Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Terry Reedy



On 7/15/2013 11:46 PM, Benjamin Peterson wrote:

> If you have c3a510b22218 in your repo, you will need to strip it like this
>
> $ hg strip c3a510b22218
>
> (make sure to have the mq extension enabled)


Does the subject mean that if I have not pulled recently (a day, at 
least), it will not get pulled? (because of having been stripped from 
the repo)?


___
python-committers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-committers


Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Ronald Oussoren

On 16 Jul, 2013, at 5:46, Benjamin Peterson  wrote:

> If you have c3a510b22218 in your repo, you will need to strip it like this
> 
> $ hg strip c3a510b22218
> 
> (make sure to have the mq extension enabled)
> 
> Sorry for the trouble.

If I do that and run "hg incoming" I get a number of incoming changes (see 
below). 
I did do some work before seeing your message, does that mean I've accidentally 
reverted your fix to the repository?

Ronald


ronald@gondolin[0]$ hg pull -u
pulling from ssh://[email protected]/cpython
searching for changes
adding changesets
adding manifests
adding file changes
added 5 changesets with 4 changes to 1 files
1 files updated, 0 files merged, 0 files removed, 0 files unresolved

[~/Projects/python/rw/default]
ronald@gondolin[0]$ hg strip c3a510b22218
1 files updated, 0 files merged, 0 files removed, 0 files unresolved
saved backup bundle to 
/Users/ronald/Projects/python/rw/default/.hg/strip-backup/c3a510b22218-backup.hg

[~/Projects/python/rw/default]
ronald@gondolin[0]$ hg incoming
comparing with ssh://[email protected]/cpython
searching for changes
changeset:   84653:c3a510b22218
branch:  3.3
parent:  84651:e22dd5fda5a8
user:Benjamin Peterson 
date:Mon Jul 15 19:15:34 2013 -0700
summary: check the return value of new_string() (closes #18470)

changeset:   84654:2650127ce034
parent:  84652:8a078bf3cf14
parent:  84653:c3a510b22218
user:Benjamin Peterson 
date:Mon Jul 15 20:47:47 2013 -0700
summary: merge 3.3 (closes #18470)

changeset:   84655:72312ff5f712
branch:  3.3
parent:  84653:c3a510b22218
user:Benjamin Peterson 
date:Mon Jul 15 20:50:22 2013 -0700
summary: move declaration to top of block

changeset:   84656:daf9ea42b610
parent:  84654:2650127ce034
parent:  84655:72312ff5f712
user:Benjamin Peterson 
date:Mon Jul 15 20:50:25 2013 -0700
summary: merge 3.3

changeset:   84657:7272ef213b7c
tag: tip
user:Ronald Oussoren 
date:Tue Jul 16 08:32:05 2013 +0200
summary: Also remove a (broken) leaker test for the code removed in issue 
#18393.




Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Benjamin Peterson
It should be safe to continue pulling. Those revisions you see below
are ones committed after I stripped the repo.

2013/7/16 Ronald Oussoren :
>
> On 16 Jul, 2013, at 5:46, Benjamin Peterson  wrote:
>
>> If you have c3a510b22218 in your repo, you will need to strip it like this
>>
>> $ hg strip c3a510b22218
>>
>> (make sure to have the mq extension enabled)
>>
>> Sorry for the trouble.
>
> If I do that and run "hg incoming" I get a number of incoming changes (see 
> below).
> I did do some work before seeing your message, does that mean I've accidentally
> reverted your fix to the repository?
>
> Ronald
>
>
> ronald@gondolin[0]$ hg pull -u
> pulling from ssh://[email protected]/cpython
> searching for changes
> adding changesets
> adding manifests
> adding file changes
> added 5 changesets with 4 changes to 1 files
> 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
>
> [~/Projects/python/rw/default]
> ronald@gondolin[0]$ hg strip c3a510b22218
> 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
> saved backup bundle to 
> /Users/ronald/Projects/python/rw/default/.hg/strip-backup/c3a510b22218-backup.hg
>
> [~/Projects/python/rw/default]
> ronald@gondolin[0]$ hg incoming
> comparing with ssh://[email protected]/cpython
> searching for changes
> changeset:   84653:c3a510b22218
> branch:  3.3
> parent:  84651:e22dd5fda5a8
> user:Benjamin Peterson 
> date:Mon Jul 15 19:15:34 2013 -0700
> summary: check the return value of new_string() (closes #18470)
>
> changeset:   84654:2650127ce034
> parent:  84652:8a078bf3cf14
> parent:  84653:c3a510b22218
> user:Benjamin Peterson 
> date:Mon Jul 15 20:47:47 2013 -0700
> summary: merge 3.3 (closes #18470)
>
> changeset:   84655:72312ff5f712
> branch:  3.3
> parent:  84653:c3a510b22218
> user:Benjamin Peterson 
> date:Mon Jul 15 20:50:22 2013 -0700
> summary: move declaration to top of block
>
> changeset:   84656:daf9ea42b610
> parent:  84654:2650127ce034
> parent:  84655:72312ff5f712
> user:Benjamin Peterson 
> date:Mon Jul 15 20:50:25 2013 -0700
> summary: merge 3.3
>
> changeset:   84657:7272ef213b7c
> tag: tip
> user:Ronald Oussoren 
> date:Tue Jul 16 08:32:05 2013 +0200
> summary: Also remove a (broken) leaker test for the code removed in issue 
> #18393.
>
>



-- 
Regards,
Benjamin


Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Benjamin Peterson
You should be completely safe if you didn't pull at all yesterday.

2013/7/16 Terry Reedy :
>
>
> On 7/15/2013 11:46 PM, Benjamin Peterson wrote:
>>
>> If you have c3a510b22218 in your repo, you will need to strip it like this
>>
>> $ hg strip c3a510b22218
>>
>> (make sure to have the mq extension enabled)
>
>
> Does the subject mean that if I have not pulled recently (a day, at least),
> it will not get pulled? (because of having been stripped from the repo)?
>
> ___
> python-committers mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/python-committers



-- 
Regards,
Benjamin


Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Ronald Oussoren

On 16 Jul, 2013, at 18:03, Benjamin Peterson  wrote:

> It should be safe to continue pulling. Those revisions you see below
> are ones committed after I stripped the repo.

Isn't the first one the stripped changeset? 

Ronald

> 
> 2013/7/16 Ronald Oussoren :
>> 
>> On 16 Jul, 2013, at 5:46, Benjamin Peterson  wrote:
>> 
>>> If you have c3a510b22218 in your repo, you will need to strip it like this
>>> 
>>> $ hg strip c3a510b22218
>>> 
>>> (make sure to have the mq extension enabled)
>>> 
>>> Sorry for the trouble.
>> 
>> If I do that and run "hg incoming" I get a number of incoming changes (see 
>> below).
>> I did do some work before seeing your message, does that mean I've accidentally
>> reverted your fix to the repository?
>> 
>> Ronald
>> 
>> 
>> ronald@gondolin[0]$ hg pull -u
>> pulling from ssh://[email protected]/cpython
>> searching for changes
>> adding changesets
>> adding manifests
>> adding file changes
>> added 5 changesets with 4 changes to 1 files
>> 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
>> 
>> [~/Projects/python/rw/default]
>> ronald@gondolin[0]$ hg strip c3a510b22218
>> 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
>> saved backup bundle to 
>> /Users/ronald/Projects/python/rw/default/.hg/strip-backup/c3a510b22218-backup.hg
>> 
>> [~/Projects/python/rw/default]
>> ronald@gondolin[0]$ hg incoming
>> comparing with ssh://[email protected]/cpython
>> searching for changes
>> changeset:   84653:c3a510b22218
>> branch:  3.3
>> parent:  84651:e22dd5fda5a8
>> user:Benjamin Peterson 
>> date:Mon Jul 15 19:15:34 2013 -0700
>> summary: check the return value of new_string() (closes #18470)
>> 
>> changeset:   84654:2650127ce034
>> parent:  84652:8a078bf3cf14
>> parent:  84653:c3a510b22218
>> user:Benjamin Peterson 
>> date:Mon Jul 15 20:47:47 2013 -0700
>> summary: merge 3.3 (closes #18470)
>> 
>> changeset:   84655:72312ff5f712
>> branch:  3.3
>> parent:  84653:c3a510b22218
>> user:Benjamin Peterson 
>> date:Mon Jul 15 20:50:22 2013 -0700
>> summary: move declaration to top of block
>> 
>> changeset:   84656:daf9ea42b610
>> parent:  84654:2650127ce034
>> parent:  84655:72312ff5f712
>> user:Benjamin Peterson 
>> date:Mon Jul 15 20:50:25 2013 -0700
>> summary: merge 3.3
>> 
>> changeset:   84657:7272ef213b7c
>> tag: tip
>> user:Ronald Oussoren 
>> date:Tue Jul 16 08:32:05 2013 +0200
>> summary: Also remove a (broken) leaker test for the code removed in 
>> issue #18393.
>> 
>> 
> 
> 
> 
> -- 
> Regards,
> Benjamin



Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Benjamin Peterson
Oops, the bad one is actually

8889c9b5dd3a

2013/7/16 Ronald Oussoren :
>
> On 16 Jul, 2013, at 18:03, Benjamin Peterson  wrote:
>
>> It should be safe to continue pulling. Those revisions you see below
>> are ones committed after I stripped the repo.
>
> Isn't the first one the stripped changeset?
>
> Ronald
>
>>
>> 2013/7/16 Ronald Oussoren :
>>>
>>> On 16 Jul, 2013, at 5:46, Benjamin Peterson  wrote:
>>>
>>>> If you have c3a510b22218 in your repo, you will need to strip it like this
>>>>
>>>> $ hg strip c3a510b22218
>>>>
>>>> (make sure to have the mq extension enabled)
>>>>
>>>> Sorry for the trouble.
>>>
>>> If I do that and run "hg incoming" I get a number of incoming changes (see 
>>> below).
>>> I did do some work before seeing your message, does that mean I've accidentally
>>> reverted your fix to the repository?
>>>
>>> Ronald
>>>
>>>
>>> ronald@gondolin[0]$ hg pull -u
>>> pulling from ssh://[email protected]/cpython
>>> searching for changes
>>> adding changesets
>>> adding manifests
>>> adding file changes
>>> added 5 changesets with 4 changes to 1 files
>>> 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
>>>
>>> [~/Projects/python/rw/default]
>>> ronald@gondolin[0]$ hg strip c3a510b22218
>>> 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
>>> saved backup bundle to 
>>> /Users/ronald/Projects/python/rw/default/.hg/strip-backup/c3a510b22218-backup.hg
>>>
>>> [~/Projects/python/rw/default]
>>> ronald@gondolin[0]$ hg incoming
>>> comparing with ssh://[email protected]/cpython
>>> searching for changes
>>> changeset:   84653:c3a510b22218
>>> branch:  3.3
>>> parent:  84651:e22dd5fda5a8
>>> user:Benjamin Peterson 
>>> date:Mon Jul 15 19:15:34 2013 -0700
>>> summary: check the return value of new_string() (closes #18470)
>>>
>>> changeset:   84654:2650127ce034
>>> parent:  84652:8a078bf3cf14
>>> parent:  84653:c3a510b22218
>>> user:Benjamin Peterson 
>>> date:Mon Jul 15 20:47:47 2013 -0700
>>> summary: merge 3.3 (closes #18470)
>>>
>>> changeset:   84655:72312ff5f712
>>> branch:  3.3
>>> parent:  84653:c3a510b22218
>>> user:Benjamin Peterson 
>>> date:Mon Jul 15 20:50:22 2013 -0700
>>> summary: move declaration to top of block
>>>
>>> changeset:   84656:daf9ea42b610
>>> parent:  84654:2650127ce034
>>> parent:  84655:72312ff5f712
>>> user:Benjamin Peterson 
>>> date:Mon Jul 15 20:50:25 2013 -0700
>>> summary: merge 3.3
>>>
>>> changeset:   84657:7272ef213b7c
>>> tag: tip
>>> user:Ronald Oussoren 
>>> date:Tue Jul 16 08:32:05 2013 +0200
>>> summary: Also remove a (broken) leaker test for the code removed in 
>>> issue #18393.
>>>
>>>
>>
>>
>>
>> --
>> Regards,
>> Benjamin
>



-- 
Regards,
Benjamin
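
Added example, not part of any message in this thread: a small parser for `hg incoming` output that reports whether a changeset you stripped locally is still offered by the server, and which incoming changesets descend from it (a strip removes those too, so they all return on the next pull). The function names are illustrative, the sample is trimmed from the listing quoted above, and the rule for changesets without a `parent:` line is an assumption about hg's default log format.

```python
import re

# Constructed sample: the `hg incoming` listing quoted in this thread, trimmed
# to its changeset/parent lines (rev:node pairs are the thread's own).
SAMPLE = """\
changeset:   84653:c3a510b22218
parent:      84651:e22dd5fda5a8
changeset:   84654:2650127ce034
parent:      84652:8a078bf3cf14
parent:      84653:c3a510b22218
changeset:   84655:72312ff5f712
parent:      84653:c3a510b22218
changeset:   84656:daf9ea42b610
parent:      84654:2650127ce034
parent:      84655:72312ff5f712
changeset:   84657:7272ef213b7c
"""

FIELD = re.compile(r"^(changeset|parent):\s+(\d+):([0-9a-f]{12})\s*$")

def parse_incoming(text):
    """Return [(rev, node, parent_nodes)] sorted by revision number."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # branch/user/date/summary lines are ignored
        kind, rev, node = m.group(1), int(m.group(2)), m.group(3)
        if kind == "changeset":
            entries.append((rev, node, set()))
        elif entries:
            entries[-1][2].add(node)
    by_rev = {rev: node for rev, node, _ in entries}
    for rev, _, parents in entries:
        # Assumption: no "parent:" line means the parent is revision rev-1.
        if not parents and rev - 1 in by_rev:
            parents.add(by_rev[rev - 1])
    return sorted(entries, key=lambda e: e[0])

def incoming_with_descendants(text, node):
    """Return (node is incoming, incoming changesets that descend from it)."""
    entries = parse_incoming(text)
    tainted, descendants = {node}, []
    for _, child, parents in entries:  # parents always precede children
        if parents & tainted:
            tainted.add(child)
            descendants.append(child)
    return any(n == node for _, n, _ in entries), descendants
```
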


Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Barry Warsaw
On Jul 16, 2013, at 09:31 AM, Benjamin Peterson wrote:

>Oops, the bad one is actually
>
>8889c9b5dd3a

Uh, then how do we unstrip the other one?  Or should we just re-clone and
ignore this ever happened? ;)

-Barry


Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Serhiy Storchaka

16.07.13 19:31, Benjamin Peterson wrote:

> Oops, the bad one is actually
>
> 8889c9b5dd3a


Now I can pull!




Re: [python-committers] IMPORTANT: Strip your repos if you pulled recently

2013-07-16 Thread Benjamin Peterson
You can just pull.

2013/7/16 Barry Warsaw :
> On Jul 16, 2013, at 09:31 AM, Benjamin Peterson wrote:
>
>>Oops, the bad one is actually
>>
>>8889c9b5dd3a
>
> Uh, then how do we unstrip the other one?  Or should we just re-clone and
> ignore this ever happened? ;)
>
> -Barry
> ___
> python-committers mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/python-committers



-- 
Regards,
Benjamin


Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue

2013-07-16 Thread Ezio Melotti
Hi,

On Mon, Jul 15, 2013 at 2:08 PM, R. David Murray  wrote:
> On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord  
> wrote:
>>
>> On 15 Jul 2013, at 11:05, "M.-A. Lemburg"  wrote:
>>
>> > Who would be the one to contact for issues like these ?
>> >
>> > The case is rather urgent, since the XSS can be used for stealing
>> > session cookies on *.python.org.
>> >
>> > The sorting by password issue is a more obscure one. Just removing
>> > the "feature" to sort by password should be enough to solve it.
>>
>> Technically it's an infrastructure issue (cc'd), but fixing the code of 
>> roundup is hardly their domain.
>>
>> Ezio Melotti (cc'd) did a lot of work on the Python installation of roundup, 
>> so he may have a better idea.
>>
>> We have a security mailing list but that is mainly intended for security 
>> issues in the language:
>>
>>   [email protected] 
>
> The OP also emailed security (which I heard about via IRC, I'm not
> on that list).
>
> Ezio is a Roundup developer, so he is indeed the best person to look
> at the XSS issue, since it is a Roundup problem and not specific to
> the Tracker.  I can take a look too but he is more knowledgeable
> than I about roundup itself.
>

I don't have time to look at this now, and it might take up to 2 weeks
before I find some time.
The fix is usually as simple as adding a call to escape() in the right
spot, but finding the right spot and testing that the fix works might
take some time.
Before doing this, our Roundup instance should be updated (1.5.0 has
been released recently, but AFAIK it doesn't include a fix for this).
FTR the issue has been reported upstream at
.

Best Regards,
Ezio Melotti

> There is another problem which is specific to our tracker and which is the
> bigger issue right at the moment.  We have a 'nobody' user with a blank
> password and Developer privileges.
>
> I'm about to go out, so I don't want to make a change that might break
> something right this moment, but anyone with the Coordinator role
> could take this on if they want to do it right now:  remove either the
> Developer role, or both roles, from that user and see what happens.
> I suspect that user should not exist at all, but I don't know for sure.
>
> --David