End Of List
This list is now decommissioned.*

Please instead use https://discuss.python.org/c/packaging or https://mail.python.org/mailman3/lists/distutils-sig.python.org/ to discuss Python packaging, installation, and distribution tools.

Thanks to all the developers and users who used this list to improve Python tooling!

-Sumana Harihareswara
a list owner

* For the background for this decision, please see https://groups.google.com/d/msg/pypa-dev/twf9HCGfv3k/t2HJwzF-AgAJ "archive this group & redirect conversation elsewhere?" from April and May 2020.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

--
You received this message because you are subscribed to the Google Groups "pypa-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to pypa-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/pypa-dev/e92cb750-2611-24d4-1b79-6249b05538d6%40changeset.nyc.
Re: Guidance on where to take my companies' internal tools for packaging.
Yusuke, I know it's been some time since you posted this; it looks like it was a complicated question and volunteers said "oh I need to think about that and get to it later" and then no one did.

We're about to close down this mailing list to reduce the number of places where discussion fragments; if you're still dealing with difficulties using/building Python packages at Zillow, I encourage you to forward your note to https://discuss.python.org/c/packaging or https://mail.python.org/mailman3/lists/distutils-sig.python.org/ to discuss further.

Sorry again!
-Sumana

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

On 2/16/19 5:45 PM, Yusuke Tsutsumi wrote:

Hi pypa-dev,

This is a rather involved post, so I appreciate the time.

I've been shepherding a lot of the way we do Python at a company called Zillow. We use Python quite a bit, and have a huge need to re-use tools and keep them stable among the 200+ Python repositories we have.

Internally, we heavily use a project I wrote called uranium (https://uranium.readthedocs.io/) that is effectively a python-based version of Make that uses Pip and Virtualenv under the hood.

I have two main open questions:

1. Does pypa have a plan for additional, arbitrary build steps for applications?

The reason uranium is so freeform is to handle aspects of building an application that are outside the scope of downloading and installing python packages:

* simplifying the configuration and startup of local dev builds of web servers
* packaging the final application as a tarball, in a proprietary format
* bootstrapping test configuration (e.g. linting rules)
* pulling in the above using a common dependency
* picking and choosing what to install from source vs from a wheel (we sometimes need to link python packages to compiled c shared objects, but we use wheels when we can)

I know that pyproject.toml was designed to allow custom configuration values for various systems (e.g. black rules). Is there a story for how this type of stuff would be done?

Now that I'm typing this... I think I would probably write a python package that encapsulates a lot of the configuration we have today, and then expose ways to manipulate that through the pyproject.toml. What I would end up with is a mega-plugin that facilitates everything that was described above.

2. Support for "platform versioning"

This next one may be a little weird.. so bear with me :)

Internally, we have found a lot of value in maintaining a blessed version set for packages that do not have a local override. For example, this has allowed us to pin back backwards-incompatible dependencies that were not expressed properly from the package maintainer via semver.

In other words, we have a centralized system that keeps track of blessed versions, kind of like a giant requirements.txt:

    requests == 2.21.0
    aiohttp == 3.5.4

Locally, if you do not specify a specific version, then the blessed version will be inserted in its place. So locally if you had something like:

    requests == 2.7.0

And you wanted aiohttp, requests, the final result would be:

    requests == 2.7.0
    aiohttp == 3.5.4

regardless of what the latest version in the package repository actually is.

The pros and cons of a system like this are probably worth a debate on its own :) But aside from that: are there any plans to support something like this? Currently Uranium extends the pip package resolution process to ensure this works for dependencies as well. constraints.txt is almost perfect but IIRC it can conflict with a requirements.txt or a setup.py specification, rather than omit itself.

Summary: my hope is to migrate over to more common open source tooling, and I think the work done around pyproject.toml and other projects like poetry are a huge step. I'm just trying to get a read on whether there are thoughts around this I should focus effort on, or figure out a solution outside of that.

Thanks!
-Yusuke
Re: Membership in pypa organization
Sorin Ionuț Sbârnea: there's been a new push in the last year to improve many aspects of virtualenv, and you may have better luck if you try again now. Best wishes.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Re: archive this group & redirect conversation elsewhere?
The group has spoken. I'm decommissioning this list now; I'll send a final closeout email and then stop the ability to post.

Thanks.
-Sumana
Re: Announcement: Pipenv Beta Release
Thanks, Dan! Dan is now planning to release tomorrow (Monday). https://github.com/pypa/pipenv/issues/3369#issuecomment-626108212

On Friday, May 1, 2020 at 4:47:53 PM UTC-4, Dan Ryan wrote:
> Greetings all! I am happy to announce that after a long hiatus, there is a pre-release of pipenv available for testing.
>
> You can read the full announcement at https://discuss.python.org/t/announcement-pipenv-beta-release/4051
>
> I look forward to your feedback.
>
> Thanks,
> Dan
>
> --
> Dan Ryan
> Software Engineer | Pipenv Maintainer
> Canonical, Ltd. | Python Packaging Authority
> d@canonical.com | d.@danryan.co
Re: archive this group & redirect conversation elsewhere?
Hey all -- I've heard no opposition, onlist or offlist. As I asked in April: please speak up if I'm wrong, or if there's some other reason to keep this Google group going. And please reply if you agree with the idea - Jason's the only one who's replied so far. Reply by May 12th (2 days from now).

-Sumana
Re: archive this group & redirect conversation elsewhere?
Thanks, Jason.

Nudge to the group; 11 more days to comment.
-Sumana

On 4/14/20 9:20 PM, Jason R. Coombs wrote:

My initial reaction was that I _need_ this list, but after a moment’s consideration, I think you’re right. +1

On 13 Apr, 2020, at 22:18, Sumana Harihareswara wrote:

TL;DR: ok to archive this Google group? Reply by May 12th.

Below: Context and proposal, reasoning, and timeline.

Context & proposal:

People talk about Python packaging problems, work, and plans in many different media: https://discuss.python.org/ , distutils-sig, blogs, Twitter, conference talks, IRC, https://python.zulipchat.com/ , individual GitHub issues on several different repositories, Stack Overflow, and more. So people frequently ask me: where should I go to keep up, or to announce something or ask for feedback? It's hard to guide them, because of this proliferation and fragmentation. And people have commented on that before, both senior folks like Donald[0], and people who are earlier in the learning curve[1].

We can't and shouldn't stop people from talking about Python packaging on social media, at conferences, and so on. But three mailing lists/forums on nearly identical topics strikes me as more than we need.

So I suggest that, one month from now, we stop posting to this list (pypa-dev@googlegroups.com) and essentially archive it.

Reasoning (why close THIS one?):

We now have three mailing list-type places to talk about Python packaging tools and progress. All of them allow both reading and posting from the web or from an email client, and all of them have web archives with built-in search. Generally, the people who want to talk about one of these topics want to hear about the same topics (things happening in PyPA and about related things in Python that will affect PyPA) no matter what venue they're in.

1. pypa-dev (here). Started in 2013. About 5 posts in the past month, mostly cross-posted to other places as well. Hosted by Google in a closed-source application that doesn't seem to get much love from Google's product folks.

2. The distutils-sig mailing list[2] which has expanded in its scope. It's a place to discuss and resolve problems that cut across different parts of the Python packaging ecosystem, and to announce new releases or in-progress work. You can log in with an account, or with Facebook, GitHub, GitLab, or Google authentication. About 12 threads in the past month. Hosted by Python Software Foundation with an open source application that's under active development.

3. The Packaging category on Python's Discourse forum https://discuss.python.org/c/packaging , which started about a year and a half ago[3]. Very wide scope. You can log in with an account, or with Facebook or GitHub or via email. About 21 posts per month. Hosted by PSF with an open source application that's under active development.

Maybe I'm missing something. Maybe there is a function being served by having a mailing list that is specifically labelled "PyPA" (for instance, we could add "get on the Google Group and that makes you a member of PyPA" to the pypa.io docs[4]). Maybe there are people actively reading/posting here who feel unwelcome on the other two lists/forums, because of atmosphere or user interface. As a person doing a bunch of work on PyPA stuff over the past ~2.5 years, I haven't noticed either of those conditions, so please speak up if I'm wrong, or if there's some other reason to keep this Google group going.

Timeline and methods:

Here's what I suggest, and what I will carry out if there is no objection.

In one month, on May 13th, I would verify that no one has argued here for why this Google group should continue to be open for posting. Or, even if a few people have objected to closing the list, I would check for rough consensus, especially of people who are doing SOMETHING productive having to do with PyPA (teaching, answering questions online or in person, running key infrastructure, writing documentation, making or fixing software, etc.).

I would post a final message to this list, marking its close and suggesting that people use distutils-sig or discuss.python.org instead.

Then, I would stop members from posting to this Google group. That is, I would stop members from creating new posts, but leave past posts up at their current URLs, so links, browsing and search would work.

And then I would look through relevant documentation within PyPA repositories to see what needs updating (READMEs and so on pointing to the old list), and submit pull requests.

I appreciate the work folks here have done to carry forward Python packaging over the past several years. I don't mean to diminish that or to insult anyone here. I want to help us out, and I think closing this list will help focus that energy better. But I am open to hearing that I am wrong.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

[0] https://mail.python.org
Announcement: pip 20.1 release
Thanks for the testing, all. Pip 20.1 is now out and https://pip.pypa.io/en/latest/news/ has the changes since the beta.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Re: Announcement: pip 20.1b1 beta release
We're aiming to release pip 20.1 in the next hour or so. If you found bugs to file regarding the beta https://pypi.org/project/pip/20.1b1/ before we release 20.1, now's a good time to do that.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Announcement: pip 20.1b1 beta release
On behalf of the PyPA, I am pleased to announce that a beta release of pip, pip 20.1b1, has been released.

The highlights for this release are:

* Significant speedups when building local directories, by changing behavior to perform in-place builds, instead of copying to temporary directories.
* Significant speedups in `pip list --outdated`, by parallelizing network access. This is the first instance of parallel code within pip's codebase.
* A new `pip cache` command, which makes it possible to introspect and manage pip's cache directory.
* Better `pip freeze` for packages installed from direct URLs, enabled by the implementation of PEP 610.

We would be grateful for all the testing that users could do to ensure that, when pip 20.1 is released, it's as solid as we can make it.

You can upgrade to this beta with `python -m pip install -U --pre pip`.

This release also contains an alpha version of pip's next generation resolver. It is **off by default** because it is **unstable and not ready for everyday use**. If you're curious about this, please visit [this GitHub issue about the resolver, what doesn't work yet, and what kind of testing would help us out](https://github.com/pypa/pip/issues/8099).

As with all pip releases, a significant amount of the work was contributed by pip's user community. Huge thanks to all who have contributed, whether through code, documentation, issue reports and/or discussion. Your help keeps pip improving, and is hugely appreciated.

Specific thanks go to [Mozilla (through its Mozilla Open Source Support Awards)](https://www.mozilla.org/en-US/moss/) and to [the Chan Zuckerberg Initiative](https://chanzuckerberg.com/eoss/) DAF, an advised fund of Silicon Valley Community Foundation, for their support that enabled the work on the new resolver.

--
Sumana Harihareswara
pip project manager under contract with Python Software Foundation
Changeset Consulting
https://changeset.nyc
Feature Proposal for PyPI: Draft Releases (comment by 30 April)
Right now, there are ways for package maintainers to test and share draft versions of their upcoming releases, but they cause friction and confusion. So we want to add staged releases -- a temporary state that a release can be in, where PyPI _has_ it and can evaluate it, but hasn't _published_ it yet.

In 2015, Nathaniel Smith opened an issue https://github.com/pypa/warehouse/issues/726 saying:

it would be very nice if there were better ergonomics around package uploads -- in particular some way to upload a new release, and then take a look over it to double-check that everything is correct before you -- as a second step -- hit the button to make it "go live".

We have also variously called this idea "unpublished releases", "two-phase upload", "draft releases", and "package preview". This feature will unblock a LOT of stuff we want to do -- see https://wiki.python.org/psf/Fundable%20Packaging%20Improvements#Package_preview_feature_for_PyPI for a list.

Alan Velasco is now working on implementing this in Warehouse. Please comment on the GitHub issue or in the Discourse thread at https://discuss.python.org/t/feature-proposal-for-pypi-draft-releases/3903/ where he shares his proposal at length. He notes:

I’ll need your feedback by April 30th 2020 at which point I’ll proceed with the basis of what I know.

(Thread was: Re: [Distutils] PyPi not allowing duplicate filenames https://mail.python.org/archives/list/distutils-...@python.org/message/S37OQLGOICR5WBIOTEBHP5ISWCMFAVNT/ )

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Re: Process for adding new trove classifiers
There's a new process: file an issue at https://github.com/pypa/trove-classifiers .

On Wednesday, April 5, 2017 at 1:35:49 PM UTC-4, Tim Graham wrote:
> I pinged Donald (dstufft) on IRC and he said, "the process is basically me finding time to do it, that doesn't have a streamlined way to handle it yet so it's a bit annoying and I've just not had much time to poke at it."
>
> On Monday, March 6, 2017 at 9:44:53 PM UTC-5, Tim Graham wrote:
>> Hi,
>>
>> There are a number of trove classifier requests on GitHub issues [0] but it's unclear how to move them forward. Is it just a matter of finding the person with the proper permissions to do the updates? The delay is bothersome for Django when apps want to declare compatibility with the latest Django release but can't be uploaded to PyPI because the new version classifier doesn't exist.
>>
>> If there's something to do to help streamline the process, I might be able to help.
>>
>> Thanks!
>>
>> [0] https://github.com/pypa/warehouse/issues?q=is%3Aissue+label%3A%22classifier+request%22+is%3Aopen
Online talk in 90 min: how pip works internally
Pradyun Gedam is giving a talk to a local meetup group in 90 minutes on how pip works. You can watch via GoToMeeting.

https://www.meetup.com/HydPyGroup/events/269498071/

pip is the package manager for the Python ecosystem, but what actually happens when you "pip install foo"? This talk explores what pip does to install your packages.

When: April 7th, 9:00 p.m - 10:00 p.m. India time

It'll likely be recorded and be available on YouTube afterward.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Re: Next Pipenv Release
Thanks Dan! Some further comments inline.

On 3/25/20 4:32 PM, Dan Ryan wrote:

4. Documentation! Pipenv documentation, now at https://pipenv.pypa.io/, needs some serious rework. So if you have any skills in this area, the project would really benefit from a critical review here.

A few specific documentation bugs that people could help with:

* https://github.com/pypa/pipenv/issues/2660 a list of a few sections that could use better explanations
* https://github.com/pypa/pipenv/issues/1952 asking for a note about a particular quirk
* https://github.com/pypa/pipenv/issues/1862 on conda

And, because error logs and autogenerated lockfiles include documentation, some "give people info so they can troubleshoot better" issues they could use help with:

* https://github.com/pypa/pipenv/issues/2707 How do you see the delta between two Pipfile.lock files?
* https://github.com/pypa/pipenv/issues/2365 Explicitly inform user we can’t allow certain packages to be pinned
* https://github.com/pypa/pipenv/issues/2092 Actively warn users about misconfigured locale
* https://github.com/pypa/pipenv/issues/1886 Capture more auditing metadata in the lock file
* https://github.com/pypa/pipenv/issues/2818 Add a comment to the top of generated requirements.txt files

5. Make sure to say 'thanks' to Sumana if you see her on IRC, she is responsible for moving this release forward and is pretty great!

As you probably guessed, I did not write this line. :-)

Thanks, Dan.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
pip resolver work chugging along
The alpha or beta release of pip with its new dependency resolver should be out in May.

I just posted https://pyfound.blogspot.com/2020/03/new-pip-resolver-to-roll-out-this-year.html which discusses what is going to change in the pip resolver, when, and how you can help (including some low-effort things you can do right now).

I didn't mention this in the blog post because ordinary Python users shouldn't try it, but: As of right now, people who install pip from GitHub master will have the ability to run `pip install --unstable-feature=resolver` and test the new resolver code. And less than half of the test suite fails! Expect errors and missing features, but it’s there! [Celebratory trumpet honk here.]

Hope all of you, and all the people you are close to, are healthy and staying that way.

--
Sumana Harihareswara
pip project manager (contracting with Python Software Foundation)
Changeset Consulting
https://changeset.nyc
Today: livestreamed talk about PyPI malware detection
Today at 1pm PT/4pm ET: a livestreamed presentation by Cristina Muñoz, who's been working on the PyPI malware detection feature:

https://www.meetup.com/pacifichackers/events/267932809/
"Automatic Detection of Malware in PyPI"

Alternate link: https://phack.my.webex.com/phack.my/j.php?MTID=mdb827dc0a7f6dfe9784f793686e39d58

She noted:

A general note: this is a presentation geared more towards security folks. A lot of the Python stuff I talk about might feel really redundant/obvious for people who are software engineers and have Python familiarity. Like, there are several slides describing what PyPI is, and the difference between packages, releases and files, for example.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Fwd: [Distutils] [setuptools] Install entry point only if extras_require are satisfied?
Forwarding/cross-posting in case any of you can help.

Forwarded Message
Subject: [Distutils] [setuptools] Install entry point only if extras_require are satisfied?
Date: Sat, 29 Feb 2020 08:00:05 +0100
From: Jonatan Palsson
To: distutils-...@python.org

Hi,

I'm modifying a python project which uses setuptools for installation. The project installs an entry point as such:

    setup_args["entry_points"] = {
        "console_scripts": ["w1thermsensor = w1thermsensor.cli:cli [CLI]"]
    }

where [CLI] is a reference to an extra_requires entry. This entry looks like this:

    extras_require=dict(CLI="click>=7.0")

With these two lines, the current behavior is that the w1thermsensor entry point is *always* installed when "setup.py install" is invoked, but the entry point will cause an error if its dependencies are not available. I would like to change the behavior, so that the entry point is *not installed* if the extra dependencies are not available (and perhaps also show a warning, indicating that this entry point has not been installed). How can I do this?

Cheers,
Jonatan

--
Distutils-SIG mailing list -- distutils-...@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-...@python.org/message/UGKNY6C2Y4J5VEA4S2MG77I24QNCN4VL/
PEP 458: Secure PyPI downloads with package signing
On Discourse https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/ , folks have been discussing a PEP to better secure package downloads from PyPI https://www.python.org/dev/peps/pep-0458/ . BDFL-Delegate Donald Stufft is due to approve it in two days:

Unless someone has an objection, I intend to accept this PEP on Friday.

Discussion should be directed to the Discourse thread at discuss.python.org .

(I requested comment on PEP 458 back in September, in the email to this list with the subject line "PyPI & cryptographic signing and malware detection - seeking comment".)

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Re: [GitHub] Third-party application approval request for Python Packaging Authority
Thanks Pradyun. Odd that if setuptools is part of Tidelift, that they didn't have to install the app PyPA-wide, then... Never mind, at this point it's just my own curiosity (and I certainly don't have any objections to projects signing up with Tidelift!) > Paul I believe Jason R. Coombs set that up. Jason, I wonder whether you'd like to talk about setuptools's setup with Tidelift and how it is organized? And whether you think more PyPA projects should sign up? -Sumana
Re: localization, accessibility, & security progress on PyPI
API tokens and all our 2FA methods are out of beta on PyPI and Test PyPI! If you maintain or own a project on the Python Package Index, you should start using these features. Details, future policy changes, and help needed: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/49 -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Re: Apply by Nov 22 for paid contract on pip
Thanks to everyone who applied! Due to the large number of applicants, we will not be able to provide a final decision by November 27th, but will work to provide at least a preliminary status to everyone by November 27th, and final decisions to all applicants by December 4th. (I've updated the RfP timeline: https://github.com/python/request-for/blob/master/2020-pip/RFP.md#timeline ) I'm sorry for the delay. -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Fwd: Apply by Nov 22 for paid contract on pip
I had to fish this out of the Google Group's spam box and believe it wasn't sent; forwarding/re-sending below.

On Tuesday, November 12, 2019 at 10:28:29 AM UTC-5, Sumana Harihareswara wrote:
>
> Freelancers and other programming consultants: Get paid to improve pip.
> Specifically, to help finish the dependency resolver overhaul.
>
> https://pyfound.blogspot.com/2019/11/seeking-developers-for-paid-contract.html
>
> Role 1: We seek a senior Python developer, work starting in mid-December
> 2019 or early January 2020, work ending at the end of May 2020. Pay:
> USD$116,375 total (665 hours of work at $175 per hour). Detailed task
> list and timeline:
>
> https://github.com/python/request-for/blob/master/2020-pip/RFP.md#role-1-senior-developer
>
> Role 2: We seek an intermediate-to-senior Python developer, work
> starting in early January 2020, till the end of December 2020. Pay:
> USD$103,700 (670 hours of work at $150 per hour), plus $1600 budgeted
> for onboarding travel and $1600 budgeted for PyCon travel. Details:
>
> https://github.com/python/request-for/blob/master/2020-pip/RFP.md#role-2-intermediate-developer
>
> Full request for proposals:
> https://github.com/python/request-for/blob/master/2020-pip/RFP.md
>
> Please apply by November 22nd, or please spread the word.
>
> Here's the giant list of reasons why this project is important:
>
> https://wiki.python.org/psf/Fundable%20Packaging%20Improvements#Finish_dependency_resolver_for_pip
>
> --
> Sumana Harihareswara
> contract project manager for PSF
> Changeset Consulting
> https://changeset.nyc
Re: Apply by Nov 22 for paid contract on pip
Dustin Ingram wrote a Twitter thread about why this is big news, giving context and shout-outs: https://twitter.com/di_codes/status/1193980331004743680
Apply by Nov 22 for paid contract on pip
Freelancers and other programming consultants: Get paid to improve pip. Specifically, to help finish the dependency resolver overhaul.

https://pyfound.blogspot.com/2019/11/seeking-developers-for-paid-contract.html

Role 1: We seek a senior Python developer, work starting in mid-December 2019 or early January 2020, work ending at the end of May 2020. Pay: USD$116,375 total (665 hours of work at $175 per hour). Detailed task list and timeline: https://github.com/python/request-for/blob/master/2020-pip/RFP.md#role-1-senior-developer

Role 2: We seek an intermediate-to-senior Python developer, work starting in early January 2020, till the end of December 2020. Pay: USD$103,700 (670 hours of work at $150 per hour), plus $1600 budgeted for onboarding travel and $1600 budgeted for PyCon travel. Details: https://github.com/python/request-for/blob/master/2020-pip/RFP.md#role-2-intermediate-developer

Full request for proposals: https://github.com/python/request-for/blob/master/2020-pip/RFP.md

Please apply by November 22nd, or please spread the word.

Here's the giant list of reasons why this project is important: https://wiki.python.org/psf/Fundable%20Packaging%20Improvements#Finish_dependency_resolver_for_pip

--
Sumana Harihareswara
contract project manager for PSF
Changeset Consulting
https://changeset.nyc
localization, accessibility, & security progress on PyPI
I've just posted a final progress report on Discourse about the last month of Open Tech Fund-supported progress on PyPI's localization and accessibility features. Including a screenshot and a bar graph! https://discuss.python.org/t/pypi-localization-accessibility-progress/2284/4 We've finished our OTF-funded accessibility & internationalization work. And sometime this month people will be able to use PyPI in Brazilian Portuguese and Japanese! -- Sumana Harihareswara PyPI project manager Changeset Consulting https://changeset.nyc
localization, accessibility, & security progress on PyPI
I've just posted a few progress reports on Discourse about the last month of Open Tech Fund-supported progress on PyPI's localization, accessibility, & security features. https://discuss.python.org/t/pypi-localization-accessibility-progress/2284 https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/47 We've shifted our focus from security work to accessibility & internationalization work. We're aiming to wrap it up by September 30th. -- Sumana Harihareswara PyPI project manager Changeset Consulting https://changeset.nyc
Re: PyPI & cryptographic signing and malware detection - seeking comment
Sorry, forgot to add: Please comment by September 18th. That's when the RFI ends. Then, the Request for Proposals period will be September 23-October 16. Then we aim to start work in December. (Timeline details are in RFI.) On 9/3/19 10:40 AM, Sumana Harihareswara wrote: https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md
PyPI & cryptographic signing and malware detection - seeking comment
Python Software Foundation has published a Request for Information seeking software developers to add these features to Warehouse (PyPI):

* Verifiable cryptographic signing of artifacts (PEP 458/TUF or similar)
* Technical infrastructure and methods for automated detection of malicious package uploads

More info: https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md

We'd like for potential contractors & other experts to keep discussion at the Discourse forum https://discuss.python.org/c/python-software-foundation/pypi-q4-rfi , especially on these questions:

* What methods should we implement to detect malicious content? https://discuss.python.org/t/what-methods-should-we-implement-to-detect-malicious-content/2240/2

and

* PEPs 458 and 480 offer different levels of security; which (if either) should we implement? Which one has more appropriate operational efficacy? Should we use TUF (The Update Framework) or another approach? https://discuss.python.org/t/which-cryptographic-signing-approach/2241

and more generally:

* What should community acceptance criteria be?
* How feasible is it to implement this on PyPI?
* What features do PyPI administrators need to make use of these features in the future?
* What work would the developer need to do to make these features more maintainable by future Warehouse maintainers?

--
Sumana Harihareswara
PyPI project manager
Changeset Consulting
https://changeset.nyc
Re: PyPI security work: multifactor auth progress & help needed
The last few work summaries are on Discourse: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/27 https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/29 https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/43 Summary of current status: We have deployed beta versions of WebAuthn 2FA support and scoped upload API tokens for PyPI, and further improved 2FA and accessibility, and started the audit log feature. And we need your help to test the new API tokens feature. If you've uploaded packages to PyPI before, and https://blog.python.org/2019/07/pypi-now-supports-uploading-via-api.html makes sense to you, please get in touch with our UX researcher and designer, Nicole Harris, via https://calendly.com/nlhkabu/pypi-testing for a 30-minute structured conversation/user test. -- Sumana Harihareswara Warehouse/PyPI project manager Changeset Consulting https://changeset.nyc
Re: upcoming work to facilitate PyPA communications/roadmaps
On Monday, December 24, 2018 at 3:12:59 PM UTC-5, Sumana Harihareswara wrote: > > It's been eight months since the release of Warehouse[0] and the > sunsetting of legacy PyPI[1]. Following up from our meeting at PyCon in > May[2], Changeset Consulting is back on board for another round of project > management to facilitate next steps! For the next 3-6 months this work will > be spearheaded by myself (Sumana) assisted by Jenny Ryan ( > https://jennyryan.net ). > > The goal over these upcoming months is to create, steward and facilitate > internal and public-facing communications to aid the folks within PyPA. > > What this means is that we'll be focused on the following: > * Facilitating regular meetings of and for maintainers and contributors; > * Stewarding communications with various PyPA stakeholders, including > funders and users; > * Organizing, labelling, prioritizing, and responding to GitHub issues; > * Coordinating public communications, such as announcements, sprints, and > calls for participation; > * Maintaining and improving documentation, meeting notes and development > roadmaps for PyPA projects. > > Feedback from and participation by the Python packaging developer > community is obviously part and parcel of this project, so you may see some > new "here's what I think is up with this issue, is that right?" questions > on old unresolved discussions. And we'll be asking questions on this & > other lists and on GitHub and in IRC to collect ideas, concerns, and other > productive input regarding the tools roadmaps. > > You'll be seeing more details in mid-January to properly kick off this > next chapter of levelling up PyPI and the PyPA -- just wanted to give y'all > a heads-up. > > But of course, if you were already planning on using the next few weeks to > do issue triage and roadmap-writing and PyCon planning, please don't wait > for us -- that'll make this work all the easier. 
> > Thanks, > Sumana Harihareswara > > > [0] > https://blog.python.org/2018/04/new-pypi-launched-legacy-pypi-shutting.html > [1] > https://mail.python.org/archives/list/distutils-...@python.org/thread/YREMU56QKRMTTFBFVFJ2B4EHOEKOJZFJ/ > > [2] > https://mail.python.org/archives/list/distutils-...@python.org/thread/CCOV6PITEWELONZHP4ZHXALBFQA3K3MY/ > > > -- > Sumana Harihareswara > Changeset Consulting > https://changeset.nyc > I wanted to give a very belated update on this work, which I think many of you have seen in glimpses or at sprints. (This is separate from the Open Tech Fund-funded work to improve security, accessibility, and localization for PyPI <https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042> .) I regret that I didn't do a proper public kickoff earlier in the year, and instead -- once I was back from some family travel that took up all of January -- jumped into particular bits of work that needed doing. Due to that delay, this work is extending from the original 3-6 month timeline into more like 9 months from the start (with no increase in the number of hours or the amount PSF is paying Changeset, to be clear). I apologize for that. Changeset has done a bunch of PyPA-related coordination and communication, reaching out to stakeholders, responding to and organizing GitHub issues and discuss.python.org threads (such as following up on the minisummit at PyCon <https://discuss.python.org/t/pycon-us-packaging-mini-summit-2019/833>), helping maintainers and contributors speak up about their progress and needs (examples: Pradyun's recent pip progress report <https://pradyunsg.me/blog/2019/06/23/pip-update/> and the manylinux thread on Discourse <https://discuss.python.org/t/the-next-manylinux-specification/1043>), researching fundable projects and grants/directed gifts that could support future PyPA work <https://wiki.python.org/psf/Fundable%20Packaging%20Improvements>, and writing/improving some docs. 
Quite a bit of the work has been in one-on-one conversation or in person at sprints <https://wiki.python.org/psf/PackagingSprints>, so there's less linkable public work product about that. There's still work to be done, particularly on funding, manylinux, PyPA documentation (in particular how we talk about ourselves to ourselves and to our upstreams, partners, and downstreams), and the development roadmap. I aim to have Changeset make a swath of updates to https://pypa.io and would welcome committer privileges for GitHub user "brainwane" on https://github.com/pypa/pypa.io/ . I think this update also relates to the governance thread on Discourse <https://discuss.python.org/t/closing-the-loop-on-pypa-governance-bdfrn/1776/> so I'll link to this there. Hope that the work so
Re: pypi stats page down
It was down, and then it went back up, and now it seems to be having problems again: https://github.com/pypa/warehouse/issues/5769 I've added a comment on that issue, but I don't think this is very high-priority so it might not get fixed for several days. In the interim, here are some ways you can get some stats about PyPI packages:

https://packaging.python.org/guides/analyzing-pypi-package-downloads/ as Randy mentioned
https://pypistats.org/faqs
https://libraries.io/pypi/
https://pepy.tech/
tiny sprint Saturday, June 8th
A few folks will be getting together on Saturday and doing a short in-person sprint on some Python packaging & distribution tools, around 10am-4pm ET, at a coworking space/lounge in New York City. A few packaging/distribution folks, e.g., a Twine contributor, a pip bug fixer/triager, and a Warehouse maintainer (me), are confirmed as coming. I figure we'll review some open pull requests, triage bugs to find ones we can close as no longer reproducible, and explain stuff to each other. I think we've already run out of space for who can participate in person, but please feel free to hang out and chat with us via IRC! I'll be on Freenode IRC (#pypa-dev) as user "sumanah". And that way logs of our conversations will also be available at http://kafka.dcpython.org/channel/pypa-dev . (If you have never contributed to Python packaging/distribution tools before, and you want to start, this is probably not the best event for you; let me know, and I'll set up a more introductory event in the future.) -- Sumana Harihareswara Warehouse project manager Changeset Consulting https://changeset.nyc
Re: PyPI security work: multifactor auth progress & help needed
Further progress in today's summary: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/17 Short version: Work continues on Milestone 1, Security Feature Development, and specifically on the Multi-Factor Authentication task. TOTP-based 2FA is about to roll out for everyone, and we’re working on WebAuthN (e.g., Yubikeys). -- Sumana Harihareswara Warehouse project manager Changeset Consulting https://changeset.nyc
Sprints have started at PyCon NA 2019
https://wiki.python.org/psf/PackagingSprints Sprints have started and Packaging is in room 26C. We're starting a shared editable document of what people are working on at https://docs.google.com/document/d/1Wz2-ECkicJgAmQDxMFivWmU2ZunKvPZ2UfQ59zDGj7g/edit Shortlink: http://bit.ly/pypa2019 (Thanks Chris Wilcox for setting that up!) -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
PyPI security work: multifactor auth progress & help needed
Work has started on the Open Technology Fund-supported project to improve Warehouse security, accessibility, and internationalization. More details in today's progress report: https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042 best, Sumana Harihareswara Warehouse project manager Changeset Consulting
Fwd: [PSF-Community] Google Summer of Code 2019 needs you!
Packaging and distribution folks: would any of you like to mentor for GSoC? As a reminder, we have at least one current maintainer, Pradyun Gedam, who did an apprenticeship via GSoC -- probably there are more that I don't know about. If you can, consider investing in the future maintainability of your codebase by mentoring this year. :-) (Might be worth checking whether any of your current contributors are eligible to apply for GSoC -- for instance, graduate students are eligible. https://developers.google.com/open-source/gsoc/faq#what_are_the_eligibility_requirements_for_participation ) -- Sumana Harihareswara Changeset Consulting https://changeset.nyc Forwarded Message Subject: [PSF-Community] Google Summer of Code 2019 needs you! Date: Tue, 29 Jan 2019 18:50:12 -0800 From: Terri Oda Reply-To: gsoc-adm...@python.org To: PSF Community Hi Python community folk! As we've done for the past many years, Python is hoping to participate in Google Summer of Code. This is a neat program where students write code over the (northern hemisphere) summer under the tutelage of open source mentors and get paid: we provide the project ideas, mentors and choose the students, Google provides the program framework and the money to pay students. You can read more about GSoC here: https://summerofcode.withgoogle.com/ Python participates as an "umbrella org" where many different smaller projects ("sub orgs") that use Python can take part under our banner. You can also participate separately, but for people who've never done it before and want help or for whom the paperwork is a hassle, you're welcome to join up with us and let us show you the ropes! It's really fun, and we've gotten lots of new contributors to Python-based projects over the years, taking in as many as 70+ students in a single year. Last year we only had 15, though, so we've got lots of space for new mentors and new projects. 
We need a good set of sub-orgs and ideas by Feb 4th for our application, and if we're accepted by Google we'll be able to add a few more ideas and groups until March 5th or so. Sound intriguing? You can read all about what we're doing at http://python-gsoc.org/ (which has answers to questions like "what does it take to be a mentor?" and "what does it take to be a sub-org?") You can also send questions to gsoc-adm...@python.org (or just hit reply to this email!) Terri ___ PSF-Community mailing list psf-commun...@python.org https://mail.python.org/mailman/listinfo/psf-community
Re: Trying to outline the steps taken to go from "I want this package" to it being installed
Brett, did you end up making progress on this? If not, would you be open to someone else picking it up? Thanks!

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

On 3/5/18 1:01 PM, Brett Cannon wrote:
> Thanks for the extra details, Nick! I have some documentation to read on
> some projects now that I have a complete list, but once that's done I'll
> come back here with my idea. ;)
>
> On Fri, 2 Mar 2018 at 21:50 Nick Coghlan wrote:
>
>> On 3 March 2018 at 06:55, Brett Cannon wrote:
>>
>>> I have a project idea, but before I start it I need to make sure that I
>>> have the high-order steps necessary to go from `pip install pip=9.0.1` to
>>> it actually ending up on disk. Now I'm only concerned with
>>> modern/bleeding-edge, spec-based stuff, so PEP 517/518 and no setup.py, etc.
>>>
>>> Anyway, if people can point out any steps the below outline is missing I
>>> would appreciate it. Thanks!
>>>
>>>    1. Specify package requirement
>>>       1. Translate name to PyPI-compatible name
>>>       2. Tease out requirement details (e.g. version, markers, etc.)
>>>    2. Check if package is already installed
>>>
>> Depending on the installer design, a local download/build cache may be
>> checked before checking PyPI (and since you include a caching step later,
>> you'll presumably want to cover the caching step as well).
>>
>>>    1. Check PyPI for package
>>>    2. Choose appropriate file
>>>       1. Get list of files
>>>       2. Calculate best-fitting wheel
>>>       3. Fallback to .tar.gz sdist
>>>    3. Download file
>>>    4. If sdist:
>>>       1. Extract
>>>       2. Read pyproject.toml
>>>       3. Create venv
>>>       4. Install build dependencies
>>>
>> After installing the static build dependencies, you also need to query for
>> any dynamic build dependencies and install them if they're requested:
>> https://www.python.org/dev/peps/pep-0517/#get-requires-for-build-wheel
>>
>> This build dependency installation step can get arbitrarily complicated if
>> you allow build dependencies to be installed from source, so the initial
>> implementation in pip requires that build dependencies already be available
>> as wheel files (either on the index server or in the local artifact cache).
>>
>> Cheers,
>> Nick.
>>
>> --
>> Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
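The first half of the outline quoted in the message above (name normalization, requirement details, and "Choose appropriate file"), as an added Python example that is neither pip's code nor code from the thread. The file list, the `SUPPORTED_TAGS` order and all function names are constructed for illustration; only bare names, `==` pins and dotted-integer versions are handled.

```python
import re

# Constructed sample: file names an index might list for one project.
SAMPLE_FILES = [
    "Example_Pkg-1.2.0.tar.gz",
    "Example_Pkg-1.2.0-py3-none-any.whl",
    "Example_Pkg-1.2.0-cp38-cp38-manylinux1_x86_64.whl",
    "Example_Pkg-1.2.0-cp38-cp38-win_amd64.whl",
    "Example_Pkg-1.3.0.tar.gz",
]

# Assumed tag preference of the installing interpreter, best match first.
# A real installer derives this list from the running Python and platform.
SUPPORTED_TAGS = [
    ("cp38", "cp38", "manylinux1_x86_64"),
    ("cp38", "abi3", "manylinux1_x86_64"),
    ("py3", "none", "any"),
]

_NAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?")
_VERSION = re.compile(r"\d+(\.\d+)*")  # simplification: dotted integers only


def normalize_name(name):
    """Outline step 1.1: PyPI-compatible name (PEP 503 normalization)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(text):
    """Outline step 1.2: split 'name==version; marker' into its parts.

    Only bare names and '==' pins are understood; anything else is rejected
    rather than guessed at.
    """
    spec, _, marker = text.partition(";")
    name, _, version = (part.strip() for part in spec.partition("=="))
    if not _NAME.fullmatch(name) or (version and not _VERSION.fullmatch(version)):
        raise ValueError(f"unsupported requirement: {text!r}")
    return normalize_name(name), version or None, marker.strip() or None


def version_key(version):
    """Sort key for dotted-integer versions; '1.2' and '1.2.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_filename(filename):
    """Classify an index file as wheel or sdist; None if not understood."""
    if filename.endswith(".whl"):
        parts = filename[:-4].split("-")
        if len(parts) not in (5, 6):  # an optional build tag makes six fields
            return None
        name, version = parts[0], parts[1]
        py, abi, plat = parts[-3:]
        # Compressed tag sets such as 'py2.py3-none-any' expand to a product.
        tags = {(p, a, s) for p in py.split(".")
                for a in abi.split(".") for s in plat.split(".")}
        kind = "wheel"
    elif filename.endswith(".tar.gz"):
        name, sep, version = filename[:-7].rpartition("-")
        if not sep:
            return None
        tags, kind = set(), "sdist"
    else:
        return None
    if not _VERSION.fullmatch(version):
        return None
    return {"kind": kind, "name": normalize_name(name), "version": version,
            "tags": tags, "filename": filename}


def choose_file(requirement, filenames, supported_tags=SUPPORTED_TAGS):
    """Outline 'Choose appropriate file': best wheel, else the .tar.gz sdist."""
    name, pinned, _marker = parse_requirement(requirement)
    files = [f for f in map(parse_filename, filenames) if f and f["name"] == name]
    if pinned:
        files = [f for f in files if version_key(f["version"]) == version_key(pinned)]
    if not files:
        return None
    newest = max(version_key(f["version"]) for f in files)
    ranked = []
    for f in files:
        if version_key(f["version"]) != newest:
            continue
        if f["kind"] == "sdist":
            ranked.append((len(supported_tags), f["filename"]))  # after any wheel
        else:
            hits = [i for i, tag in enumerate(supported_tags) if tag in f["tags"]]
            if hits:  # wheels with no supported tag cannot be installed here
                ranked.append((min(hits), f["filename"]))
    return min(ranked)[1] if ranked else None


if __name__ == "__main__":
    print(choose_file("Example.Pkg==1.2.0", SAMPLE_FILES))
    print(choose_file("example-pkg", SAMPLE_FILES))
```

An unpinned request lands on the 1.3.0 sdist because the newest version wins before the wheel-over-sdist preference applies, which is the point at which the "If sdist" build steps of the outline begin.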
Re: PyPI JSON API redirect loop for all unpublished packages
Donald and Dustin: have we been running into these kinds of Travis problems in the past few months or does it seem to have settled down? -- Sumana Harihareswara Changeset Consulting https://changeset.nyc On 5/19/18 4:35 PM, Brett Cannon wrote: > On Fri, May 18, 2018, 06:08 Dustin Ingram, wrote: > >> I did reach out to the one contact we had there from when GCP/Fastly >> were having issues that affected Travis/PyPI (Emma) on Monday, but got >> no response. >> > > If Travis doesn't work out then let Steve Dower and me know and we can see > if we can get you extra credits on VSTS (teammate of mine was already > working with Jason at the PyCon sprints to get setuptools up on > PyPA.visualstudio.com). > > -Brett > > >> D. >> >> On Fri, May 18, 2018 at 8:54 AM, Sumana Harihareswara >> wrote: >>> In my opinion, this kind of bottleneck is likely to happen more >> frequently as we increase PyPA development activity, so it'd be worth >> asking Travis to bump up our account's oomph. (I am very tired and on a >> train so please forgive handwavy wording.) Do we have a contact there? >>> >>> -- >>> Sumana Harihareswara >>> Changeset Consulting >>> https://changeset.nyc >>> >>> On 05/16/2018 04:36 PM, Dustin Ingram wrote: >>>> Thanks for the report. I reverted the commit that caused this in >>>> https://github.com/pypa/warehouse/pull/4015, however it might take a >>>> bit for this to get deployed to PyPI because there's currently a >>>> pretty long backlog in Travis due to all the PyPA development >>>> happening during the sprints. >>>> >>>> D.
Re: Documentation on running Warehouse in your own production environment?
Hi and thanks for writing! And thanks for being clear and comprehensive about what you are looking for.

I'm sorry you didn't come across https://warehouse.readthedocs.io/application/#usage-assumptions-and-concepts -- maybe we need to flag that better. As it mentions:

> Warehouse is specifically the codebase for the official Python Package Index,
> and thus focuses on architecture and features for PyPI and Test PyPI. People
> and groups who want to run their own package indexes usually use other tools,
> like devpi https://pypi.org/project/devpi-server/ .

You might also consider https://github.com/pypiserver/pypiserver or one of the other similar projects: https://github.com/pypiserver/pypiserver#similar-projects

I hope this helps! (Sorry, I originally (yesterday) sent this off-list by mistake.)

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc

On 12/20/18 9:23 AM, Christoph Bischko wrote:
> Hi all,
>
> currently, the only official warehouse documentation at
> https://warehouse.readthedocs.io seems to be quite sparse. Also it seems to
> be aimed at developers, not end users. A lot about features and the hows of
> setting up a warehouse instance is left in the dark.
>
> For instance, there is the environment file
> (https://github.com/pypa/warehouse/blob/master/dev/environment) that
> contains some very necessary settings. I did not find out about it in the
> documentation but by a painful reading of the Makefile.
>
> Warehouse ships with "example data". I.e. on installation there are >40k
> users and >30k dummy packages in the database by default - no instructions
> on how to remove them. Again, I read the Makefile and altered the
> example.sql database as a result.
>
> HTTPS seems to be disabled by default, with no documentation on how to set
> it up properly and securely.
>
> Account verification mails do not work out of the box - again no docs on
> setting that up.
>
> Pip installation of packages on a client via the index on my local
> Warehouse failed, because the links pointed to local host instead of the
> actual fileserver. Again, the responsible setting FILES_BACKEND in the
> environment is nowhere to be read about.
>
> There is no information on whether it is possible and how, to set up
> caching of the index at pypi.org with a local warehouse.
>
> As you can see, I was able to resolve some of these issues with some
> digging, reading of the code, trial and error and a bit of pain. But my
> questions are:
>
> - Am I missing something here? Is warehouse not meant to be used in
> setting up your own local package index, i.e. for a company or educational
> facility?
> - Is there additional documentation I'm not aware of, something aimed at
> system administrators and end-users that want to setup their own pypi,
> because searching the web gives precious little and nothing usable?
> - Are there (maybe 3rd-party) example configurations and guides for
> warehouse?
>
> The goal for a local instance of warehouse would be:
> - Isolation of the local network from the internet (i.e. caching of pypi)
> - Speedup of package installation via local network
> - Having private packages locally that are not uploaded to pypi
>
> I hope you can help me, and maybe documenting warehouse for end users will
> get a higher priority as a result.
> Thanks,
> Christoph
Stepping away from Twine maintainership
Quick note to thank Ian Stapleton Cordasco and Thea Flowers for their work maintaining Twine! I realized I don't have time to help maintain it right now so I'm stepping away from that, and am grateful for their work, including new releases this month: https://pypi.org/project/twine/#history And thanks to Dustin Ingram for all his recent work on Twine as well. As he said https://twitter.com/di_codes/status/1044358639081975813 : > New twine subcommand: $ twine check dist/* > Use it to verify that the README for your package is valid and will be > rendered correctly on PyPI. > Between that and Markdown support, there's no excuse for mis-rendered PyPI > descriptions anymore! More details: > https://packaging.python.org/guides/making-a-pypi-friendly-readme/#validating-restructuredtext-markup -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Re: Packaging/Warehouse sprint at PyCon 2018
Reminder: it's free to attend and participate in the PyCon development sprints (you don't need a Talks and Events PyCon registration to come to the sprints). If you live anywhere nearish Cleveland, even if you couldn't make it to the talks days, consider joining us at least for Monday May 14th, which will probably have the most discussion. -- Sumana Harihareswara Changeset Consulting https://changeset.nyc On 05/01/2018 05:29 PM, Sumana Harihareswara wrote: > https://wiki.python.org/psf/PackagingSprints now has more info: > > * we'll have at least one Open Space/Birds of a Feather session on packaging > * folks representing Anaconda/conda-build, bandersnatch, Pipenv, GitHub, > the Python Packaging User Guide, & more will be at the sprints > * more things we'll work on > > Happy to take suggestions on things to talk about and work on during the > BoF and sprints! > -Sumana > > > On 03/13/2018 10:04 AM, Sumana Harihareswara wrote: >> https://wiki.python.org/psf/PackagingSprints is where I've started a >> list of our upcoming planned sprints (right now, PyCon North America and >> EuroPython), with who's attending each and what we might work on there. >> >> At PyCon in Cleveland, possible work includes: >> >> * User testing >> * Updating the PyPA roadmap >> * Packaging Problems triage >> * PyPI API keys and two-factor auth, with Luke Sneeringer & Donald Stufft >> * Architecture for new Warehouse API URL structure >> >> -Sumana >> >> On 02/13/2018 11:22 PM, Sumana Harihareswara wrote: >>> Reminder: this Thursday, Feb. 15th, is the last day to request financial >>> aid to attend PyCon https://us.pycon.org/2018/financial-assistance/ and >>> thus the sprints. If money's a reason you're assuming you can't come >>> join us and improve Warehouse and other Python packaging/distribution >>> tools, I hope you'll apply for financial assistance. 
>>> >>> On 01/30/2018 01:39 PM, Sumana Harihareswara wrote: >>>> In case you're planning your PyCon Cleveland travel: we are planning to >>>> hold a Warehouse/packaging sprint at PyCon (the sprints are Monday, May >>>> 14th - Thursday, May 17th 2018). >>>> >>>> We welcome package maintainers, backend and frontend web developers, >>>> infrastructure administrators, technical writers, and testers to help us >>>> make the new PyPI, and the packaging ecosystem more generally, as usable >>>> and robust as possible. I took the liberty of updating >>>> https://us.pycon.org/2018/community/sprints/ to say so. >>>> >>>> Once we're closer to the sprints I'll work on a more detailed list of >>>> things we'll work on in Cleveland. >>>>
has Warehouse had a security audit already?
I'm preparing requests for Warehouse's code to be audited by independent security experts.* I'd love help answering these questions to fill out the forms:

* Has Warehouse been audited before? "If so please provide dates, a brief summary, who performed it, and any public outputs." (And that'll help me summarize the changes since then.)

* Which repositories would we want to have audited? Off the top of my head I'm thinking we'd want Warehouse, readme_renderer, cabotage, and https://github.com/python/pypi-infra . (From there I can also determine the approximate number of lines of code.)

* Does the project have any specific dates that are ideal for an audit? I believe: not particularly.

As always, if you have an immediate security concern regarding PyPI, please email security at python dot org per the PyPI security policy https://pypi.org/security/ .

* I'll submit these requests to https://www.opentech.fund/lab/red-team-lab and https://wiki.mozilla.org/MOSS/Secure_Open_Source ; the latter would also provide financial support for "remedial work to rectify the problems found".

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Oct 27-28: Bloomberg sponsoring packaging sprint
The weekend of October 27-28, simultaneously in London, UK and New York City, USA, Bloomberg will host a Python packaging and distribution tools event. Please mark your calendars! If you live in North America or Europe and would need assistance to attend this as a mentor/helper, watch for more details in July. If you live outside of the US or UK and would need an invitation letter to get a visa to travel to one of these sprints, please write to Kevin P. Fleming at Bloomberg, kpfleming AT bloomberg DOT net, and he'll start setting you up. Details: Thanks to Bloomberg for their generosity. They're already a Platinum PSF sponsor, and they'll host this, pay for a maintainers'/mentors' dinner the night before, provide clusters of cloud virtual machines for the attendees to use, and book and pay for some contributors' lodging and travel. This'll be an opportunity to advance Python packaging/distro tools, teach new contributors (including many Bloomberg employees), and yeah, if you want to get to know Bloomberg for career reasons, that too. :) We hope mentors can arrive Thursday night 25 Oct, do prep, setup, and dinner on Friday, then participate Sat-Sun, then leave Sunday evening or Monday. We'll be putting more details on these lists (distutils-sig and pypa-dev) and at https://wiki.python.org/psf/PackagingSprints . Thanks to Bloomberg folks Mario Corchero and Henry Kleynhans in London and Kevin P. Fleming in New York City for coordinating this, and thanks especially to Mario and to Paul Ganssle for suggesting it! -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
A couple updates:

https://twitter.com/mikeymikey/status/989420449485344768 says

> As a reminder to anyone out there that's dealing with the TLS 1.2 cutover on
> python's pypi on macOS 10.12: You may still get stung by it if you end up
> unfortunately needing to deal with setuptools / easy_install packages that
> you can't get through pip.

and publicizes and discusses

> a "tlsssl-1.1.0.pkg" package you can install on 10.12 that will hotfix ssl to
> support TLS 1.1/1.2 in most situations.

And yesterday, Benjamin Peterson announced the release of Python 2.7.15: https://mail.python.org/pipermail/python-list/2018-May/732755.html

> Users of the macOS binaries should note that all python.org macOS installers
> now ship with a builtin copy of OpenSSL. Additionally, there is a new
> additional installer variant for macOS 10.9+ that includes a built-in version
> of Tcl/Tk 8.6. See the installer README for more information.

(Will cross-post to PyPA-dev per https://groups.google.com/forum/#!topic/pypa-dev/Oz6SGA7gefo .)

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
(Final) PyPI/Warehouse weekly report: legacy is shut down
As I announced yesterday[1], here and on the pypi-announce[2] and general Python announcement[3] lists, we have shut down legacy.pypi.org, on schedule. (See the notes from our final weekly call[4], a screenshot of all our closed milestones[5], a screenshot of the hit ratio for Legacy going to 0%[6], and Ernest pouring out a toast to the old codebase[7].) This is the last weekly report you'll get from me on this project, as the MOSS funding has nearly run out (we set aside a little for me to run the PyCon sprint and for Nicole to run the EuroPython sprint). Thanks so much to Mozilla's Open Source Support program for the award[8] that enabled this work[9]. And thanks to the PSF and its Packaging Working Group[10] for facilitating it. Highlights from the last week: The podcast Talk Python To Me released an episode interviewing Dustin Ingram, Nicole Harris, and Ernest W. Durbin III about Warehouse -- you can listen[11] or read the transcript[12]. And the Python Bytes podcast had a short chat about Warehouse[13] as well. Ernest sunset Legacy[14], fixed a subsequent outage[15] (my fault for putting a hostname in the title of a blog post!), updated a cabotage setting[16], updated CDN configuration[17], and fixed another service disruption[18]. And he improved search for XML-RPC endpoint users[19]. Since we got 1700+ responses to the "buy a feature" survey[20], we took down the banner[21] -- Nicole notes that the data is really useful and will really help with redesigning the project detail page! She also fixed modal alignment[22] and table alignment[23] in IE11. Dustin replaced our Twisted usage with gunicorn[24] and fixed an edge case concerning identical canonical versions of a release[25], and Dustin and Ernest made old pypi.python.org links for files, display actions[26], search and browse actions[27] redirect appropriately. 
And Dustin merged "Support XML-RPC multicall"[28] and then "Skip tweens for XML-RPC multicall subrequests"[29] then "Deprecate XML-RPC MultiCall"[30] and I think we've all had sequences like that in our lives. Laura Hampton and I ran a Warehouse sprint night[31] in New York City (giving participants several tasks at varying difficulty levels[32]), where Corey Girard helped us make profile pages display "you" versus a username more logically[33] -- thanks, Corey! -- and Kshitij Chawla found a setup issue[34]. And the team found some more developer experience snags and got to fixing them: PyPUG instructions[35], the README[36], Docker instructions[37], discoverability for the architecture overview[38]. We are slowing down a bit on pull request review and issue response as our dedicated time on Warehouse comes to a close, but we still did a lot of review and replying. Thanks to the volunteers who got pull requests merged in the past week: * nixjdm, who added description_content_type to the JSON API[39] * cheungnj, who improved how we display the "last released" date on a project[40] * aalmazan, who fixed how we handle tab cycling inside active modals[41] * alex, who fixed a pytest argument[42] * kpayson64, who updated wheel types Warehouse supports[43] (see the followup conversation, on whether PyPI should allow Linux wheel uploads for ARM[44]) Special shoutout to GitHub user jdufresne[45] who has submitted a bunch of pull requests to various projects, including setuptools[46], updating their URLs from pypi.python.org to pypi.org (example[47]). I've done some similar issue-opening (example[48]). And thanks to Donald Stufft for helping with the infrastructure changeover[49]! 
You can help by: * updating the distutils docs[50] to reflect how PyPI currently works * giving yeraydiazdiaz feedback on this approach to automated frontend testing[51] * keeping an eye on Warehouse pull requests and reviewing[52] them * telling hiring managers you know to consider hiring Ernest[53] and giving him paid time to work on PyPI * finding us at PyCon North America[54] and giving us friendly feedback Dustin, Ernest, Laura, Nicole and I will continue volunteering a few hours per week around here, just as many of us did before the project. We're all grateful we got to work together and make this happen, and hope to have further paid opportunities to dedicate time to this infrastructure and its symbiotic community. -- Sumana Harihareswara (basically my last note as) Warehouse/PyPI project manager PyPA member Packaging Working Group member Changeset Consulting -- open to new client engagements starting in June/jul...@changeset.nyc Links: 1. https://mail.python.org/mm3/archives/list/pypi-annou...@python.org/thread/2HTWYE4WPCOTIIIE3Z2IKLGDHYCWVR2J/ 2. https://mail.python.org/mm3/archives/list/pypi-annou...@python.org/thread/2HTWYE4WPCOTIIIE3Z2IKLGDHYCWVR2J/ 3. https://mail.python.org/pipermail/python-announce-list/2018-April/011916.html 4. https://wiki.python.org/psf/PackagingWG/20
Fwd: [pypi-announce] legacy.pypi.org shut down, please use pypi.org
Roadmap's updated https://wiki.python.org/psf/WarehouseRoadmap . We'd love your help for the next chapter, the post-legacy-shutdown tasks: https://github.com/pypa/warehouse/milestone/12

--
Sumana Harihareswara
PyPI/Warehouse project manager
Changeset Consulting
https://changeset.nyc

Forwarded Message
Subject: [pypi-announce] legacy.pypi.org shut down, please use pypi.org
Date: Mon, 30 Apr 2018 15:25:50 -
From: s...@changeset.nyc
Reply-To: distutils-...@python.org
To: pypi-annou...@python.org

We have sunset the original Python Package Index service, which was temporarily deployed at https://legacy.pypi.org . The new PyPI is at https://pypi.org . Browser and API calls to pypi.python.org will continue to redirect to pypi.org .

If you have been using legacy.pypi.org directly, please start using pypi.org : https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi

If there is a feature that the new codebase does not support, you should file an issue at https://github.com/pypa/warehouse/issues as soon as possible.

If you use JFrog Artifactory, please make sure you're running the latest version. Please see the guidance from JFrog https://jfrog.com/knowledge-base/why-am-i-not-able-to-connect-to-pypi-python-org/ and full discussion of the issue https://github.com/pypa/warehouse/issues/3275 .

Maintenance report on the sunsetting: https://status.python.org/incidents/ptvp1wnn0jmq

Historical context and future plans: https://lwn.net/Articles/751458/

Sincerely,
Sumana Harihareswara on behalf of the PyPI team
Re: PyPI update: legacy shutdown 30 April, new classifiers page, seeking funding
And thanks, as ever, to Mozilla for their support for the PyPI & Warehouse work, and to the PSF for facilitating this work! https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/ MOSS has a number of types of award that are open to different sorts of open source/free software projects. If your project is looking for financial support, check https://mozilla.org/moss to see if you qualify. The next application deadline is April 30th. -Sumana
PyPI update: legacy shutdown 30 April, new classifiers page, seeking funding
Almost the end. On Monday April 30th we're going to shut down https://legacy.pypi.org/ . The URL pypi.python.org will continue to redirect to Warehouse (pypi.org). As you can see from https://status.python.org/ , Warehouse has been holding up well, and we don't see any reason to delay the shutdown of Legacy. If you need to compare new Warehouse behavior with old Legacy behavior, tell us about a redirect that isn't working right, etc., please do that this week. Older versions of JFrog's Artifactory have trouble with the pypi.python.org redirect. Users whose instances proxy/mirror PyPI should upgrade before April 30th. https://www.jfrog.com/jira/browse/RTFACT-16223?focusedCommentId=54641=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-54641 (more context[1]) We've been fixing up search[2], dealing with memory consumption[3] and reliability, adding metrics and monitoring, replying to user issues, reviewing volunteers' contributions, and improving PyPI admins' ability to do things like deprecate classifiers[4]. Check out the new page listing classifiers and linking to a search for each one! https://pypi.org/classifiers/ And we've been working on user research to help guide future design decisions and work. We're grateful for the 59 volunteers who have stepped up to participate in Nicole's user tests. And if you have a spare 5 minutes, we'd like for you to play our "buy a feature" game via this Google form! https://docs.google.com/forms/d/e/1FAIpQLSfABpsRcVYt7RDJEsbL_2CnyH-IKXRCRwaBhCm4sYnNI6yB3A/viewform (short URL: bit.ly/2HpsAWd & tweet to RT[5]) More in our weekly meeting notes[6]. 
Some open issues that could use comments from you:

* Why does warehouse allow linux_armv6l and linux_armv7l wheels?[7]
* Derive list of classifiers from a public, version-controlled source[8]
* Offer a discouraged/deprecated releases option?[9]

Thanks to jonparrott for adding sticky caching for release descriptions[10], to contrepoint for adding a browser warning for IE 10[11], and browniebroke for customizing an email address verification message[12].

As I said last week[13], we're running out of MOSS money. We will probably be able to deal with any issues that come up immediately following the legacy shutdown, but then this project (and the weekly emails from me) will be done.

Of course Warehouse could use further sustained effort, so the Packaging Working Group has submitted some grant proposals and requests to some funders for amounts ranging from about USD$35,000 to about USD$150,000. Depending on the funders and their objectives, we've mentioned chunks of work that could happen faster (or at all) with funding, such as:

* Adding support for two-factor authentication via TOTP and U2F/Fido.
* Adding application-specific tokens scoped to individual users/projects (also covering adding token-based login support to twine and setuptools).
* Adding a more advanced audit trail of user actions beyond the current journal (allowing publishers to track all actions taken by third-party services on their behalf).
* Performing accessibility repair work to follow an accessibility audit.
* Researching and implementing localization and internationalization features.
* Recruiting translators and integrating translations into PyPI.

We also would like to accelerate work on group/organization support[14], better notifications, better staging/testing workflow for project maintainers, GitHub signon, and more.
If you want details on predicted costs and are interested in hooking the Packaging Working Group[15] up with potential funders, email cochair Ewa Jodlowska at ewa at python dot org -- and she may advise that PSF sponsorship[16] is the route to take! (Also if I'm wrong here about how the PSF wants to do money things, trust actual PSF staffers and not me.)

So, things you can do:

* check legacy.pypi.org for any behavior, links, etc. you need
* upgrade Artifactory
* play our "buy a feature" game
* comment on issues that need discussion
* help us get more funding for future work

Thanks and best wishes.

--
Sumana Harihareswara
Warehouse/PyPI project manager
Changeset Consulting
s...@changeset.nyc

Links:
1. https://github.com/pypa/warehouse/issues/3275
2. https://github.com/pypa/warehouse/pull/3772
3. https://github.com/pypa/warehouse/pull/3774
4. https://github.com/pypa/warehouse/pull/3771
5. https://twitter.com/nlhkabu/status/988856279526465537
6. https://wiki.python.org/psf/PackagingWG/2018-04-23-Warehouse
7. https://github.com/pypa/warehouse/issues/3668
8. https://github.com/pypa/warehouse/issues/3786
9. https://github.com/pypa/warehouse/issues/3709
10. https://github.com/pypa/warehouse/pull/3745
11. https://github.com/pypa/warehouse/pull/3764
12. https://github.com/pypa/warehouse/pull/3789
13. https://groups.google.com/forum/#!topic/pypa-dev/MBa5300VlI8
14. https://github.com/pypa/warehouse/issues/201
15.
Re: Impending silent breakage of pip / macOS likely to cause severe confusion
On 04/09/2018 02:43 PM, Donald Stufft wrote:
>
>> On Apr 6, 2018, at 5:06 PM, Matthew Brett <matthew.br...@gmail.com> wrote:
>>
>> OK - so our hard deadline is the planned Warehouse launch on April
>> 16th? I would argue for going straight to the SSL error at that
>> point, and turning off the current brownout and April 8th TLS 1.0 shut
>> down. Is that possible? Do other Macolytes agree with me that that
>> would be less confusing? In the mean time, would it be possible to
>> put out some big announcements following up on the originals, giving
>> the SSL error, to seed Google searches, and prime memories?
>
> We’ve modified the plan so that instead of the brownout style error lasting
> until the 16th, we’re going to switch to the hard failure tomorrow with the
> 100% brownout failure happening today (and yesterday). We didn’t want to move
> straight to the hard failure in case we needed to roll it back for some
> reason. We don’t want to wait until the 16th to avoid lumping too many
> changes onto a single day (so we don’t have to deal with potential fallout of
> too many different changes on a single day).
>
> Hopefully that works for everyone.

Users with older TLS support libraries (on various operating systems) are currently seeking support as they discover breakage, and we're seeing their support requests on IRC and in support requests filed as issues in multiple GitHub repositories (for virtualenv, pip, Warehouse, and pipenv, among others).

I gathered some common symptoms and created a help item in the pypi.org FAQ: https://pypi.org/help/#tls-deprecation . Patch: https://github.com/pypa/warehouse/pull/3720 .

In March, I was deciding whether to make a big publicity push about the TLS deprecation, and I decided not to spend several hours writing and publicizing announcements about it (and to instead focus on other Warehouse project management work).
I made this decision (noted in https://mail.python.org/pipermail/distutils-sig/2018-March/032067.html ) based on my own misunderstanding about urgency (I believe I had not yet realized that the new deadline would be, at the latest, the Warehouse cutover, not June 30th) and based on percentage-type predictions about how few users would be affected by the cutover (I didn't think hard enough about how many people that would represent, and how hard to diagnose the breakage would be for them). I regret my earlier decision. I have now in fact spent several hours supporting users, writing documentation, and reaching out to people with platforms in the macOS user community to raise awareness and perhaps speed a platform-level solution, and I hope this partially makes up for my earlier mistake. -- Sumana Harihareswara Warehouse project manager Changeset Consulting https://changeset.nyc
Re: [Distutils] please mark good first issues in your projects
In my experience (not just here but within Zulip, Wikimedia, Mailman, and other projects), this depends on the project's maintainers. If maintainers actively put the word out that a project is seeking new volunteers, respond to new questions and patches within a few days, and comment on finished issues to say "great! want another?", volunteers work through the "good first issues" queue steadily and it needs regular replenishment.

It is worth taking a fresh look at the queue every month or two to double-check whether any of the open issues labelled "good first issue" are harder than they first appeared, then remove the label with an explanatory comment.

(My further advice on stuff like this -- "How To Improve Bus Factor In Your Open Source Project", "How to Teach And Include Volunteers who Write Poor Patches", "Inclusive-Or: Hospitality in Bug Tracking", etc. -- is at my resources page https://changeset.nyc/resources.html .)

--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc

On 04/13/2018 11:32 AM, C Anthony Risinger wrote:
> Do these kinds of issues ever linger on unreasonably, or do enough
> volunteers step up to keep them low? Do you expire that label after a few
> months?
>
> I don't have any feedback on your actual request, I'm mostly curious of the
> process/interplay around feeding new users work without introducing excessive
> delay or otherwise.
>
> Thanks,
>
> On Fri, Apr 13, 2018, 9:55 AM Sumana Harihareswara <s...@changeset.nyc> wrote:
>
>> Warehouse is attracting several newer contributors including people new
>> to open source, which is great. As Warehouse matures, we have fewer and
>> fewer easy small bugs *in the Python side* left. (So, we have more work
>> for new frontend contributors, and less for Pythonists.)
>>
>> I'd love to refer these folks to other parts of the Python packaging and
>> distribution ecosystem so we can improve the whole toolchain.
Right now >> there are 29 open issues in PyPA projects on GitHub marked "good first >> issue", 11 in Warehouse and most of the rest in pip: >> >> >> https://github.com/issues?utf8=%E2%9C%93=user%3Apypa+is%3Aopen+label%3A%22good+first+issue%22+ >> >> I'm totally fine with giving new volunteers teensy tiny doc fix tasks, >> "manually test this functionality" tasks, and "check whether this bug is >> still reproducible" tasks, in case you want to write up some of those. >> Here's a template we use to make good first issues in Warehouse, in case >> you want to emulate it: >> https://github.com/pypa/warehouse/issues/new?template=good-first-issue.md >> >> >> **Good First Issue**: This issue is good for first time contributors. If >> you've already contributed to Warehouse, please work on [another issue >> without this >> label]( >> https://github.com/pypa/warehouse/issues?utf8=%E2%9C%93=is%3Aissue+is%3Aopen+-label%3A%22good+first+issue%22 >> ) >> instead. If there is not a corresponding pull request for this issue, it >> is up for grabs. For directions for getting set up, see our [Getting >> Started Guide](https://warehouse.pypa.io/development/getting-started/). >> If you are working on this issue and have questions, please feel free to >> ask them here, [`#pypa-dev` on >> Freenode](https://webchat.freenode.net/?channels=%23pypa-dev), or the >> [pypa-dev mailing list](https://groups.google.com/forum/#!forum/pypa-dev). >> >> >> If your project isn't under https://github.com/pypa , but you want to >> publicize your good first issues, reply to this thread? Thanks. >> >> -- >> Sumana Harihareswara >> Warehouse project manager >> Changeset Consulting >> https://changeset.nyc
Re: Docker Memory usage on Mac. Suggestions wanted
On 04/03/2018 01:50 PM, Anurag Saxena wrote: > Hello, > > Does anyone have a well-known/best practice solution on how to manage > memory and cpu use by docker on mac? A lot of times my docker installation > uses up all the available memory and slows everything else down. The only > solution, then, is to quit and restart docker. I am new to using docker. My > mac has 8gb ram and runs a ssd. > > Thank you. Hi, Anurag. Sorry you haven't gotten any replies yet. What version of OS X are you using? -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
please mark good first issues in your projects
Warehouse is attracting several newer contributors including people new to open source, which is great. As Warehouse matures, we have fewer and fewer easy small bugs *in the Python side* left. (So, we have more work for new frontend contributors, and less for Pythonists.) I'd love to refer these folks to other parts of the Python packaging and distribution ecosystem so we can improve the whole toolchain. Right now there are 29 open issues in PyPA projects on GitHub marked "good first issue", 11 in Warehouse and most of the rest in pip: https://github.com/issues?utf8=%E2%9C%93=user%3Apypa+is%3Aopen+label%3A%22good+first+issue%22+ I'm totally fine with giving new volunteers teensy tiny doc fix tasks, "manually test this functionality" tasks, and "check whether this bug is still reproducible" tasks, in case you want to write up some of those. Here's a template we use to make good first issues in Warehouse, in case you want to emulate it: https://github.com/pypa/warehouse/issues/new?template=good-first-issue.md **Good First Issue**: This issue is good for first time contributors. If you've already contributed to Warehouse, please work on [another issue without this label](https://github.com/pypa/warehouse/issues?utf8=%E2%9C%93=is%3Aissue+is%3Aopen+-label%3A%22good+first+issue%22) instead. If there is not a corresponding pull request for this issue, it is up for grabs. For directions for getting set up, see our [Getting Started Guide](https://warehouse.pypa.io/development/getting-started/). If you are working on this issue and have questions, please feel free to ask them here, [`#pypa-dev` on Freenode](https://webchat.freenode.net/?channels=%23pypa-dev), or the [pypa-dev mailing list](https://groups.google.com/forum/#!forum/pypa-dev). If your project isn't under https://github.com/pypa , but you want to publicize your good first issues, reply to this thread? Thanks. -- Sumana Harihareswara Warehouse project manager Changeset Consulting https://changeset.nyc
Summary of PyPI overhaul in new LWN article
Today, LWN published my new article "A new package index for Python". https://lwn.net/Articles/751458/ In it, I discuss security, policy, UX and developer experience changes in the 15+ years since PyPI's founding, new features (and deprecated old features) in Warehouse, and future plans. Plus: screenshots! If you aren't already an LWN subscriber, you can use this subscriber link for the next week to read the article despite the LWN paywall. https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/ This summary should help occasional Python programmers -- and frequent Pythonists who don't follow packaging/distro discussions closely -- understand why a new application is necessary, what's new, what features are going away, and what to expect in the near future. I also hope it catches the attention of downstreams that ought to migrate. -- Sumana Harihareswara Warehouse project manager Changeset Consulting https://changeset.nyc
Re: IRC/Twitter livechats about Warehouse today & Thursday
The next chat will be in a little under half a day. We're also adding one more IRC livechat, for next week: Tuesday, April 10th, 19:00 UTC: https://www.timeanddate.com/worldclock/converter.html?iso=20180410T19=24=1440=179 . -Sumana On 04/03/2018 10:44 AM, Sumana Harihareswara wrote: > The next one starts in ~16 minutes. Links, etc. at > https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html#livechat > . > > -Sumana > > On 03/26/2018 05:13 PM, Sumana Harihareswara wrote: >> Warehouse developers will be in IRC, in #pypa-dev on Freenode, and on >> Twitter (hashtag: #newpypi), available to talk about problems you run >> into, or about how to hack on Warehouse, for four livechats over the >> next few weeks: >> >> >> 1. Tuesday, March 27th, 9am-10am PDT, noon-1pm EDT, 18:00-19:00 CEST, >> 9:30pm-10:30pm India, 16:00-17:00 UTC >> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+chat=20180327T16=:=1 >> >> >> 2. Friday, March 30th, 10-11am EDT, 16:00-17:00 CEST, 7:30pm-8:30pm >> India, 14:00-15:00 UTC >> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+live+chat=20180330T14=1440=1 >> >> >> 3. Tuesday, April 3rd, 8am-9am PDT, 11am-noon EDT, 17:00-18:00 CEST, >> 8:30pm-9:30pm India, 15:00-16:00 UTC >> https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+livechat=20180403T10=24=1 >> >> >> 4. Thursday, April 5th, 5pm-6pm PDT, 8pm-9pm EDT, (April 5th) 8am-9am >> Manila, (April 5th) 10am-11am Melbourne, (April 5th) 0:00-1:00 UTC >> https://www.timeanddate.com/worldclock/fixedtime.html?p1=24=20180405T19=Warehouse/PyPI%20beta%20livechat=1=4 >> >> >> Feel free to drop in! (By participating, you agree to abide by the PyPA >> Code of Conduct: https://www.pypa.io/en/latest/code-of-conduct/ .) >>
PyPI/Warehouse update: new advice & launch, shutdown dates
helping review each other's work, which helps everyone learn and improve PRs faster. How you can help: * forward the beta announcement[49] to downstreams * tell people on Macs to upgrade pip[50], and answer Guido's question[51] about which users are potentially affected * test[52] Warehouse pull requests, and consider making one[53] * talk with Nicole about being a subject or interviewer for user tests[54] * improve the official Python packaging guide[55] * remind well-off companies/foundations you know that further Warehouse work is more likely if they give the PSF donations[56], sponsorship[57], or grants Thanks again to the Mozilla Open Source Support grant[58] that makes this work possible. -- Sumana Harihareswara Warehouse project manager Changeset Consulting s...@changeset.nyc Links: 1. https://wiki.python.org/psf/WarehouseRoadmap 2. https://wiki.python.org/psf/PackagingWG/2018-04-02-Warehouse 3. https://github.com/pypa/warehouse/issues/3411 4. https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi 5. https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi 6. https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/ 7. https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html 8. http://status.python.org/ 9. https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/ 10. https://github.com/pypa/warehouse/milestones 11. https://github.com/pypa/warehouse/pull/3503 12. https://github.com/pypa/warehouse/pull/ 13. https://github.com/pypa/warehouse/pull/3327 14. https://github.com/pypa/warehouse/pull/3477 15. https://github.com/pypa/warehouse/pull/3393 16. https://github.com/pypa/warehouse/pull/3434 17. https://github.com/pypa/warehouse/pull/3418 18. https://github.com/pypa/warehouse/pull/3372 19. https://github.com/pypa/warehouse/pull/3396 20. https://github.com/pypa/warehouse/pull/3457 21. https://github.com/pypa/warehouse/pull/3459 22. 
https://github.com/pypa/warehouse/pull/3475 23. https://github.com/pypa/warehouse/pull/3429 24. https://github.com/pypa/warehouse/labels/cross%20browser%20bug%20%3Abug%3A 25. https://github.com/pypa/conveyor/pull/3 26. https://github.com/pypa/pypi-legacy/commits?author=ewdurbin=2018-03-01T05:00:00Z=2018-04-01T04:00:00Z 27. https://github.com/pypa/warehouse/pull/3522 28. https://github.com/pypa/warehouse/pull/3498 29. https://github.com/pypa/warehouse/pull/3320 30. https://github.com/pypa/warehouse/pull/3466 31. https://github.com/pypa/warehouse/pull/3493 32. https://github.com/pypa/warehouse/pull/3403 33. https://github.com/pypa/warehouse/pull/3354 34. http://kafka.dcpython.org/day/pypa-dev/2018-04-03 35. https://blog.python.org/2018/03/the-all-new-python-package-index-is-now.html 36. https://mail.python.org/pipermail/python-announce-list/2018-March/011883.html 37. https://lists.debian.org/debian-python/2018/04/msg0.html 38. https://groups.google.com/forum/#!topic/python-brasil/Synj27Fczww 39. https://www.facebook.com/groups/pythonpl/permalink/1680880335336289/ 40. http://lists.software-carpentry.org/pipermail/discuss/2018-March/005891.html 41. https://groups.google.com/forum/#!topic/numfocus/uu8aGRmQ-oc 42. https://changelog.com/news/the-new-pypi-is-finally-in-beta-l66G 43. https://twit.tv/shows/floss-weekly 44. https://www.google.com/calendar/event?eid=cTNzdDByZWxmOGRsaXRiMWo3ZXJvY2lwaW9fMjAxODAzMjdUMTkwMDAwWiA1dm90czZraGxlNm02dnNzdWFsdDJvZjg3MEBn=America/New_York 45. https://twitter.com/hashtag/newpypi?src=hash 46. https://mail.python.org/pipermail/python-announce-list/2018-April/011885.html 47. https://github.com/pypa/warehouse/issues/3293#issuecomment-378416605 48. https://github.com/pypa/warehouse/pulls?utf8=%E2%9C%93=3410+3448+3467+3322+3495+3412+3405+3485+3243+3535+2163+3533+3500+3415+3407+3314+3328+3202+3377+3388+3409+ 49. https://mail.python.org/pipermail/python-announce-list/2018-March/011883.html 50. 
https://mail.python.org/pipermail/python-announce-list/2018-April/011885.html 51. https://github.com/pypa/warehouse/issues/3293#issuecomment-378416605 52. https://warehouse.readthedocs.io/development/reviewing-patches/#testing-branches-on-your-local-machine 53. https://warehouse.readthedocs.io/development/getting-started/ 54. http://whoisnicoleharris.com/2018/03/13/user-testing-warehouse.html 55. https://github.com/pypa/python-packaging-user-guide/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22 56. https://donate.pypi.org/ 57. https://www.python.org/psf/sponsorship/ 58. https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
IRC/Twitter livechats about Warehouse today & Thursday
The next one starts in ~16 minutes. Links, etc. at https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html#livechat . -Sumana On 03/26/2018 05:13 PM, Sumana Harihareswara wrote: > Warehouse developers will be in IRC, in #pypa-dev on Freenode, and on > Twitter (hashtag: #newpypi), available to talk about problems you run > into, or about how to hack on Warehouse, for four livechats over the > next few weeks: > > > 1. Tuesday, March 27th, 9am-10am PDT, noon-1pm EDT, 18:00-19:00 CEST, > 9:30pm-10:30pm India, 16:00-17:00 UTC > https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+chat=20180327T16=:=1 > > > 2. Friday, March 30th, 10-11am EDT, 16:00-17:00 CEST, 7:30pm-8:30pm > India, 14:00-15:00 UTC > https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+live+chat=20180330T14=1440=1 > > > 3. Tuesday, April 3rd, 8am-9am PDT, 11am-noon EDT, 17:00-18:00 CEST, > 8:30pm-9:30pm India, 15:00-16:00 UTC > https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+livechat=20180403T10=24=1 > > > 4. Thursday, April 5th, 5pm-6pm PDT, 8pm-9pm EDT, (April 5th) 8am-9am > Manila, (April 5th) 10am-11am Melbourne, (April 5th) 0:00-1:00 UTC > https://www.timeanddate.com/worldclock/fixedtime.html?p1=24=20180405T19=Warehouse/PyPI%20beta%20livechat=1=4 > > > Feel free to drop in! (By participating, you agree to abide by the PyPA > Code of Conduct: https://www.pypa.io/en/latest/code-of-conduct/ .) >
IRC/Twitter livechat hours March 27-April 5
Warehouse developers will be in IRC, in #pypa-dev on Freenode, and on Twitter (hashtag: #newpypi), available to talk about problems you run into, or about how to hack on Warehouse, for four livechats over the next few weeks: 1. Tuesday, March 27th, 9am-10am PDT, noon-1pm EDT, 18:00-19:00 CEST, 9:30pm-10:30pm India, 16:00-17:00 UTC https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+chat=20180327T16=:=1 2. Friday, March 30th, 10-11am EDT, 16:00-17:00 CEST, 7:30pm-8:30pm India, 14:00-15:00 UTC https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+live+chat=20180330T14=1440=1 3. Tuesday, April 3rd, 8am-9am PDT, 11am-noon EDT, 17:00-18:00 CEST, 8:30pm-9:30pm India, 15:00-16:00 UTC https://www.timeanddate.com/worldclock/fixedtime.html?msg=Warehouse/PyPI+beta+livechat=20180403T10=24=1 4. Thursday, April 5th, 5pm-6pm PDT, 8pm-9pm EDT, (April 5th) 8am-9am Manila, (April 5th) 10am-11am Melbourne, (April 5th) 0:00-1:00 UTC https://www.timeanddate.com/worldclock/fixedtime.html?p1=24=20180405T19=Warehouse/PyPI%20beta%20livechat=1=4 Feel free to drop in! (By participating, you agree to abide by the PyPA Code of Conduct: https://www.pypa.io/en/latest/code-of-conduct/ .) -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
suggestion: using "black" for Warehouse formatting
black <https://github.com/ambv/black> is an opinionated code formatter. It is currently a pre-release in alpha. https://github.com/pypa/warehouse/pull/3367 Donald would like to add black to our linter and format all Warehouse code with black going forward. Comment on the pull request if you have thoughts. -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
PyPI/Warehouse: infrastructure hardening & the CAPTCHA conundrum
So we aren't quite at beta yet, but we'll be shouting about pypi.org *really soon*. We have nearly all the Warehouse improvements we need for beta, and nearly all the infrastructure improvements we believe we'll need for the switchover. I'll tell you how you can help, then talk about the current state of things. * The big blocker keeping us from beta: China & CAPTCHAs. Help advise us.[1] * Comment on a "needs discussion" issue[2]. * Help us with large-scope JavaScript issues[3], like our frontend testing approach. * Please talk with Nicole about being a subject or interviewer for user tests[4]. * Tell me if you're planning to join us at sprints at PyCon or EuroPython[5]. * Check out our open good first Warehouse issues[6] (we usually have 10+ open) and get started[7]. If you follow https://status.python.org/ you saw we did some load testing last week and learned from it! We redirected some traffic, for a few periods, for `pip install`, from the old server to Warehouse, and learned from it. For instance, people running Ubuntu 14.04 LTS (long term service release)[8] are usually using a pretty old version of pip, and people on some versions of the Mac OS[9] have older versions of Python and old versions of security-related libraries that don't support the version of TLS that we want them to use. Ernest, Donald and Dustin did a bunch of work addressing this, including Donald putting out pip 9.0.2[10]. (A thing to understand about Ernest's continuing work on PyPI and distribution infrastructure is that it's in a lot of places. It's cabotage[11] & a test cabotage app[12], configuration with salt[13], conveyor[14], pip[15] & get-pip[16], and he filed a bug in Kubernetes[17] which I personally find particularly impressive. And it's in user-facing communication in IRC and GitHub comments and on our statuspage and Twitter, plus a lot of internal discussion with infrastructure colleagues. 
I have a harder time gathering links for Ernest's work for these emails than for my other teammates; regrets.) As usual, a summary of the past week's work is in our meeting notes[18]. We have new features like letting PyPI administrators add new trove classifiers easily[19], infrastructure improvements like this complexity reduction[20], a ton of polish and bug fixing around layout, description content types (Markdown!), a FAQ restructuring[21], a more useful collaboration page[22], etc. And we reviewed and merged a lot of volunteers' pull requests! Thanks to our prolific volunteers: * pgadige making sure an error message reflects whether you're on PyPI or Test PyPI[23] * waseem18 providing an error message for the password reset[24] * cryvate fixing form requirements for password reset[25] * waseem18 fixing disabled button CSS[26] * yeraydiazdiaz fixing modal window behavior[27], then refixing[28] * berkerpeksag adding a "public profile" link to the user dropdown[29] * Mariatta sending notification email when a project collaborator's added[30] * berkerpeksag hiding the "view project" button for no-release-yet projects in maintainers' project lists[31] * alexwlchan renaming a CSS class for consistency[32] * jMuzsik improving documentation of owners' and maintainers' privileges[33] * yeraydiazdiaz adding JavaScript validation to show the user if "new password" and "confirm new password" don't match[34] * alexwlchan documenting all the modifiers in our SASS directory[35] * alanbato and yeraydiazdiaz adding a check to stop someone from uploading a file whose blake2 hash matches an already-uploaded file[36] * cryvate improving sorting of package versions in our /simple/ API[37] * jMuzsik improving how PyPI links look on Twitter, adding an image to our Twitter cards[38] * years updating the Python Packaging User Guide[39] and sample project[40] for Markdown/PEP 566 And thanks to our many bug reporters, especially those who helped us learn from our load tests. 
Also, check out discussion on API key support/macaroons[41], supporting GitHub-flavored Markdown as Description-Content-Type[42], and project rating/ranking/stars[43]. And finally, we are ever closer to accepting PEP 541 (and planning followup tasks[44]) and are testing our PEP 566 compliance[45]. And I may start a PEP for a Python package index upload API specification[46]. More next week, as usual. *Thanks to Mozilla for their support[47] for the PyPI & Warehouse work[48]!* -- Sumana Harihareswara Warehouse project manager Changeset Consulting s...@changeset.nyc Links: 1. https://github.com/pypa/warehouse/issues/3174 2. https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3A%22needs+discussion%22 3. https://github.com/pypa/warehouse/issues/1297 4. http://whoisnicoleharris.com/2018/03/13/user-testing-warehouse.html 5. https://wiki.python.org/psf/PackagingSp
Twine 1.11.0 released
https://pypi.org/project/twine/1.11.0/ Twine 1.11.0 is now out (changelog at https://twine.readthedocs.io/en/latest/changelog.html ). Thanks in particular to Dustin Ingram, Jon Wayne Parrott, Donald Stufft, Ian Stapleton Cordasco, Leonard Richardson, Matthew Planchard, Holger Krekel, Jason R. Coombs, Maurits van Rees, and Florian Schulze for code, testing, review, documentation, and advice. On 03/18/2018 08:59 AM, Sumana Harihareswara wrote: subject: prepping PEP 566 support in Twine for tomorrow > Per > https://dustingram.com/articles/2018/03/16/markdown-descriptions-on-pypi > , currently, Markdown support for a package long_description depends on > a pre-release of Twine. I released Twine 1.11.0rc1 a few days ago. Today > I'm fixing more bugs and putting out another release candidate, and then > tomorrow I plan to release 1.11.0. Code review and testing is welcome, > as is camaraderie in #pypa-dev on Freenode. -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Re: release blockers for pip
Donald is handling the 9.0.x series. Paul just mentioned in IRC that he'll be doing the 10.x beta in 2 weeks time. Pip 9.0.2 is out, and the only change it carries is that it supports TLSv1.2 when running under system Python on macOS < 10.13. Official release notes: https://pip.pypa.io/en/stable/news/ Context: * https://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html * https://github.com/pypa/warehouse/issues/3293 * https://status.python.org/incidents/btjtz01lzp88 -- Sumana Harihareswara Changeset Consulting https://changeset.nyc On 03/07/2018 03:13 PM, Paul Moore wrote: > Cool, that's good to know. The biggest admin issue I saw was tracking > "what's suitable for a maintenance release", but certainly my > impression is coloured by the big changes that went on since 9.0.1. > > Paul > > On 7 March 2018 at 17:59, Donald Stufft <don...@stufft.io> wrote: >> >> On Mar 7, 2018, at 12:39 PM, Paul Moore <p.f.mo...@gmail.com> wrote: >> >> At the moment, we don't have the infrastructure for doing bugfix >> releases - and in this specific situation, pulling out the "ready to >> go" parts of master to form an interim release isn't really practical, >> given the resources we have. Once pip 10 is out of the door, I'd like >> to investigate the possibility of having some sort of "maintenance >> branch" setup, but we're so thin on the ground at the moment (with >> Donald working on Warehouse and Xavier on leave of absence, it's >> basically just Pradyun and I, and I'm not managing to actually work on >> code much, just reviews and issue management) so I don't want to >> overload what little resource we have with admin. >> >> >> >> Doing a maintenance release is only a little bit harder than doing a regular >> release and I don’t think that maintenance branches fix it. 
>> >> If we wanted to we could create a maintenance branch *right now* by just >> doing ``git checkout -b release/9.0.2 9.0.1`` which would create a branch >> off of whatever was released as 9.0.1 that we can cherry-pick changes to. I >> don’t think pre-creating this branch at release time adds anything of value >> (and in fact I think it makes the situation generally worse). >> >> * If changes land to master first and then get cherry-picked into a >> maintenance branch, then it’s basically no different from what is available >> today. >> * If changes land to the maintenance branch first, and then get forward >> merged to `master`, then people will get confused and send backwards >> incompatible changes to the maintenance branch and need to be asked to >> rebase their branch onto master. >> * Having the branch exist at all will confuse people who don’t know where to >> send what branch where. >> * In the past, we’ve had bugs get fixed in a maintenance branch, then forget >> to merge that into master and “lose” the bug fix. >> >> Basically, I think sending changes to the maintenance branch first makes >> contributing to pip more confusing and more likely we lose things by >> accident and sending things to `master` branch then asking for a cherry-pick >> to a maintenance branch isn’t really much less effort than collecting issues >> at a hypothetical “we want to release 9.0.2” time, creating a branch then, >> and cherry-picking them all over at that time. >> >> In either case, a 9.0.2 release is hard because we vastly altered the >> structure of the code between 9.0.1 and `master`, so either solution doesn’t >> really help us get a hypothetical 9.0.2 released with whatever changes we >> think would be useful. When we don’t have big shifts like that, it’s pretty >> easy (I’ve done it more than once actually!).
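One way to check, on a given machine, the TLS 1.2 requirement that the pip 9.0.2 note above (and the earlier load-test report about old security libraries) refers to. This is an added example, not code from pip or Warehouse: the function names and the sample inventory are constructed for illustration, and it assumes the known facts that TLS 1.2 first shipped in OpenSSL 1.0.1 and that every LibreSSL release includes it.

```python
import re
import ssl

# TLS 1.2 was introduced in OpenSSL 1.0.1. LibreSSL was forked from a later
# OpenSSL 1.0.1 release, so every LibreSSL version can negotiate TLS 1.2.
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)

# Matches the leading "<library> <major>.<minor>.<patch>" of ssl.OPENSSL_VERSION,
# e.g. "OpenSSL 0.9.8zh 14 Jan 2016" or "LibreSSL 2.2.7".
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def library_supports_tls12(version_string):
    """Classify a string in the format of ssl.OPENSSL_VERSION.

    Returns True or False, or None when the string is not a recognised
    OpenSSL/LibreSSL version (treat that as "check by hand").
    """
    match = _VERSION_RE.match(version_string.strip())
    if match is None:
        return None
    if match.group(1) == "LibreSSL":
        return True
    version = tuple(int(part) for part in match.group(2, 3, 4))
    return version >= MIN_OPENSSL_FOR_TLS12


def triage(inventory):
    """Sort (host, version_string) pairs into ok / upgrade / unknown."""
    buckets = {"ok": [], "upgrade": [], "unknown": []}
    for host, version_string in inventory:
        verdict = library_supports_tls12(version_string)
        if verdict is None:
            buckets["unknown"].append(host)
        elif verdict:
            buckets["ok"].append(host)
        else:
            buckets["upgrade"].append(host)
    return buckets


def interpreter_report():
    """Report on the interpreter running this script.

    The ssl module only exposes its TLS 1.2 constants when it was built
    against a library that has TLS 1.2, so the module flag is checked as
    well as the version string.
    """
    library_ok = library_supports_tls12(ssl.OPENSSL_VERSION)
    module_ok = bool(getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2")))
    return {
        "library": ssl.OPENSSL_VERSION,
        "library_ok": library_ok,
        "module_ok": module_ok,
        # Usable unless the module lacks TLS 1.2 or the library is known too old.
        "usable": module_ok and library_ok is not False,
    }


# Constructed sample inventory (hypothetical host names). Each string is what
#   python -c "import ssl; print(ssl.OPENSSL_VERSION)"
# would print when run with the interpreter that pip uses on that host.
SAMPLE_INVENTORY = [
    ("build-mac-01", "OpenSSL 0.9.8zh 14 Jan 2016"),
    ("build-mac-02", "LibreSSL 2.2.7"),
    ("ci-trusty-01", "OpenSSL 1.0.1f 6 Jan 2014"),
    ("legacy-01", "OpenSSL 1.0.0t 3 Dec 2015"),
    ("appliance-01", "vendor TLS stack 4.2"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8} {', '.join(hosts) or '-'}")
    print(interpreter_report())
```

Hosts in the `upgrade` bucket are the ones whose installs would fail once an index accepts only TLS 1.2 connections; hosts in `unknown` need a manual check.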
prepping PEP 566 support in Twine for tomorrow
Per https://dustingram.com/articles/2018/03/16/markdown-descriptions-on-pypi , currently, Markdown support for a package long_description depends on a pre-release of Twine. I released Twine 1.11.0rc1 a few days ago. Today I'm fixing more bugs and putting out another release candidate, and then tomorrow I plan to release 1.11.0. Code review and testing is welcome, as is camaraderie in #pypa-dev on Freenode. -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
new stuff overview, beta next week, user tests, & other Warehouse updates
The new PyPI is still working towards our big public beta[1]. We have 7 open issues till we'll declare beta and make an outreach push (probably late this week or early next week), and then 19 more open issues till we can redirect/launch PyPI[2] probably in April (overview[3]). I've started preparing a draft overview of what's new in PyPI/packaging/distribution[4] to publicize along with the beta; it says "not to be publicized" but I'll let you in on the secret early. Maybe something in it is new to you as well! As usual, we had a Warehouse core developers' meeting on Monday[5]. The last week has seen a lot of polish and bugfixing and documentation for Warehouse. For instance, project deletion is cleaner[6], we more consistently indicate dangerous actions on a page[7], and there's now a migration guide for third-party services[8] which we told several projects about[9]. We've done some infrastructural work, like Datadog instrumentation[10], "Conveyor" (a shim for URL redirects)[11], and Cabotage improvements[12]. Here's an animated GIF demo of release phase commands (scale up, scale down).[13] And we improved other codebases as well, to fix Travis docs[14], get our HTTPS proxy service to deal with big embedded images[15], and deal better with parsing invalid URLs in READMEs[16]. Thanks to volunteers who got pull requests merged this week: * waseem[17]: we now send an email to primary email whenever primary email is changed * mds325[18]: clear input when the user closes the modal * dirn[19]: create a shortlink and redirect all requests for /p// to /project// * cryvate[20]: clarify project counter for searches with tons of results * Mariatta[21]: fix an email-sending issue And thanks to our many bug reporters, such as Andrew Nesbitt who noticed an RSS feed discrepancy[22]. Check out the current discussion[23] of API keys, a bearer token authentication scheme, and Macaroons in future PyPI. Want to help? 
* Talk with Nicole about being a subject or interviewer for user tests![24] She's been focusing on user tests and it's paid off, with a lot of bugs found and designs validated. * Got a good workaround for our CAPTCHA being blocked in China[25]? * Consider joining us at sprints[26] in the next few months. * We have 24 good first issues open[27], and a "getting started"[28] guide, and quick turnaround on code review. *Thanks to Mozilla Open Source Support[29] for their funding[30] for the PyPI & Warehouse work.* -- Sumana Harihareswara Warehouse project manager Changeset Consulting s...@changeset.nyc P.S. Usually I compose these weekly report emails in plain text; here I'm doing it in HTML with a plaintext fallback. Let me know if it's better, awful, etc. Also nearly no one *replies* to these emails so I'd also welcome your "hey this is useful to me!" offlist reply. Links: 1. https://github.com/pypa/warehouse/milestone/10 2. https://github.com/pypa/warehouse/milestone/1 3. https://github.com/pypa/warehouse/projects/1 4. https://wiki.python.org/psf/PackagingWG/PyPIBetaAnnouncement 5. https://wiki.python.org/psf/PackagingWG/2018-03-12-Warehouse 6. https://github.com/pypa/warehouse/pull/3212 7. https://github.com/pypa/warehouse/pull/3166 8. https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi 9. https://github.com/pypa/warehouse/issues/2935 10. https://github.com/pypa/warehouse/pull/3076 11. https://github.com/pypa/conveyor/commits?author=ewdurbin=2018-03-06T05:00:00Z=2018-03-15T04:00:00Z 12. https://github.com/cabotage/cabotage-app/commits?author=ewdurbin=2018-03-06T05:00:00Z=2018-03-15T04:00:00Z 13. https://ernest.ly/imgs/cabotage-release-scale-up-scale-down.gif 14. https://github.com/travis-ci/docs-travis-ci-com/pull/1726 15. https://github.com/pypa/warehouse-camo/pull/1 16. https://github.com/pypa/readme_renderer/pull/65 17. https://github.com/pypa/warehouse/pull/3158 18. https://github.com/pypa/warehouse/pull/3160 19. 
https://github.com/pypa/warehouse/pull/3165 20. https://github.com/pypa/warehouse/pull/3193 21. https://github.com/pypa/warehouse/pull/3214 22. https://github.com/pypa/warehouse/issues/3238 23. https://github.com/pypa/warehouse/issues/994 24. http://whoisnicoleharris.com/2018/03/13/user-testing-warehouse.html 25. https://github.com/pypa/warehouse/issues/3174 26. https://wiki.python.org/psf/PackagingSprints 27. https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22 28. https://warehouse.readthedocs.io/development/getting-started/ 29. https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/ 30. https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
Re: Packaging/Warehouse sprint at PyCon 2018
https://wiki.python.org/psf/PackagingSprints is where I've started a list of our upcoming planned sprints (right now, PyCon North America and EuroPython), with who's attending each and what we might work on there. At PyCon in Cleveland, possible work includes: * User testing * Updating the PyPA roadmap * Packaging Problems triage * PyPI API keys and two-factor auth, with Luke Sneeringer & Donald Stufft * Architecture for new Warehouse API URL structure -Sumana On 02/13/2018 11:22 PM, Sumana Harihareswara wrote: > Reminder: this Thursday, Feb. 15th, is the last day to request financial > aid to attend PyCon https://us.pycon.org/2018/financial-assistance/ and > thus the sprints. If money's a reason you're assuming you can't come > join us and improve Warehouse and other Python packaging/distribution > tools, I hope you'll apply for financial assistance. > > On 01/30/2018 01:39 PM, Sumana Harihareswara wrote: >> In case you're planning your PyCon Cleveland travel: we are planning to >> hold a Warehouse/packaging sprint at PyCon (the sprints are Monday, May >> 14th - Thursday, May 17th 2018). >> >> We welcome package maintainers, backend and frontend web developers, >> infrastructure administrators, technical writers, and testers to help us >> make the new PyPI, and the packaging ecosystem more generally, as usable >> and robust as possible. I took the liberty of updating >> https://us.pycon.org/2018/community/sprints/ to say so. >> >> Once we're closer to the sprints I'll work on a more detailed list of >> things we'll work on in Cleveland. >> > -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Re: release blockers for pip
On 03/07/2018 11:22 AM, Sumana Harihareswara wrote: > I saw today that pip's last release, 9.0.1, was in November 2016. > https://pypi.org/project/pip/#history > > Since that release, 250+ PRs have been merged: > https://github.com/pypa/pip/pulls?utf8=%E2%9C%93=is%3Apr+is%3Amerged+updated%3A%3E%3D2016-11-06 > > I see that a few issues > https://github.com/pypa/pip/issues?q=is%3Aopen+is%3Aissue+label%3A%22release+blocker%22 > are marked as blocking the next release, but are they all blocking *any* > next release (such as a 9.0.2 bugfix release), or would it be possible > to release soon anyway, while working towards 10.0.0? Or are there > backwards-incompatible changes in trunk? > > -Sumana Of course, a few minutes after posting this, I see Pradyun's roadmap for releasing 10.0 in https://github.com/pypa/pip/issues/4981#issuecomment-369495847 . -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
release blockers for pip
I saw today that pip's last release, 9.0.1, was in November 2016. https://pypi.org/project/pip/#history Since that release, 250+ PRs have been merged: https://github.com/pypa/pip/pulls?utf8=%E2%9C%93=is%3Apr+is%3Amerged+updated%3A%3E%3D2016-11-06 I see that a few issues https://github.com/pypa/pip/issues?q=is%3Aopen+is%3Aissue+label%3A%22release+blocker%22 are marked as blocking the next release, but are they all blocking *any* next release (such as a 9.0.2 bugfix release), or would it be possible to release soon anyway, while working towards 10.0.0? Or are there backwards-incompatible changes in trunk? -Sumana -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Re: Twine 1.10.0rc1 on Test PyPI
My current guess is that if the RC were on https://pypi.org, rather than https://test.pypi.org, Travis would be able to grab it using PIP_PRE. -Sumana On 03/03/2018 03:09 PM, Cosimo Lupo wrote: > Maybe you could try writing a pip configuration file in > $HOME/.config/pip/pip.conf (or /etc/pip.conf). Travis dpl must be using pip > to download twine, and pip should be able to look there for a `pre` option. > (I just guess, haven’t tried myself) > > -- > > > Cosimo > > On 3 Mar 2018, 18:30 +, Jason R. Coombs <jar...@jaraco.com> wrote: >> I tried but as you can see in this job, the environment variables aren’t >> honored, so it seems I cannot test a twine release in Travis. At this point, >> I think I’ll just wait for the official release. >> >>> On 3 Mar, 2018, at 11:17, Jason R. Coombs <jar...@jaraco.com> wrote: >>> >>> Thanks for working on this! >>> >>> In my particular use-case, I rarely run twine myself, but instead rely on >>> the Travis-CI DPL routine. Looking at that code, I don’t see any means I >>> have to test a pre-release version. >>> >>> Given the presumably broad impact this one use-case has, it would be nice >>> if there were a way to test it against pre-release versions of twine (and >>> maybe also wheel, pip, and setuptools). Perhaps it would be worthwhile to >>> propose a hook to that project to enable the versions of those projects to >>> be specified for selective testing. >>> >>> Oh, I just had an idea - perhaps one could set the PIP_PRE environment >>> variable and that would affect the install and allow the pre-release to be >>> tested. I’ll give that a go. >>> >>>> On 3 Mar, 2018, at 11:06, Sumana Harihareswara <s...@changeset.nyc> wrote: >>>> >>>> Wrong URL (did I mention I'm new at this?). 
View 1.10.0rc1, including a >>>> fairly spiffy new README, at: >>>> https://test.pypi.org/project/twine/1.10.0rc1/ -- and please pass word >>>> along to our downstreams. >>>> >>>> -Sumana >>>> >>>> On 03/02/2018 05:32 PM, Sumana Harihareswara wrote: >>>>> (So it turns out I've taken on a volunteer gig, which is that I'm now >>>>> one of the Twine maintainers. I may be wrong about how to do this - >>>>> please feel free to comment on https://github.com/pypa/twine/pull/314 >>>>> which is where I'm pulling together a new release checklist for myself.) >>>>> >>>>> https://test.pypi.org/manage/project/twine/release/1.10.0rc1/ >>>>> >>>>> This is a release candidate for Twine 1.10.0 which I'm planning to >>>>> release early next week. >>>>> >>>>> This release improves project registration usage text (in some cases >>>>> removing it where inapplicable), and updates `--repository[-url]` usage >>>>> text, prints progress to `stdout` instead of `stderr`, improves the >>>>> progressbar, and reorganizes and improves user and developer >>>>> documentation. >>>>> >>>>> Please see the changelog >>>>> https://twine.readthedocs.io/en/latest/changelog.html for detailed notes >>>>> under "Next feature release". >>>>> >>>>> I believe this is how you test it out: >>>>> >>>>> pip install --upgrade --pre --index-url https://test.pypi.org/simple/ >>>>> --extra-index-url https://pypi.org/simple twine >>>>> >>>>> Please check existing open issues at >>>>> https://github.com/pypa/twine/issues and open new ones if you have >>>>> problems. Thanks! >>>> >>>> >>>> -- >>>> Sumana Harihareswara >>>> Changeset Consulting >>>> https://changeset.nyc
Re: Twine 1.10.0rc1 on Test PyPI
Wrong URL (did I mention I'm new at this?). View 1.10.0rc1, including a fairly spiffy new README, at: https://test.pypi.org/project/twine/1.10.0rc1/ -- and please pass word along to our downstreams. -Sumana On 03/02/2018 05:32 PM, Sumana Harihareswara wrote: > (So it turns out I've taken on a volunteer gig, which is that I'm now > one of the Twine maintainers. I may be wrong about how to do this - > please feel free to comment on https://github.com/pypa/twine/pull/314 > which is where I'm pulling together a new release checklist for myself.) > > https://test.pypi.org/manage/project/twine/release/1.10.0rc1/ > > This is a release candidate for Twine 1.10.0 which I'm planning to > release early next week. > > This release improves project registration usage text (in some cases > removing it where inapplicable), and updates `--repository[-url]` usage > text, prints progress to `stdout` instead of `stderr`, improves the > progressbar, and reorganizes and improves user and developer documentation. > > Please see the changelog > https://twine.readthedocs.io/en/latest/changelog.html for detailed notes > under "Next feature release". > > I believe this is how you test it out: > > pip install --upgrade --pre --index-url https://test.pypi.org/simple/ > --extra-index-url https://pypi.org/simple twine > > Please check existing open issues at > https://github.com/pypa/twine/issues and open new ones if you have > problems. Thanks! -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Twine 1.10.0rc1 on Test PyPI
(So it turns out I've taken on a volunteer gig, which is that I'm now one of the Twine maintainers. I may be wrong about how to do this - please feel free to comment on https://github.com/pypa/twine/pull/314 which is where I'm pulling together a new release checklist for myself.) https://test.pypi.org/manage/project/twine/release/1.10.0rc1/ This is a release candidate for Twine 1.10.0 which I'm planning to release early next week. This release improves project registration usage text (in some cases removing it where inapplicable), and updates `--repository[-url]` usage text, prints progress to `stdout` instead of `stderr`, improves the progressbar, and reorganizes and improves user and developer documentation. Please see the changelog https://twine.readthedocs.io/en/latest/changelog.html for detailed notes under "Next feature release". I believe this is how you test it out: pip install --upgrade --pre --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple twine Please check existing open issues at https://github.com/pypa/twine/issues and open new ones if you have problems. Thanks! -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
who owns pypa-announce?
I see https://groups.google.com/forum/#!forum/pypa-announce has never had a post and had 13 subscribers. :) I'm working on putting out Twine 1.10.0 early next week and pypa-announce seems like a logical place to announce it and similar PyPA-related releases. Who runs that list? -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Re: Packaging/Warehouse sprint at PyCon 2018
Reminder: this Thursday, Feb. 15th, is the last day to request financial aid to attend PyCon https://us.pycon.org/2018/financial-assistance/ and thus the sprints. If money's a reason you're assuming you can't come join us and improve Warehouse and other Python packaging/distribution tools, I hope you'll apply for financial assistance. On 01/30/2018 01:39 PM, Sumana Harihareswara wrote: > In case you're planning your PyCon Cleveland travel: we are planning to > hold a Warehouse/packaging sprint at PyCon (the sprints are Monday, May > 14th - Thursday, May 17th 2018). > > We welcome package maintainers, backend and frontend web developers, > infrastructure administrators, technical writers, and testers to help us > make the new PyPI, and the packaging ecosystem more generally, as usable > and robust as possible. I took the liberty of updating > https://us.pycon.org/2018/community/sprints/ to say so. > > Once we're closer to the sprints I'll work on a more detailed list of > things we'll work on in Cleveland. > -- Sumana Harihareswara Changeset Consulting https://changeset.nyc
Warehouse: package manager features & question about advertising
Here's your weekly update on Warehouse, powering the new PyPI.[0]

Perhaps the biggest news is that the pace of our progress is making us optimistic; we expect to finish all the issues in the first milestone next week, which means Warehouse will have all the essential features package maintainers need.[1] When we get there, we'll be asking some active maintainers to take some time and poke at the site (in the browser and using the APIs) to let us know of any bugs or confusion.

In the past week, we've made a ton of progress on, for instance, viewing releases[2] and managing user emails.[3] You can try those out right now at the pre-production site.[4] And the PyPI footer has various policies properly linked in the footer now -- thanks for your advice, PSF![5] Plus, a fix to human-friendly time indicators.[6]

Also: Ever wonder how Twine is structured?[7] How does core metadata with multiple email addresses look?[8] And we continued our work on making our credentials handling for Kubernetes more robust.[9]

Part of our work is setting up Warehouse on a good foundation for future work, so we spent some time sorting out stuff like: what API documentation do we need?[10] There's a new GitHub label for issues that ask: what APIs do we need?[11] And we restarted the discussion: How much work should we put into Warehouse localisation?[12]

Luke Sneeringer volunteered to work on two-factor auth and PyPI API keys, which is great![13]

As usual, the notes from our weekly meeting are on the Packaging Working Group wiki.[14] We've also introduced an overview of Warehouse's near-term progress using the GitHub "Projects" feature[15], in case you want to see what we're working on and what's next in a bit more detail than the roadmap.[16]

Folks who want to help: we have several good first contribution issues[17] and a guide to getting started[18].

Also, as we prepare for future publicity pushes, please let me know (replying offlist is probably best): where should we advertise to reach occasional and non-Anglophone programmers?[19]

Thanks to Mozilla and the PSF for their support for the PyPI & Warehouse work![20][21]

[0] https://github.com/pypa/warehouse/
[1] https://github.com/pypa/warehouse/milestone/8
[2] https://github.com/pypa/warehouse/pull/2879
[3] https://github.com/pypa/warehouse/pull/2904
[4] https://pypi.org/
[5] https://github.com/pypa/warehouse/issues/1989
[6] https://github.com/pypa/warehouse/pull/2924
[7] https://github.com/pypa/twine/pull/296
[8] https://github.com/pypa/python-packaging-user-guide/pull/429
[9] https://github.com/cabotage/cabotage-app/commits/master
[10] https://github.com/pypa/warehouse/issues/2913
[11] https://github.com/pypa/warehouse/labels/APIs%2Ffeeds
[12] https://github.com/pypa/warehouse/issues/1453
[13] https://github.com/pypa/warehouse/issues/994
[14] https://wiki.python.org/psf/PackagingWG/2018-02-12-Warehouse
[15] https://github.com/pypa/warehouse/projects/1
[16] https://wiki.python.org/psf/WarehouseRoadmap
[17] https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22
[18] https://warehouse.readthedocs.io/development/getting-started/
[19] https://ask.metafilter.com/319055/How-do-I-reach-occasional-and-non-Anglophone-Python-programmers
[20] https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
[21] https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/

--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
Re: barriers to Warehouse contribution
To reply to part of Matt's request:

On 01/17/2018 10:29 AM, mbac...@gmail.com wrote:
> I like the idea of creating resources to enable developers to understand
> the product architecture better. I have been working at getting up to speed
> on warehouse development and could have used just such a thing. I'm not a
> web developer but do work with Python so understanding why/how some
> decisions have been made about the design of the application would go a
> long way to grokking the overall project. Also maybe providing a list of
> technologies and methodologies that would be good to know to be most
> effective when working on the project would help people level up on things
> they should know in advance.

I've just submitted a pull request https://github.com/pypa/warehouse/pull/2937 that starts addressing this, and welcome reviews. And I've created some open issues for some further types of documentation in https://github.com/pypa/warehouse/issues?q=is%3Aopen+is%3Aissue+label%3Adocumentation in case folks want to comment, +1, etc.

I'm also working on the other things Matt mentioned -- having more people available to answer questions synchronously and clearing up the inventory of communication channels.

Thanks!

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Warehouse update: still on track, new features
Here's your weekly update on Warehouse, powering the new PyPI.[0]

You can see some noticeable improvements to Warehouse right now compared to last week. There's a mobile UI for managing projects[1], and a project owner can now delete a project.[2] We also have several CSS tweaks and other continuing design improvements -- we're lucky to be working with Nicole on this.[3]

Less visibly, we have further Kubernetes security work by Ernest in cabotage[4] and Dustin's work on a generic token service[5]. We're still on track to hit the Maintainer MVP milestone at the end of this month.[6]

On the documentation and outreach side, Laura and I have been preparing to contact very active maintainers when we hit that milestone, and we've been improving the packaging user guide,[7] and working a bit on Twine (e.g., documentation for using python-keyring with Twine to avoid having to use a .pypirc).[8] Thanks to Jon Wayne Parrott for fixing an issue Dustin spotted[9] so that pypa.io gets fresh updates again.[10]

In PEP progress, PEP 541 is moving forward again, with a pull request for a change in BDFL-Delegate.[11]

As usual, meeting notes from our weekly discussion are on the wiki.[12] And if you want to get started contributing to Warehouse, Ernest wants to help you and give you stickers, and has 30-minute 1:1 slots available.[13] Right now we have eleven open issues marked as good for newcomers.[14]

Thanks to Mozilla for their support for the PyPI & Warehouse work, and thanks to the PSF for facilitating and supporting this work![15][16]

[0] https://pypi.org/
[1] https://github.com/pypa/warehouse/pull/2865
[2] https://github.com/pypa/warehouse/pull/2821
[3] http://whoisnicoleharris.com/warehouse/
[4] https://github.com/cabotage/cabotage-app/commits/master
[5] https://github.com/pypa/warehouse/pull/2864
[6] https://github.com/pypa/warehouse/milestone/8
[7] https://github.com/pypa/python-packaging-user-guide/pull/426
[8] https://github.com/pypa/python-packaging-user-guide/issues/297#issuecomment-362426940
[9] https://groups.google.com/forum/#!topic/pypa-dev/jzXR3A3E-dw
[10] https://www.pypa.io/en/latest/roadmap/
[11] https://github.com/python/peps/pull/566
[12] https://wiki.python.org/psf/PackagingWG/2018-02-05-Warehouse
[13] https://twitter.com/EWDurbin/status/955415184339849217
[14] https://github.com/pypa/warehouse/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22
[15] https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
[16] https://blog.mozilla.org/blog/2018/01/23/moss-q4-supporting-python-ecosystem/

--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
Re: pypa.io cert is being rejected by Chrome
On 10/16/2017 05:39 PM, Jon Wayne Parrott wrote:
> Chrome recently blacklisted some CAs and pypa.io's SSL cert is now invalid.
>
> I'm not sure who can fix that, but I'm happy to help if I can. :)

This is still a problem: https://github.com/pypa/pypa.io/issues/21

https://pypa.io does not display in Chrome because of a revoked certificate from Issuer: StartCom Class 3 OV Server CA.

As the Warehouse project ramps up and I'm pointing more people to relevant PyPA pages on pypa.io I'd love for this to be addressed.

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
Warehouse update: role management & welcoming first-time contributors
In the past week, the Warehouse team's continued making progress despite a few of us getting sick.

The biggest news is that the master branch now includes the foundation for a bunch of useful UI for maintainers. Several people collaborated on a role management feature[0] so a project Owner can add and remove Maintainer and Owner roles for their projects. This enables us to work on further release management features.

We made progress on more improvements, including to developer experience, that you'll see in future updates. And thanks to Srinivas Garlapati for starting a password reset feature PR that we were able to finish up and merge.[1]

We've turned a number of umbrella issues into more specific issues for the maintainer MVP milestone[2] which we continue working on. And if you're looking for a good first issue as you start contributing to Warehouse, there's one in our current milestone we'd love help with: "Valid `Author-email` and `Maintainer-email` fields are rejected".[3] If you are or know someone who wants to be a first-time contributor, check out Ernest's offer of neat stickers and mentorship time![4]

As we get closer to the maintainer MVP milestone, we're preparing to publicize it and future milestones, including to developers who don't usually watch distribution and packaging discussions. So we're making lists of places to post notices, and we're using PyPI data and libraries.io to find projects and maintainers to personally contact. And we're working on future announcement channels, e.g., banners and a special announcement mailing list.[5]

Once again, thanks to Mozilla for their support for this project.[6] More next week!

[0] https://github.com/pypa/warehouse/pull/2705
[1] https://github.com/pypa/warehouse/pull/2764
[2] https://github.com/pypa/warehouse/milestone/8
[3] https://github.com/pypa/warehouse/issues/2679
[4] https://twitter.com/EWDurbin/status/955413628408205313
[5] https://github.com/python/psf-infra-meta/issues/1
[6] https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc