)
On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer
wrote:
I can probably add you to the PyPi maintainer list. Would that
help?
Am 12.01.2024 um 23:19 schrieb Yuxuan Wang:
> IMHO there are two issues with the pypi publishing problem:
technical and
> non-technical.
>
> The non-technical issue is the credential/secret required to
publish to
>
https://protect.checkpoint.com/v2/___https://pypi.org/project/thrift/___.YzJ1OnJlZGRpdDpjOmc6MThmM2FhOGE3MzlkYjk0ZGEzNzQwM2ZmMDhlNzUwZjg6Njo2MTllOjY0ZTYwOWM0ZmJkYjhjNGU3NjZlYTVjY2YyMmZhNDEwZTZiOGU0ZTUyNjNlZTdmOWEzNTg0YzcxYzhkMGVjMzU6cDpU
.
Any of the technical solution also
> depends on that being available.
>
> Once we have it (in github actions secret store, for example),
then
> technical solution is not the hard part. As I mentioned in the
jira thread
> Reddit already has a github action pipeline to publish to pypi
on git tag
> we can upstream to thrift project to be used (so whenever a
maintainer
> pushes a tag to github, github actions auto publishes to pypi).
Or others
> can contribute other solutions.
>
> On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer
wrote:
>
>> @all,
>>
>> I just want to bring up that topic again. There is a rather
frequent
>> stream of (absolutely legitimate) questions regarding the PyPi
packages
>> not being published.
>>
>> So it seems fair to say that there is obviously a certain
demand within
>> the community, which is super great. Now on the other hand we
have no
>> noteworthy reactions from that very same community to help with
that