On 4/15/15 9:28 AM, Justin Cappos wrote:
Yes, it's another way to solve the problem. Both backtracking
dependency resolution and ZYpp will always find a solution. The
tradeoff is really in how they function. ZYpp is faster if there are
a lot of dependencies that conflict. The backtracking
On 15 April 2015 at 11:15, David Cournapeau courn...@gmail.com wrote:
This is indeed the case. If you want to solve dependencies in a way that
works well, you want an index that describes all your available package
versions.
While solving dependencies is indeed NP complete, they can be
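An added example, not code from this thread, from pip or from ZYpp, of the backtracking resolution Justin and David are discussing: a depth-first resolver over a small constructed index (package names and integer versions are assumed here for illustration; ZYpp's libsolv takes the SAT-solver route instead). It returns the first assignment that satisfies every requirement, is complete (a None result means no assignment exists in the index), and counts the dead ends it had to back out of, which is the cost that grows with the number of conflicting dependencies.

```python
"""Backtracking dependency resolution over a constructed in-memory index.

Assumed data model (not pip's or ZYpp's): versions are integers, and a
requirement is (package name, predicate on the version).
"""
from typing import Callable, Dict, List, Optional, Tuple

Req = Tuple[str, Callable[[int], bool]]
Index = Dict[str, Dict[int, List[Req]]]

# Constructed sample index. 'web' 2 only works with 'db' 1, which forces the
# resolver to back out of its first (newest) choice of 'db'.
INDEX: Index = {
    "app": {1: [("web", lambda v: v >= 1), ("db", lambda v: v >= 1)]},
    "web": {2: [("db", lambda v: v == 1)], 1: [("db", lambda v: v >= 1)]},
    "db": {2: [], 1: []},
}


def resolve(index: Index, reqs: List[Req]) -> Tuple[Optional[Dict[str, int]], int]:
    """Return ({name: version}, dead_ends), or (None, dead_ends) if unsatisfiable.

    Depth-first search: pick the newest candidate that satisfies the requirement,
    enqueue that candidate's own requirements, and undo the choice if any later
    requirement conflicts with it. Complete: every candidate is exhausted before
    failure is reported, so None means no assignment exists in the index.
    """
    dead_ends = 0

    def search(chosen: Dict[str, int], pending: List[Req]) -> Optional[Dict[str, int]]:
        nonlocal dead_ends
        if not pending:
            return chosen
        name, pred = pending[0]
        rest = pending[1:]
        if name in chosen:
            # Already pinned by an earlier choice: either it fits or we conflict.
            return search(chosen, rest) if pred(chosen[name]) else None
        for version in sorted(index.get(name, {}), reverse=True):
            if not pred(version):
                continue
            trial = dict(chosen)
            trial[name] = version
            result = search(trial, rest + list(index[name][version]))
            if result is not None:
                return result
            dead_ends += 1  # this candidate led to a conflict; try the next one
        return None

    return search({}, list(reqs)), dead_ends


if __name__ == "__main__":
    solution, cost = resolve(INDEX, [("app", lambda v: True)])
    print(solution, "after", cost, "dead end(s)")
    # Unsatisfiable: 'web' 2 insists on 'db' 1, but the root asks for 'db' 2.
    print(resolve(INDEX, [("web", lambda v: v == 2), ("db", lambda v: v == 2)]))
```

Resolving `app` alone first tries `db` 2 (newest), hits the `db == 1` requirement carried in by `web` 2, backs out, and settles on `db` 1; the second call exhausts every candidate and reports no solution rather than guessing. Replacing the newest-first loop with a SAT encoding is exactly the trade-off the thread describes: the search above does more work the more candidates conflict with each other.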
On 14 April 2015 at 11:16, Brett Cannon br...@python.org wrote:
I agree. Even something as simple as a boolean that triggers a banner
saying this project is looking for a new maintainer would be useful both
from the perspective of project owners who want to move on or from the
perspective of
I have nothing useful to add except to say: this thread is one of the most
courteous and productive series of arguments I have seen!
On Fri, May 9, 2014 at 6:02 PM, Paul Moore p.f.mo...@gmail.com wrote:
On 9 May 2014 22:33, Donald Stufft don...@stufft.io wrote:
On the flip side option (A)
Hello everyone,
Donald, Justin and I have co-authored a PEP that recommends a
comprehensive security solution to allow PyPI to secure its users
against a wide array of compromises.
The gist of the PEP is that the changes to PyPI are essentially
invisible to users and developers unless an attack
On Tue 22 Oct 2013 07:34:04 PM EDT, Richard Jones wrote:
Yay! Thanks everyone involved, especially Donald and Nick.
Congrats :)
___
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
On 9/21/13 9:09 PM, Donald Stufft wrote:
On Sep 21, 2013, at 8:47 PM, Vladimir Diaz vladimir.v.d...@gmail.com wrote:
What about a precompiled Python extension? Bundling wheels?
The problem is when pip has a dependency on something and someone
accidentally
Hello Donald,
On 09/21/2013 05:54 PM, Donald Stufft wrote:
Is it possible to do this in a pure python library? I know there are pure
python libraries for ed25519 that are written by the author so they
should be good to use.
It should be possible to do in pure Python all the cryptography
On 09/21/2013 06:17 PM, Donald Stufft wrote:
Is it possible to do this in a pure python library? I know there are pure
python libraries for ed25519 that are written by the author so they
should be good to use.
It should be possible to do in pure Python all the cryptography that TUF needs.
On 8/28/13 8:37 AM, Christian Theune wrote:
I will also add a valid SSL certificate in the next minutes. What's your take
on enforcing SSL e.g. via redirects?
I am not an expert, but I guess this depends on who is enforcing the SSL
redirection. If someone untrusted can be a
On 08/28/2013 12:09 PM, Christian Theune wrote:
Right. It doesn't add any security on its own, but it's a way that
people can discover you're using SSL. :) I'll have to read up on how
to do HSTS actually …
That was my next question. Does pip honour HSTS? I could be wrong, but I
do not think
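As an added example (not pip's code, and not from this thread) of what a client that honours HSTS actually has to do, here is a minimal RFC 6797 policy cache: a policy is only accepted from a response that arrived over HTTPS, a parent domain's includeSubDomains covers its subdomains, max-age=0 makes the client forget a host, and an http:// URL for a known host is upgraded before any request goes out. The hostnames and header values are constructed for the example; whether pip itself does any of this is the question asked above and is not asserted here.

```python
"""Client-side HSTS (RFC 6797) cache: receive, store, and apply a host's policy.

Assumed, self-contained implementation, not pip's code. The sample URLs and
header values used with it are constructed for the example.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool


def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None for an invalid header.

    RFC 6797 requires exactly one max-age directive; a header with none, or with
    a repeated or non-numeric max-age, must be ignored by the client.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(expires_at=now + max_age, include_subdomains=include_subdomains)


class HstsCache:
    def __init__(self) -> None:
        self.hosts: Dict[str, HstsPolicy] = {}

    def observe(self, url: str, headers: Dict[str, str], now: float) -> None:
        """Learn a policy from a response, but only if it arrived over HTTPS.

        A header seen on a plain-HTTP response is ignored (RFC 6797 section 8.1):
        anyone on the path could have injected or stripped it, so it proves nothing.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        policy = parse_hsts(value, now)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy.expires_at <= now:  # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = policy

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.hosts.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is known; port 80 becomes 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"  # an explicit non-80 port is kept as-is
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("https://pypi.python.org/simple/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                  time.time())
    print(cache.rewrite("http://pypi.python.org/simple/pip/", time.time()))
```

The important design point for a package installer is the first check in `observe`: a policy learned over plain HTTP is worthless, so the cache refuses it, and the upgrade in `rewrite` happens before the socket is opened, which is what prevents the downgrade that a redirect-based "SSL enforcement" cannot.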
Hello everyone,
We now have a demonstration of pip that securely and efficiently
downloads with TUF any package from a PyPI mirror:
https://github.com/theupdateframework/pip/wiki/pip-over-TUF
We hope that you will try our demonstration with your favourite packages
and tell us about any
On 08/06/2013 09:59 PM, Donald Stufft wrote:
On Aug 6, 2013, at 9:50 PM, Michael Merickel mmeri...@gmail.com wrote:
How about building a deprecation period into the tooling? pip 1.5+
could warn users who are using *.pypi.python.org of the
On 08/01/2013 05:02 PM, holger krekel wrote:
thanks for the links. They contain code instructions but i am
not sure i get the overall picture yet. Do you have a whitepaper
or overview describing the approach wrt to PyPI?
We do, but it is not up-to-date with our latest thoughts. We will
Hello Nick and the PyPI community,
This is a brief status report on the integration of PyPI and pip with TUF.
(A quick reminder: TUF is a general plug-n-play update framework
designed to introduce usable security to community software repositories
such as PyPI. If you think of PyPI as HTTP,
Hello Holger,
On 07/31/2013 08:13 AM, holger krekel wrote:
thanks for the high level overview. Do you have a current web page with
more detailed technical info with respect to PyPI/TUF?
Good question! I think it is a good idea to put up a PyPI+pip+TUF
current status page on our web site,
On 07/17/2013 04:50 PM, Nick Coghlan wrote:
On 17 Jul 2013 18:17, holger krekel hol...@merlinux.eu wrote:
On Wed, Jul 17, 2013 at 07:48 +, Vinay Sajip wrote:
holger krekel holger at merlinux.eu writes:
about existing schemes/efforts.
On 07/18/2013 03:24 AM, Ronald Oussoren wrote:
I'm trying to understand what this means for package maintainers. If I understand you
correctly maintainers would upload packages just like they do now, and packages are then
automatically signed by the unstable role. Then some manual process by
On 07/18/2013 09:34 AM, Justin Cappos wrote:
My impression is this only holds for things signed directly by PyPI
because the developers have not registered a key. I think that
developers who register keys won't have this issue. Let's talk about
this when you return, but it's really projects
Christian,
I don't think I see 1.0.2 yet, it seems to be still 1.0.1 for me. I use
this command to upgrade --- is it obsolete?
pip install --upgrade -r
https://bitbucket.org/ctheune/bandersnatch/raw/stable/requirements.txt
On 07/08/2013 03:55 PM, Christian Theune wrote:
Hi,
over the last
On 6/2/13 9:01 AM, Nick Coghlan wrote:
On Sun, Jun 2, 2013 at 10:09 PM, Donald Stufft don...@stufft.io wrote:
If we deploy some sort of end to end signing I think TUF is a good
implementation of it.
I'm not sold on the possibility of reasonably doing end to end signing here
though.
I think
On Fri 31 May 2013 04:34:43 PM EDT, Tres Seaver wrote:
Why all the extras: if somebody wants to claim a project name, but can't
upload a release for six months, they should just lose. I would actually
be willing to have that cut down to a day: trying to grab the name
before registering /
On Fri 31 May 2013 06:16:28 PM EDT, Jim Fulton wrote:
I think Tres was referring to the first release.
Thanks for the clarification, but my argument remains for subsequent
releases.
On Wed May 22 12:11:13 2013, Alexandr Romanov wrote:
i'm trying to make a new mirror and get following error:
Have you tried bandersnatch? It is so much nicer than pep381run.
https://bitbucket.org/ctheune/bandersnatch
On 04/09/2013 11:52 PM, Trishank Karthik Kuppusamy wrote:
I have finished generating the /simple metadata and they are about 52MB
--- not too far off from my estimate of 59MB. Remember: this is the
worst-case size for simple metadata.
Okay, so we have finished generating the TUF metadata
On 4/9/13 7:47 AM, Daniel Holth wrote:
What size keys?
2048 bits, which is the minimum key size TUF currently allows for
security purposes. Which range of key sizes do you think PyPI would be
comfortable with?
I have finished generating the /simple metadata and they are about 52MB
--- not too far off from my estimate of 59MB. Remember: this is the
worst-case size for simple metadata.
I have now started generating the /packages metadata. If all goes well,
I should be able to test pip against a realistic
Hello everyone,
I have been testing and refining the pypi.updateframework.com automation
over the past week, and looking at how much TUF metadata is generated
for PyPI.
In this email, I am going to focus only on the PyPI data under /simple;
let us call that simple data.
Now, if we assume
On 4/9/13 1:17 AM, Justin Cappos wrote:
His 29MB and 58MB numbers assume that every developer has their own key
right now. We don't think this is likely to happen and propose
initially signing everything that the developers don't sign with a
single PyPI key.
It also assumes there are no
On 04/07/2013 09:36 AM, Christian Theune wrote:
I can see that this would be useful. However, my current knowledge is
that the way to authenticate the packages will change in the near
future: Richard Jones mentioned that the update framework would be
interesting for this. I do not know yet what
On Sun 07 Apr 2013 04:01:07 PM EDT, holger krekel wrote:
interpreted correctly. Also, uploading a 1.0 release to pypi
would allow to say pip install bandersnatch instead of getting
the hg repo and the setup.py install command.
I agree, a PyPI package would make it easy for pip users.
Hello PyPI,
Hope attendees had a great time at PyCon 2013! We certainly enjoyed
presenting to you our lightning talk on securing PyPI with TUF
(https://www.youtube.com/watch?v=2sx1lS6cT3g).
Since then, we have been busy improving TUF and implementing machinery
to automatically secure PyPI
32 matches