Re: [Distutils] Role of setuptools and eggs in "modern" distributing...

2014-12-31 Thread Reinout van Rees
Chris Barker schreef op 31-12-14 om 01:42: The combination we use now is to use buildout (instead of pip) in combination with the "syseggrecipe" (https://pypi.python.org/pypi/__syseggrecipe ) buildout add-on. Syseggrecipe allows us to

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Vladimir Diaz
On Wed, Dec 31, 2014 at 2:26 AM, Donald Stufft wrote: > > On Dec 10, 2014, at 10:16 PM, Vladimir Diaz > wrote: > > Hello everyone, > > I am a research programmer at the NYU School of Engineering. My > colleagues (Trishank Kuppusamy and Justin Cappos) and I are requesting > community feedback on

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Paul Moore
On 31 December 2014 at 16:08, Vladimir Diaz wrote: > Let me know exactly what needs to change in the PEPs to make everything > explained above clearer. For example, in PEP 458 we provide a > link/reference (last paragraph of this subsection) to the Metadata document > indicating the content of th

Re: [Distutils] Role of setuptools and eggs in "modern" distributing...

2014-12-31 Thread Nick Coghlan
On 31 Dec 2014 10:43, "Chris Barker" wrote: > > But the core problem here is that the scipy folks have been going to conda and enthought to solve their packaging problems, and the web folks have been doing pip, and maybe buildout -- so you get a bit of mess when you mix them. The problem always

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Nick Coghlan
On 1 January 2015 at 02:54, Paul Moore wrote: > I appreciate that the target audience for these PEPs is really PyPI > admins, at the moment, so maybe it's not the right time to look at > them from a project author perspective - if so, then feel free to > ignore these points for now :-) > I think

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Vladimir Diaz
In the PEP 458 world, package authors are not required to do anything. On Wed, Dec 31, 2014 at 11:54 AM, Paul Moore wrote: > On 31 December 2014 at 16:08, Vladimir Diaz > wrote: > > Let me know exactly what needs to change in the PEPs to make everything > > explained above clearer. For example

Re: [Distutils] Role of setuptools and eggs in "modern" distributing...

2014-12-31 Thread Chris Barker
On Wed, Dec 31, 2014 at 9:10 AM, Nick Coghlan wrote: > The problem always existed - it's the longstanding conflict between > "platform independent, language specific" tooling and "platform specific, > language independent" tooling. > > The former is often preferred on the developer side (since th

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Paul Moore
On 31 December 2014 at 17:43, Vladimir Diaz wrote: > PEP 480 includes a section that discusses a potential approach to packages > signed by package authors: > https://www.python.org/dev/peps/pep-0480/#automated-signing-solution > > Let us know what you think. Thanks for the pointer. I read the se

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Nick Coghlan
On 1 January 2015 at 04:04, Paul Moore wrote: > Anyway, I'll leave further comment to people with a better > understanding of the issue, although I'm happy to clarify if any of > the above isn't clear. > Expert blindness can be a serious problem when it comes to security design, so please keep t

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Donald Stufft
> On Dec 31, 2014, at 1:04 PM, Paul Moore wrote: > > On 31 December 2014 at 17:43, Vladimir Diaz wrote: >> PEP 480 includes a section that discusses a potential approach to packages >> signed by package authors: >> https://www.python.org/dev/peps/pep-0480/#automated-signing-solution >> >> Let

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Paul Moore
On 31 December 2014 at 18:42, Donald Stufft wrote: > Just to speak to these two points. The purpose behind having a developer > sign some files is that you can verify that those files were signed by > the person holding the private key belonging to that developer. [...] Thanks for the explanation

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Donald Stufft
> On Dec 31, 2014, at 2:05 PM, Paul Moore wrote: > > On 31 December 2014 at 18:42, Donald Stufft wrote: >> Just to speak to these two points. The purpose behind having a developer >> sign some files is that you can verify that those files were signed by >> the person holding the private key bel

Re: [Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

2014-12-31 Thread Donald Stufft
> On Dec 31, 2014, at 11:08 AM, Vladimir Diaz wrote: > > > > > > On Wed, Dec 31, 2014 at 2:26 AM, Donald Stufft > wrote: > >> On Dec 10, 2014, at 10:16 PM, Vladimir Diaz > > wrote: >> >> Hello everyone, >> >> I am a research prog