Donald Stufft added the comment:
This looks OK to me.
I'm not a Windows person; are there changes in pip that would make sense to make
it work without this patch?
--
nosy: +Marcus.Smith, pmoore
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
The development version of pip switches things over to using the Python logging
framework instead of a homegrown one which more or less relies on print().
Probably we could detect if we don't have a stdout and just not output
anything? People can p
Donald Stufft added the comment:
It is configured using salt, see
https://github.com/python/psf-salt/blob/master/salt/pythontest/init.sls.
A separate domain just makes it easier to do whatever we need with it without
needing to worry about getting confused between live sites and test sites
New submission from Donald Stufft:
As specified in PEP 477, this backports PEP 453 (ensurepip) to the Python 2.7
branch. Key differences from PEP 453 are:
* It is not run by default in the Makefile
* There is no venv modules, so downstream can remove it (though are asked to
patch it to
New submission from Donald Stufft:
As specified in PEP 477, this backports PEP 453 (ensurepip) to the Python 2.7
branch. Key differences from PEP 453 are:
* It is not run by default in the Makefile
* There is no venv modules, so downstream can remove it (though are asked to
patch it to
Donald Stufft added the comment:
Closing this in favor of http://bugs.python.org/issue22827
--
resolution: -> duplicate
status: open -> closed
___
Python tracker
<http://bugs.python.org/i
Changes by Donald Stufft:
--
nosy: +steve.dower
___
Python tracker
<http://bugs.python.org/issue22827>
___
___
Python-bugs-list mailing list
Unsubscribe:
Donald Stufft added the comment:
Second patch just fixes the docs to specify the correct behavior for 2.7 and it
fixes ensurepip.bootstrap() to match the default 2.7 behavior when executing
python -m ensurepip.
--
Added file: http://bugs.python.org/file37155/pep-477-2.patch
Donald Stufft added the comment:
The backport is taken from Python 3.4 so it's the same license as everything
else.
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
IOW it's literally Lib/unittest/mock.py from the 3.x series.
--
___
Python tracker
<http://bugs.python.org/issue22827>
___
Donald Stufft added the comment:
I've updated the patch with Nick's comments, except for pulling in the latest
versions of the documentation.
--
Added file: http://bugs.python.org/file37175/pep-477-3.patch
___
Python tracker
<http://bu
Donald Stufft added the comment:
Merged in https://hg.python.org/cpython/rev/592a5414fabd, I forgot to mention
the issue number.
I'm going to leave this open for the docs changes, however the OSX installer
and Windows installer changes should be able to be mad
Donald Stufft added the comment:
I don't know anything about msi or this script so I can't offer any help there,
but thanks!
--
___
Python tracker
<http://bugs.python.o
Donald Stufft added the comment:
I've attached a patch which I believe updates the 2.x docs with what 3.x has. I
ran ``make html`` and the only errors I got were in relation to pyporting which
I don't believe has anything to do with this ticket.
If someone can sanity check this fo
Donald Stufft added the comment:
Is this ticket able to be closed now or is there more to do?
--
___
Python tracker
<http://bugs.python.org/issue22850>
___
Donald Stufft added the comment:
Note: I removed the references to pyvenv in these docs because 2.7 doesn't have
that.
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
Updated the docs patch to address Nick's comments.
--
Added file: http://bugs.python.org/file37236/pep-477-docs-2.patch
___
Python tracker
<http://bugs.python.org/is
Changes by Donald Stufft:
--
resolution: -> fixed
status: open -> closed
___
Python tracker
<http://bugs.python.org/issue22827>
___
Donald Stufft added the comment:
Assigning this to myself, it'll get fixed when pip 6.0 is released and I
upgrade ensurepip to it.
--
assignee: vinay.sajip -> dstufft
___
Python tracker
<http://bugs.python.org
Donald Stufft added the comment:
So here's a thought:
pip does have a CLI flag --force-reinstall which will uninstall and then
reinstall whatever is being installed. If we modified things so that ensurepip
supported this flag (or always used it with --upgrade) then it would fix this
Donald Stufft added the comment:
Right, they did that because Debian has disabled SSLv3 in OpenSSL in Jessie.
--
___
Python tracker
<http://bugs.python.org/issue22
Donald Stufft added the comment:
Yea see: http://sources.debian.net/src/openssl/1.0.2~beta3-1/debian/rules/#L29
The configure options they are running with are: no-idea no-mdc2 no-rc5 no-zlib
enable-tlsext no-ssl2 no-ssl3 no-ssl3-method enable-unit-test
New submission from Donald Stufft:
The SSLContext().wrap_socket() method allows you to pass in a server_hostname
option which will be used for two purposes, it will be used as the server name
for SNI and it will be used to verify the server name of the certificate.
However currently if the
Donald Stufft added the comment:
I tested this patch on Python 3.5 compiled on CentOS 5.11 which does not have
SNI enabled. The end result is that you can use server_hostname even when SNI
isn't there to enable the SSL certificate checks. Of course the check will fail
if the host
Donald Stufft added the comment:
Added docs.
--
Added file:
http://bugs.python.org/file37258/check-hostname-no-sni-with-docs.patch
___
Python tracker
<http://bugs.python.org/issue22
Donald Stufft added the comment:
A new patch that achieves the same thing in a simpler way at benjamin's
suggestion.
--
Added file:
http://bugs.python.org/file37259/check-hostname-no-sni-with-docs-2.patch
___
Python tracker
<http://bugs.py
Donald Stufft added the comment:
Uploaded a third patch, this is the same technique as in the -2 patch, except
it fixes a missed spot in Lib/ssl.py where I needed a better error message.
Additionally this goes through and unskips all of the tests that were marked as
depending on HAS_SNI when
Donald Stufft added the comment:
Added a patch for Python 2.7
--
Added file:
http://bugs.python.org/file37262/check-hostname-no-sni-with-docs-py27.patch
___
Python tracker
<http://bugs.python.org/issue22
Donald Stufft added the comment:
I agree completely. This is something that should generally be discouraged
altogether. See:
http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
--
nosy: +dstufft
___
Python tracker
<h
Donald Stufft added the comment:
>>
>> BTW: Having a way to change the SSL options globally would be useful
>> for Python 3.x as well, since OpenSSL often adds new options and
>> it's not unlikely we'll see an OP_NO_TLSv1 option soon, given its
>>
New submission from Donald Stufft:
Various browsers[1][2] are dropping support for wild card certificates which
are anything but a single "*" alone in the left most position. The other style
wildcards were deprecated previously and they should not appear in any public
certificate
Donald Stufft added the comment:
This should be fixed now as of https://hg.python.org/cpython/rev/651e1862dbed,
https://hg.python.org/cpython/rev/651e1862dbed, and
https://hg.python.org/cpython/rev/9f60d024e586.
--
resolution: -> fixed
status: open ->
Donald Stufft added the comment:
I'm not sure how to get a link to that, can you link it and I can see if I
think it's a permanent error or not?
--
___
Python tracker
<http://bugs.python.o
Donald Stufft added the comment:
If distlib 0.2.0 fixes this, then it should be fixed in pip 6+ when installing
from Wheels. If the same problem exists in setuptools then it'll need to get
fixed in setuptools (or pip will need to start writing its own console scripts
when insta
Donald Stufft added the comment:
I do not know what setuptools plans on with regards to distlib sorry.
--
___
Python tracker
<http://bugs.python.org/issue23
Donald Stufft added the comment:
I just noticed this issue. I think all that really needs done here is changing
the venv module to use subprocess.check_call instead of subprocess.check_output
when calling ensurepip.
--
___
Python tracker
<h
Donald Stufft added the comment:
+1, This sounds completely reasonable to do to me.
--
___
Python tracker
<http://bugs.python.org/issue23143>
___
Donald Stufft added the comment:
This is a pip problem and should be filed against the pip issue tracker at
https://github.com/pypa/pip/issues.
--
___
Python tracker
<http://bugs.python.org/issue23
Donald Stufft added the comment:
We should probably pass ``-s`` to the ensurepip call.
Adding 2.7 here as well because I think this will probably affect more than
just the Makefile, probably the Windows installers and OSX installers too.
--
versions: +Python 2.7
Donald Stufft added the comment:
I think the only way to actually fix this, is to stop using the OpenSSL
provided by OSX.
--
nosy: +dstufft
___
Python tracker
<http://bugs.python.org/issue24
Donald Stufft added the comment:
For what it's worth, the El Capitan Betas apparently don't ship with OpenSSL
headers anymore though they do still ship with the dylibs.
--
___
Python tracker
<http://bugs.pyt
Donald Stufft added the comment:
This looks more like lib2to3 doesn't support running from a .zip archive.
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
I'm all for deprecating asyncore/asynchat but should deprecating them wait
until asyncio is no longer provisional?
--
nosy: +dstufft
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
pip doesn't really support being called as an API, there's been requests for it
before but nobody has yet come forward to specify what parts in particular they
need. The practical effect of this is that there's no backwards compatibility
promis
Changes by Donald Stufft:
--
nosy: +steve.dower
___
Python tracker
<http://bugs.python.org/issue23551>
___
Donald Stufft added the comment:
Yea ``pip.main(args)`` won't change. I'm not sure how well parts of pip will
handle being in a persistent-ish process, but the API itself will work.
--
___
Python tracker
<http://bugs.python.o
Donald Stufft added the comment:
There is a "site" config file which works for all installs on that particular
machine, there is not a per Python configuration file, though I don't see why
we couldn't add one.
--
___
P
Donald Stufft added the comment:
Yea, we'd be willing to fix things where we can. I think the biggest problem
you'll run into is probably going to be pkg_resources and its module scoped
cache of the sys.path and what item
Donald Stufft added the comment:
(A)RC4 and ChaCha are just two stream ciphers that let you encrypt some data,
they work by essentially producing a pseudo-random stream of data in a
deterministic manner based off of a key, and then that is XOR'd with the data
you want to encrypt. arc4r
Donald Stufft added the comment:
Oh yea, and (A)RC4 is broken and shouldn't be used for anything anymore, ChaCha
is much better and is pretty great.
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
You probably need to either pass --ignore-installed to pip when invoking it
inside of venv, or you need to disable system_site_packages (internally to
venv) until after pip is installed.
--
___
Python tracker
<h
Donald Stufft added the comment:
Now that 3.5 is out, does that mean we can sync 2.7 with the 3.5 ssl again and
land this patch?
--
___
Python tracker
<http://bugs.python.org/issue22
Donald Stufft added the comment:
This looks like a good idea to me, faster and more secure seems like a total
win.
--
___
Python tracker
<http://bugs.python.org/issue25
Donald Stufft added the comment:
This isn't a CPython issue and doesn't really belong on the issue tracker.
To answer the question though, PyPI will support IPv6 as soon as our CDN
provider has support for IPv6 and until they do, it will be IPv4 only.
--
resolution: ->
Donald Stufft added the comment:
Our provider is Fastly, I don't believe contacting them will do any good
though. They are working on getting IPv6 support but there is no ETA at the
moment.
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
Upstream issue for this is https://github.com/pypa/pip/issues/3383.
--
___
Python tracker
<http://bugs.python.org/issue26
Donald Stufft added the comment:
Hey,
This is actually a bug with pip not with CPython and is being tracked by
https://github.com/pypa/pip/issues/3408. It's fixed in pip's repository and
we'll soon have an 8.0.1 release out to fix it.
--
nosy: +dstufft
resolution:
Donald Stufft added the comment:
Yes, it should have been. Sorry forgot this issue was opened.
--
___
Python tracker
<http://bugs.python.org/issue26164>
___
Donald Stufft added the comment:
If you're trying to use PyCrypto then you need to install PyCrypto, crypto is a
different package. Try ``pip install PyCrypto``.
--
nosy: +dstufft
___
Python tracker
<http://bugs.python.org/is
Changes by Donald Stufft:
--
nosy: +dstufft
___
Python tracker
<http://bugs.python.org/issue26252>
___
Donald Stufft added the comment:
It shouldn't be hard to make ctypes optional in pip, it's only used to check if
the OS we're running on is "manylinux" compatible, roughly checking the glibc
version number. Worst case we can just condition that
Donald Stufft added the comment:
> Right now all the hashlib algorithms are backed by OpenSSL.
As far as I know, hashlib ships its own implementations of anything that is a
guaranteed algorithm (currently md5, sha1, and sha2, presumably sha3 too once
that gets added).
So I g
Donald Stufft added the comment:
I don't know if this should be part of IDLE or not, but I've long wondered if
we should make a GUI frontend for pip. To be clear, I'm not against this being
in IDLE either, but just saying I've thought about making a pip-gui project in
the
Donald Stufft added the comment:
I'm unlikely to have the time or motivation to do this anytime soon (just to be
clear). I would be able to advise anyone who does feel like doing it the best
ways to interact with pip itself though.
--
___
P
Donald Stufft added the comment:
There actually *is* an API that can be set that will cause OpenSSL to use the
shortest trust path it can, however it's only available in OpenSSL 1.0.2+ which
means it'll solve it for a handful of people but not the bulk
Changes by Donald Stufft:
--
keywords: +needs review
resolution: not a bug ->
stage: resolved -> patch review
status: closed -> open
___
Python tracker
<http://bugs.python.or
Changes by Donald Stufft:
--
nosy: +dstufft
___
Python tracker
<http://bugs.python.org/issue23593>
___
Donald Stufft added the comment:
It was merged to the 2.7 branch, so it'll be released as part of 2.7.10.
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
I'm not sure what you mean by "Siphash isn't cryptographically secure". One of
the key points of Siphash is that it *is* cryptographically secure. It has a
smaller space than your typical hash function (MD5, SHA1, SHA2, etc) which
m
Donald Stufft added the comment:
To be clear, I have no opinion on your specific proposal and I don't know if
the difference between "cryptographically secure" and "not cryptographically
secure" matters for it. I just wanted to be clear that with SipHash an attacker
New submission from Donald Stufft:
While working on PyPI 2.0 (which is currently running Python 3) I discovered
that ``setup.py upload`` was causing an exception. After tracing things I
determined that the reason for this is that Python 3 fails to handle leading
whitespace in a multipart body
Donald Stufft added the comment:
Added a patch that fixes this issue by reading lines until we find the line
that is our expected boundary marker.
--
keywords: +patch
Added file: http://bugs.python.org/file38722/cgi-read-until-boundary.diff
Donald Stufft added the comment:
Added R David Murray to the nosy list because this is kinda similar to the
email stuff and there doesn't seem to be anyone better to look at this patch
that I can find...
--
nosy: +r.david.murray
___
Python tr
Donald Stufft added the comment:
Also adding Berker Peksag because they've touched this module recently :)
--
nosy: +berker.peksag
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
@Benjamin
The reason I didn't do that to begin with, was the code currently checks if the
first line is a bytes object or not in order to be able to raise an error if
it's returning str instead of bytes. I didn't want to redo that check on every
Donald Stufft added the comment:
Thanks everyone for taking a look at this!
--
stage: resolved ->
___
Python tracker
<http://bugs.python.org/issue23801>
___
Changes by Donald Stufft:
--
stage: -> resolved
___
Python tracker
<http://bugs.python.org/issue23801>
___
Donald Stufft added the comment:
I'd really rather not add this to Python itself. If downstream wants to patch
their Pythons to do it that is their prerogative. There's some legacy at play
here of course, however I don't think that Python upstream is the right place
to deal
Donald Stufft added the comment:
On its own I think this switch is a bad idea because it's too big of a hammer.
Someone shouldn't accidentally disable TLS verification in pip for instance
because they wanted to disable TLS verification for some random tool that only
hit i
Donald Stufft added the comment:
> Now, I knew how to fix this, but the solution was not
> an obvious one. I had to use truss to figure out where OpenSSL
> was looking for certificates and then added the Mozilla cert
> bundle from our egenix-pyopenssl package to make things work
Donald Stufft added the comment:
> No, I want to be able to easily disable the newly added
> checks in 2.7.9+ to get systems such as these behave the
> same as with 2.7.8, since without this option, people
> using these system are going to be forced to stick with
> buggy 2.7.8 s
Donald Stufft added the comment:
> I don't consider monkey patching a proper way to configure a Python
> installation.
The point is that TLS validation on/off isn't conceptually a Python level
configuration option, that's going to be a per application conf
Donald Stufft added the comment:
I wonder if it's this?
https://github.com/python/cpython/commit/453f86c6977bab18fe4a9c58a4155253375adc8e#diff-ff7dba04c5ad252aa440598d6c88067a
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
I think 1.0.2 is the only version of OpenSSL that has the ability to short
circuit the chain validation which is something that makes it easier for
libraries like requests to remove the weak 1024 bit roots from their SSL
certificate store.
It's also n
Donald Stufft added the comment:
PyPI should already handle it fine, and Warehouse certainly does.
--
nosy: +dstufft
___
Python tracker
<http://bugs.python.org/issue16
Donald Stufft added the comment:
> Perhaps you can point me to some use cases where the triple
> platform tag is really useful.
If I understand correctly (and ABI isn't my strong suit), it would be useful
in the sense that you could utilize it to create a sort of "fat wheel
Donald Stufft added the comment:
> Well, it's even more wasteful if you have to download 100MB wheels
> with all the different platforms when the dedicated wheel would just
> need 1.5MB.
I think it's going to vary greatly based on how many platforms you're
attemptin
Donald Stufft added the comment:
> Whatever you do, you're still going to force all your main users to
> download things they don't need, so I don't see the argument of
> optimizing downloads or caches.
pip caches downloads by default, many systems are starting to utiliz
Donald Stufft added the comment:
I think it's worthwhile to maintain the ability to easily backport patches from
3.x to 2.7, especially given the security sensitive nature of the ssl module.
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
Hey,
This is actually a message that comes from a third party component, pip in this
case. I've opened up https://github.com/pypa/pip/issues/2773 with the pip
project and suggest that further discussion/tracking happen there. It will be
picked up by P
Donald Stufft added the comment:
Yea, I already upgraded pip. I did forget that we'll want to add
--disable-pip-version-check to the pip invocation inside of ensurepip.
--
___
Python tracker
<http://bugs.python.org/is
Donald Stufft added the comment:
rewheel is definitely some Fedora patches.
--
___
Python tracker
<http://bugs.python.org/issue27924>
___
Donald Stufft added the comment:
> I don't think "remove de-recommended cypher" qualifies as a security fix for
> 3.3 or 3.4. Certainly you're not permitted to add ChaCha20 to 3.3 or 3.4
I think that this is a bad stance to take here. The difference between a
secur
Donald Stufft added the comment:
We should backport OpenSSL 1.1.0 too *shrug*.
--
___
Python tracker
<http://bugs.python.org/issue27850>
___
Donald Stufft added the comment:
> > The difference between a security feature and a security fix
> > is incredibly hard to differentiate.
>
> I'm not buying this argument.
This touches on it http://web.mit.edu/tabbott/www/papers/hotos.pdf but I'm not
sure ho
Donald Stufft added the comment:
> Is switching to a different SSL library without OS vendor support any more
> reasonable than switching to a newer python without that same support?
There are OSs that ship with Python 3.4 and Li
Donald Stufft added the comment:
An implicit global SSL Context? It kinda sounds a bit gross.
--
___
Python tracker
<http://bugs.python.org/issue28022>
___
Donald Stufft added the comment:
Thinking about that more, it's a bit harder than the Random module as well. The
only state the random module has to worry about is the seed and internal state
of the RNG.
However, many of the arguments to ssl.wrap_socket change the SSLContext options
Donald Stufft added the comment:
We re-execute Python to run setup.py. Even from wheels we do it to compile pyc
files.
Sent from my iPhone
> On Oct 29, 2016, at 2:38 PM, R. David Murray wrote:
>
>
> R. David Murray added the comment:
>
> Yes, you are right; I was think
Donald Stufft added the comment:
Yea. I worked on trying to get this done over the weekend and I was left with
one issue left. Hoping to get that done in the next day or two.
Sent from my iPhone
> On Nov 1, 2016, at 1:08 AM, Steve Dower wrote:
>
>
> Steve Dower added