Victor Stinner wrote:
> I don't understand your email. Can you please elaborate?
There is nothing wrong with the package. The remark is a joke provoked by
a long history of a campaign [1] against external packages on distutils-sig.
Many tools (like crate.io, when it was still up) have made dero
On May 8, 2014, at 8:12 AM, Stefan Krah wrote:
> Victor Stinner wrote:
>> I don't understand your email. Can you please elaborate?
>
> There is nothing wrong with the package. The remark is a joke provoked by
> a long history of a campaign [1] against external packages on distutils-sig.
>
>
Well, to be fair and leaving aside uptime concerns and the general
desire to always install packages from some server instead of
a safe and trusted local directory (probably too obvious ;-),
it would certainly be possible to add support for
trusted externally hosted packages.
However, for some rea
On Thu, May 8, 2014 at 11:39 PM, M.-A. Lemburg wrote:
> I agree with Stefan that the warning message wording is less
> than ideal. You'd normally call such blanket statements FUD,
> esp. since there are plenty external hosting services which
> are reliable and safe to use.
No, it's not FUD. Every
On 8 May 2014 23:39, M.-A. Lemburg wrote:
> However, for some reason there's a strong resistance against
> doing this, which I frankly don't understand.
Because we're taking responsibility for the end-to-end user experience
of PyPI, and are expressly trying to eliminate the elements of that
user
On May 8, 2014, at 9:39 AM, M.-A. Lemburg wrote:
> Well, to be fair and leaving aside uptime concerns and the general
> desire to always install packages from some server instead of
> a safe and trusted local directory (probably too obvious ;-),
> it would certainly be possible to add support fo
On May 8, 2014, at 9:58 AM, Donald Stufft wrote:
> Now this does not mean that ``pip install cdecimal`` will automatically
> install
> this, because whether or not you're willing to install from servers other than
> PyPI[1] is a policy decision for the end user of pip.
I forgot to add, for ext
On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft wrote:
> I don't think the warning is FUD, and it doesn't mention anything security
> related at all. The exact text of the warning is in the subject of the email
> here:
>
> cdecimal an externally hosted file and may be unreliable
>
> Which
On May 8, 2014, at 10:11 AM, R. David Murray wrote:
> On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft wrote:
>> I don't think the warning is FUD, and it doesn't mention anything security
>> related at all. The exact text of the warning is in the subject of the email
>> here:
>>
>>cdecima
On Thu, 08 May 2014 10:11:39 -0400, "R. David Murray" wrote:
> On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft wrote:
> > I don't think the warning is FUD, and it doesn't mention anything security
> > related at all. The exact text of the warning is in the subject of the email
> > here:
> >
>
Hi all,
What do you think about a CPython sprint at EuroPython 2014?
Regards,
Stephane
--
Stéphane Wirtel - http://wirtel.be - @matrixise
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
On Thu, 08 May 2014 10:21:34 -0400, "R. David Murray" wrote:
> >
> > "unreliable" reads as "not safe", ie: insecure.
> >
> > You probably want something like "and access to it may be unreliable".
>
> Actually, thinking about this some more, *most* end-users aren't going
> to care that there's an
On Thu May 08 2014 at 10:25:44 AM, Stéphane Wirtel wrote:
> Hi all,
>
> What do you think about a CPython sprint at EuroPython 2014?
>
Great, although I think that answer would be considered obvious since there
is no real negative to holding sprints. =) Are you indirectly asking if
anyone plans
On May 8, 2014, at 10:21 AM, R. David Murray wrote:
> On Thu, 08 May 2014 10:11:39 -0400, "R. David Murray" wrote:
>> On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft wrote:
>>> I don't think the warning is FUD, and it doesn't mention anything security
>>> related at all. The exact text of
Donald Stufft wrote:
> There is support for trusted externally hosted packages, you put the URL in
> PyPI and include a hash in the fragment like so:
>
> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
That is exactly the mode I was us
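The hash-in-fragment convention quoted above (a download URL registered on the index with `#md5=<hexdigest>` appended) is what lets an installer pin an externally hosted file to a known digest. The following is an added example written for this page, not pip's own implementation: it parses the fragment, rejects links that carry no usable pin, computes the digest of the fetched bytes and compares it in constant time. The function names, the `SUPPORTED` set and the sample tarball bytes are all assumptions of this example, not anything from the thread or from pip.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Example code added for this page; it is NOT pip's implementation.
# Algorithms this verifier is willing to honour.  MD5 is listed only because
# the URL quoted in the thread uses it; MD5 is not collision-resistant, so a
# hosting site could publish two different archives with the same md5 pin.
SUPPORTED = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
HEX_CHARS = set("0123456789abcdef")


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from a URL whose fragment is '<alg>=<hex>'.

    Raises ValueError when the pin is missing, uses an unknown algorithm or is
    malformed, so an external link without a sound pin is never silently
    treated as trusted.
    """
    fragment = urlsplit(url).fragment
    if "=" not in fragment:
        raise ValueError("URL carries no '<alg>=<hexdigest>' fragment: %r" % url)
    algorithm, _, hexdigest = fragment.partition("=")
    algorithm = algorithm.lower()
    hexdigest = hexdigest.lower()
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported hash algorithm in fragment: %r" % algorithm)
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(hexdigest) != expected_len or not set(hexdigest) <= HEX_CHARS:
        raise ValueError("malformed %s digest: %r" % (algorithm, hexdigest))
    return algorithm, hexdigest


def verify_download(url, data):
    """True if `data` (the downloaded file bytes) matches the digest pinned in `url`."""
    algorithm, expected = parse_hash_fragment(url)
    actual = hashlib.new(algorithm, data).hexdigest()
    # compare_digest does not short-circuit on the first differing character
    return hmac.compare_digest(actual, expected)


def pinned_url(base_url, data, algorithm="sha256"):
    """Build the fragment-pinned URL a maintainer would register for `data`."""
    digest = hashlib.new(algorithm, data).hexdigest()
    return "%s#%s=%s" % (base_url, algorithm, digest)


# Constructed stand-in for a release archive (not a real cdecimal tarball) and
# a hypothetical hosting URL; both exist only so the example runs offline.
SAMPLE_TARBALL = b"cdecimal-2.3 release contents (constructed sample)\n"
SAMPLE_URL = pinned_url("https://example.invalid/releases/cdecimal-2.3.tar.gz",
                        SAMPLE_TARBALL)

if __name__ == "__main__":
    print(SAMPLE_URL)
    print("genuine file verifies:", verify_download(SAMPLE_URL, SAMPLE_TARBALL))
    print("tampered file verifies:", verify_download(SAMPLE_URL, SAMPLE_TARBALL + b"x"))
```

Note what the pin does and does not buy: the digest is only as trustworthy as the index page it was read from, so an attacker who can alter what the index serves can also alter the pin, which is the point made later in the thread about PyPI's TLS being the real trust anchor. The pin does protect against the external host being tampered with independently of the index, and against a corrupted or truncated download.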
On May 8, 2014, at 10:31 AM, Antoine Pitrou wrote:
> On Thu, 08 May 2014 10:21:34 -0400, "R. David Murray" wrote:
>>>
>>> "unreliable" reads as "not safe", ie: insecure.
>>>
>>> You probably want something like "and access to it may be unreliable".
>>
>> Actually, thinking about this some m
On 08.05.2014 15:58, Donald Stufft wrote:
>
> On May 8, 2014, at 9:39 AM, M.-A. Lemburg wrote:
>
>> Well, to be fair and leaving aside uptime concerns and the general
>> desire to always install packages from some server instead of
>> a safe and trusted local directory (probably too obvious ;-),
On 08.05.2014 15:57, Nick Coghlan wrote:
> On 8 May 2014 23:39, M.-A. Lemburg wrote:
>> However, for some reason there's a strong resistance against
>> doing this, which I frankly don't understand.
>
> Because we're taking responsibility for the end-to-end user experience
> of PyPI, and are expre
On May 8, 2014, at 10:36 AM, Stefan Krah wrote:
> Donald Stufft wrote:
>> There is support for trusted externally hosted packages, you put the URL in
>> PyPI and include a hash in the fragment like so:
>>
>> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f
On 8 May 2014, at 16:33, Brett Cannon wrote:
> On Thu May 08 2014 at 10:25:44 AM, Stéphane Wirtel wrote:
>
>> Hi all,
>>
>> What do you think about a CPython sprint at EuroPython 2014?
>>
>
> Great, although I think that answer would be considered obvious since there
> is no real negative to ho
On 9 May 2014 00:52, "M.-A. Lemburg" wrote:
>
> On 08.05.2014 15:57, Nick Coghlan wrote:
>
> > (even the question of "does this software actually work?" is in our
> > sights if you consider a long enough time span). That's hard enough
> > with just a couple of service providers (Fastly and Rackspa
Donald Stufft wrote:
> hosted packages are brittle and more prone to failure. Every single external
> server adds *another* SPOF into any particular install set. Even if every
> external server has a 99.9% uptime, when you combine multiple of them the
> total
> uptime of any particular set of req
On Thu, 08 May 2014 10:37:15 -0400, Donald Stufft wrote:
> Most users are not going to care up until the point where the external server
> is unavailable, and then they care a whole lot. On the tin it sounds
> reasonable
> to just download the external file if the server is up however we've done
On May 8, 2014, at 11:19 AM, Stefan Krah wrote:
> Donald Stufft wrote:
>> hosted packages are brittle and more prone to failure. Every single external
>> server adds *another* SPOF into any particular install set. Even if every
>> external server has a 99.9% uptime, when you combine multiple of
On May 8, 2014, at 11:21 AM, R. David Murray wrote:
> On Thu, 08 May 2014 10:37:15 -0400, Donald Stufft wrote:
>> Most users are not going to care up until the point where the external server
>> is unavailable, and then they care a whole lot. On the tin it sounds
>> reasonable
>> to just downl
Donald Stufft wrote:
> > Today I've switched to manual install mode with manual sha256sum
> > verification
> > which is *far* safer than anything you get via pip right now.
>
> It is not safer in any meaningful way.
>
> If someone is in a position to compromise the integrity of PyPI's TLS, they
On 08.05.2014 16:42, M.-A. Lemburg wrote:
> On 08.05.2014 15:58, Donald Stufft wrote:
>>
>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg wrote:
>>
>>> Well, to be fair and leaving aside uptime concerns and the general
>>> desire to always install packages from some server instead of
>>> a safe and tr
On May 8, 2014, at 11:34 AM, Stefan Krah wrote:
> Donald Stufft wrote:
>>> Today I've switched to manual install mode with manual sha256sum
>>> verification
>>> which is *far* safer than anything you get via pip right now.
>>
>> It is not safer in any meaningful way.
>>
>> If someone is in a
On May 8, 2014, at 11:37 AM, M.-A. Lemburg wrote:
> On 08.05.2014 16:42, M.-A. Lemburg wrote:
>> On 08.05.2014 15:58, Donald Stufft wrote:
>>>
>>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg wrote:
>>>
Well, to be fair and leaving aside uptime concerns and the general
desire to always
Donald Stufft wrote:
> I said "meaningful". Almost nobody is going to ever bother googling it and
> the likelihood that someone is able to MITM *you* specifically is far lesser
> than the likelihood that someone is going to MITM one of the cdecimal users.
I'm doing this for important installs. --
On May 8, 2014, at 12:03 PM, Stefan Krah wrote:
> Donald Stufft wrote:
>> I said "meaningful". Almost nobody is going to ever bother googling it and
>> the likelihood that someone is able to MITM *you* specifically is far lesser
>> than the likelihood that someone is going to MITM one of the cd
On Thu, 08 May 2014 11:32:28 -0400, Donald Stufft wrote:
> On May 8, 2014, at 11:21 AM, R. David Murray wrote:
> > Ah, I understand now.
> >
> > Your perspective is as someone who is using pip for *deployment*.
>
> Deployment, or any kind of situation where you want to have a reproducible
> bui
On May 8, 2014, at 12:42 PM, R. David Murray wrote:
> On Thu, 08 May 2014 11:32:28 -0400, Donald Stufft wrote:
>> On May 8, 2014, at 11:21 AM, R. David Murray wrote:
>>> Ah, I understand now.
>>>
>>> Your perspective is as someone who is using pip for *deployment*.
>>
>> Deployment, or any k
This is mostly a question for Martin, but perhaps someone else would also know.
I'm trying to build the 2.7 installers so I can backport the path
option from 3.3, but I can't seem to figure out which version of Tix
is necessary to have a complete build. So far any of them on
http://svn.python.org/
On 08.05.14 18:59, Brian Curtin wrote:
> This is mostly a question for Martin, but perhaps someone else would also
> know.
>
> I'm trying to build the 2.7 installers so I can backport the path
> option from 3.3, but I can't seem to figure out which version of Tix
> is necessary to have a comple
On 8 May 2014 16:46, Donald Stufft wrote:
> Anything can be changed or reconsidered of course. I feel pretty strongly that
> an installer should not install things from places other than the index
> without
> a specific opt in. That discussion would be best done on distutils-sig as it
> would req
On May 8, 2014, at 5:02 PM, Paul Moore wrote:
> On 8 May 2014 16:46, Donald Stufft wrote:
>> Anything can be changed or reconsidered of course. I feel pretty strongly
>> that
>> an installer should not install things from places other than the index
>> without
>> a specific opt in. That discu
On Thu, May 8, 2014 at 2:36 PM, "Martin v. Löwis" wrote:
> On 08.05.14 18:59, Brian Curtin wrote:
>> This is mostly a question for Martin, but perhaps someone else would also
>> know.
>>
>> I'm trying to build the 2.7 installers so I can backport the path
>> option from 3.3, but I can't seem to
On 9 May 2014 07:23, "Donald Stufft" wrote:
> On May 8, 2014, at 5:02 PM, Paul Moore wrote:
>
> > Or
> > maybe we have to accept that some developers have sound reasons for
> > not hosting on PyPI and work with them to find an acceptable
> > compromise? Has anyone checked what Stefan's reasons ar
On May 8, 2014, at 6:20 PM, Nick Coghlan wrote:
>
> On 9 May 2014 07:23, "Donald Stufft" wrote:
> > On May 8, 2014, at 5:02 PM, Paul Moore wrote:
> >
> > > Or
> > > maybe we have to accept that some developers have sound reasons for
> > > not hosting on PyPI and work with them to find an acce
On 9 May 2014 08:22, "Donald Stufft" wrote:
>
>
> On May 8, 2014, at 6:20 PM, Nick Coghlan wrote:
>>
>> I actually need to follow up on that, because the terms *were* legally
questionable last time I looked (also too hard to review, since as far as I
am aware, they're only presented during new u
On May 8, 2014, at 5:22 PM, Donald Stufft wrote:
>> Socially, this change does not seem to be having the effect of
>> persuading more package developers to host on PyPI. The stick doesn't
>> appear to have worked, maybe we should be trying to find a carrot?
>
> Do you have any data to point to
On May 9, 2014, at 12:34 AM, Donald Stufft wrote:
> The data has finished processing, it represents a time diff of approximately
> one year. The pip release that caused all of this was released about 4-5
> months
> ago.
Oh I forgot to mention:
In order to make the comparison as accurate as po