On May 9, 2014, at 12:34 AM, Donald Stufft wrote:
> The data has finished processing, it represents a time diff of approximately
> one year. The pip release that caused all of this was released about 4-5
> months ago.
Oh I forgot to mention:
In order to make the comparison as accurate as po
On May 8, 2014, at 5:22 PM, Donald Stufft wrote:
>> Socially, this change does not seem to be having the effect of
>> persuading more package developers to host on PyPI. The stick doesn't
>> appear to have worked, maybe we should be trying to find a carrot?
>
> Do you have any data to point to
On 9 May 2014 08:22, "Donald Stufft" wrote:
>
>
> On May 8, 2014, at 6:20 PM, Nick Coghlan wrote:
>>
>> I actually need to follow up on that, because the terms *were* legally
>> questionable last time I looked (also too hard to review, since as far as I
>> am aware, they're only presented during new u
On May 8, 2014, at 6:20 PM, Nick Coghlan wrote:
>
> On 9 May 2014 07:23, "Donald Stufft" wrote:
> > On May 8, 2014, at 5:02 PM, Paul Moore wrote:
> >
> > > Or maybe we have to accept that some developers have sound reasons for
> > > not hosting on PyPI and work with them to find an acce
On 9 May 2014 07:23, "Donald Stufft" wrote:
> On May 8, 2014, at 5:02 PM, Paul Moore wrote:
>
> > Or maybe we have to accept that some developers have sound reasons for
> > not hosting on PyPI and work with them to find an acceptable
> > compromise? Has anyone checked what Stefan's reasons ar
On Thu, May 8, 2014 at 2:36 PM, "Martin v. Löwis" wrote:
> Am 08.05.14 18:59, schrieb Brian Curtin:
>> This is mostly a question for Martin, but perhaps someone else would also know.
>>
>> I'm trying to build the 2.7 installers so I can backport the path
>> option from 3.3, but I can't seem to
On May 8, 2014, at 5:02 PM, Paul Moore wrote:
> On 8 May 2014 16:46, Donald Stufft wrote:
>> Anything can be changed or reconsidered of course. I feel pretty strongly that
>> an installer should not install things from places other than the index without
>> a specific opt in. That discu
On 8 May 2014 16:46, Donald Stufft wrote:
> Anything can be changed or reconsidered of course. I feel pretty strongly that
> an installer should not install things from places other than the index without
> a specific opt in. That discussion would be best done on distutils-sig as it
> would req
Am 08.05.14 18:59, schrieb Brian Curtin:
> This is mostly a question for Martin, but perhaps someone else would also know.
>
> I'm trying to build the 2.7 installers so I can backport the path
> option from 3.3, but I can't seem to figure out which version of Tix
> is necessary to have a comple
This is mostly a question for Martin, but perhaps someone else would also know.
I'm trying to build the 2.7 installers so I can backport the path
option from 3.3, but I can't seem to figure out which version of Tix
is necessary to have a complete build. So far any of them on
http://svn.python.org/
On May 8, 2014, at 12:42 PM, R. David Murray wrote:
> On Thu, 08 May 2014 11:32:28 -0400, Donald Stufft wrote:
>> On May 8, 2014, at 11:21 AM, R. David Murray wrote:
>>> Ah, I understand now.
>>>
>>> Your perspective is as someone who is using pip for *deployment*.
>>
>> Deployment, or any k
On Thu, 08 May 2014 11:32:28 -0400, Donald Stufft wrote:
> On May 8, 2014, at 11:21 AM, R. David Murray wrote:
> > Ah, I understand now.
> >
> > Your perspective is as someone who is using pip for *deployment*.
>
> Deployment, or any kind of situation where you want to have a reproducible
> bui
On May 8, 2014, at 12:03 PM, Stefan Krah wrote:
> Donald Stufft wrote:
>> I said "meaningful". Almost nobody is going to ever bother googling it and
>> the likelihood that someone is able to MITM *you* specifically is far lesser
>> than the likelihood that someone is going to MITM one of the cd
Donald Stufft wrote:
> I said "meaningful". Almost nobody is going to ever bother googling it and
> the likelihood that someone is able to MITM *you* specifically is far lesser
> than the likelihood that someone is going to MITM one of the cdecimal users.
I'm doing this for important installs. --
On May 8, 2014, at 11:37 AM, M.-A. Lemburg wrote:
> On 08.05.2014 16:42, M.-A. Lemburg wrote:
>> On 08.05.2014 15:58, Donald Stufft wrote:
>>>
>>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg wrote:
>>>
>>>> Well, to be fair and leaving aside uptime concerns and the general
>>>> desire to always
On May 8, 2014, at 11:34 AM, Stefan Krah wrote:
> Donald Stufft wrote:
>>> Today I've switched to manual install mode with manual sha256sum verification
>>> which is *far* safer than anything you get via pip right now.
>>
>> It is not safer in any meaningful way.
>>
>> If someone is in a
On 08.05.2014 16:42, M.-A. Lemburg wrote:
> On 08.05.2014 15:58, Donald Stufft wrote:
>>
>> On May 8, 2014, at 9:39 AM, M.-A. Lemburg wrote:
>>
>>> Well, to be fair and leaving aside uptime concerns and the general
>>> desire to always install packages from some server instead of
>>> a safe and tr
Donald Stufft wrote:
> > Today I've switched to manual install mode with manual sha256sum verification
> > which is *far* safer than anything you get via pip right now.
>
> It is not safer in any meaningful way.
>
> If someone is in a position to compromise the integrity of PyPI's TLS, they
On May 8, 2014, at 11:21 AM, R. David Murray wrote:
> On Thu, 08 May 2014 10:37:15 -0400, Donald Stufft wrote:
>> Most users are not going to care up until the point where the external server
>> is unavailable, and then they care a whole lot. On the tin it sounds reasonable
>> to just downl
On May 8, 2014, at 11:19 AM, Stefan Krah wrote:
> Donald Stufft wrote:
>> hosted packages are brittle and more prone to failure. Every single external
>> server adds *another* SPOF into any particular install set. Even if every
>> external server has a 99.9% uptime, when you combine multiple of
On Thu, 08 May 2014 10:37:15 -0400, Donald Stufft wrote:
> Most users are not going to care up until the point where the external server
> is unavailable, and then they care a whole lot. On the tin it sounds reasonable
> to just download the external file if the server is up however we've done
Donald Stufft wrote:
> hosted packages are brittle and more prone to failure. Every single external
> server adds *another* SPOF into any particular install set. Even if every
> external server has a 99.9% uptime, when you combine multiple of them the total
> uptime of any particular set of req
On 9 May 2014 00:52, "M.-A. Lemburg" wrote:
>
> On 08.05.2014 15:57, Nick Coghlan wrote:
>
> > (even the question of "does this software actually work?" is in our
> > sights if you consider a long enough time span). That's hard enough
> > with just a couple of service providers (Fastly and Rackspa
On 8 May 2014, at 16:33, Brett Cannon wrote:
> On Thu May 08 2014 at 10:25:44 AM, Stéphane Wirtel wrote:
>
>> Hi all,
>>
>> What do you think about a CPython sprint at EuroPython 2014?
>>
>
> Great, although I think that answer would be considered obvious since there
> is no real negative to ho
On May 8, 2014, at 10:36 AM, Stefan Krah wrote:
> Donald Stufft wrote:
>> There is support for trusted externally hosted packages, you put the URL in
>> PyPI and include a hash in the fragment like so:
>>
>> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f
On 08.05.2014 15:57, Nick Coghlan wrote:
> On 8 May 2014 23:39, M.-A. Lemburg wrote:
>> However, for some reason there's a strong resistance against
>> doing this, which I frankly don't understand.
>
> Because we're taking responsibility for the end-to-end user experience
> of PyPI, and are expre
On 08.05.2014 15:58, Donald Stufft wrote:
>
> On May 8, 2014, at 9:39 AM, M.-A. Lemburg wrote:
>
>> Well, to be fair and leaving aside uptime concerns and the general
>> desire to always install packages from some server instead of
>> a safe and trusted local directory (probably too obvious ;-),
On May 8, 2014, at 10:31 AM, Antoine Pitrou wrote:
> On Thu, 08 May 2014 10:21:34 -0400
> "R. David Murray" wrote:
>>>
>>> "unreliable" reads as "not safe", ie: insecure.
>>>
>>> You probably want something like "and access to it may be unreliable".
>>
>> Actually, thinking about this some m
Donald Stufft wrote:
> There is support for trusted externally hosted packages, you put the URL in
> PyPI and include a hash in the fragment like so:
>
> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
That is exactly the mode I was us
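Added example, not pip's code and not part of any message in this thread: a small Python verifier for the "#algo=hexdigest" link form Donald describes above, which also covers the manual digest check Stefan mentions earlier in the thread (comparing a downloaded archive against a published digest and refusing it on mismatch). The host name, the archive bytes and the digests computed from them are constructed for the demonstration; accepting algorithms beyond md5 is an assumption about what such a verifier should do, not something the thread states. The one value taken from the thread is the md5 fragment in the cdecimal URL, used only to show that the fragment parses.

```python
"""Verify a downloaded file against the digest carried in its URL fragment.

Added example (not pip's code).  Models the "trusted externally hosted"
link form discussed in the thread:

    http://host/path/cdecimal-2.3.tar.gz#md5=<hexdigest>

The installer is expected to refuse the file unless the digest matches,
and to refuse an external link that carries no usable digest at all.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Algorithms this example accepts in the fragment (assumption: the thread only
# shows md5).  md5 is kept so the 2014-style links still verify, but it is
# collision-prone, so a publisher choosing a digest today should use sha256
# or stronger; verify_download() flags the weak ones.
SUPPORTED = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
WEAK = {"md5", "sha1"}


class HashMismatch(Exception):
    """Raised when the downloaded bytes do not match the published digest."""


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from a '#algo=hex' fragment, or None.

    None means "no usable digest": unknown algorithm, wrong digest length,
    or non-hex characters.  Callers must treat None as unverifiable.
    """
    fragment = urlsplit(url).fragment
    if "=" not in fragment:
        return None
    algo, _, digest = fragment.partition("=")
    algo = algo.strip().lower()
    digest = digest.strip().lower()
    if algo not in SUPPORTED:
        return None
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len:
        return None
    if any(c not in "0123456789abcdef" for c in digest):
        return None
    return algo, digest


def verify_download(url, data):
    """Check `data` (bytes fetched from `url`) against the URL's digest.

    Returns (algorithm, is_weak) on success.  Raises HashMismatch when the
    digest differs and ValueError when the link carries no usable digest,
    since an unverifiable external file is what the installer should refuse
    unless the user explicitly opts in.
    """
    parsed = parse_hash_fragment(url)
    if parsed is None:
        raise ValueError("no usable hash fragment on %s" % url)
    algo, expected = parsed
    actual = hashlib.new(algo, data).hexdigest()
    # A public digest is not a secret, but compare_digest costs nothing and
    # avoids an accidental early-exit string comparison.
    if not hmac.compare_digest(actual, expected):
        raise HashMismatch("%s: expected %s=%s, got %s" % (url, algo, expected, actual))
    return algo, algo in WEAK


# Constructed stand-in for the archive bytes; not the real cdecimal tarball.
SAMPLE_ARCHIVE = b"cdecimal-2.3.tar.gz: constructed sample payload\n"
TAMPERED_ARCHIVE = SAMPLE_ARCHIVE + b"#"
# Hypothetical host; the digests below are computed from SAMPLE_ARCHIVE.
BASE_URL = "http://example.invalid/releases/cdecimal-2.3.tar.gz"


def demo():
    """Run the verifier over a good link, a tampered download and a bare link."""
    good_md5 = BASE_URL + "#md5=" + hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
    good_sha256 = BASE_URL + "#sha256=" + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
    results = {}
    results["md5_ok"] = verify_download(good_md5, SAMPLE_ARCHIVE)
    results["sha256_ok"] = verify_download(good_sha256, SAMPLE_ARCHIVE)
    try:
        verify_download(good_sha256, TAMPERED_ARCHIVE)
        results["tampered"] = "accepted"
    except HashMismatch:
        results["tampered"] = "rejected"
    try:
        verify_download(BASE_URL, SAMPLE_ARCHIVE)
        results["no_hash"] = "accepted"
    except ValueError:
        results["no_hash"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The design point is that a link without a digest is an error, not a silent pass: the digest in the fragment is the only thing that ties an externally hosted file to what the publisher registered on PyPI, so a missing or malformed fragment leaves nothing to check and the safe default is to refuse.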
On May 8, 2014, at 10:21 AM, R. David Murray wrote:
> On Thu, 08 May 2014 10:11:39 -0400, "R. David Murray" wrote:
>> On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft wrote:
>>> I don't think the warning is FUD, and it doesn't mention anything security
>>> related at all. The exact text of
On Thu May 08 2014 at 10:25:44 AM, Stéphane Wirtel wrote:
> Hi all,
>
> What do you think about a CPython sprint at EuroPython 2014?
>
Great, although I think that answer would be considered obvious since there
is no real negative to holding sprints. =) Are you indirectly asking if
anyone plans
On Thu, 08 May 2014 10:21:34 -0400 "R. David Murray" wrote:
> >
> > "unreliable" reads as "not safe", ie: insecure.
> >
> > You probably want something like "and access to it may be unreliable".
>
> Actually, thinking about this some more, *most* end-users aren't going
> to care that there's an
Hi all,
What do you think about a CPython sprint at EuroPython 2014?
Regards,
Stephane
--
Stéphane Wirtel - http://wirtel.be - @matrixise
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
On Thu, 08 May 2014 10:11:39 -0400, "R. David Murray" wrote:
> On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft wrote:
> > I don't think the warning is FUD, and it doesn't mention anything security
> > related at all. The exact text of the warning is in the subject of the email
> > here:
> >
>
On May 8, 2014, at 10:11 AM, R. David Murray wrote:
> On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft wrote:
>> I don't think the warning is FUD, and it doesn't mention anything security
>> related at all. The exact text of the warning is in the subject of the email
>> here:
>>
>> cdecima
On Thu, 08 May 2014 09:58:08 -0400, Donald Stufft wrote:
> I don't think the warning is FUD, and it doesn't mention anything security
> related at all. The exact text of the warning is in the subject of the email
> here:
>
> cdecimal an externally hosted file and may be unreliable
>
> Which
On May 8, 2014, at 9:58 AM, Donald Stufft wrote:
> Now this does not mean that ``pip install cdecimal`` will automatically
> install
> this, because whether or not you're willing to install from servers other than
> PyPI[1] is a policy decision for the end user of pip.
I forgot to add, for ext
On May 8, 2014, at 9:39 AM, M.-A. Lemburg wrote:
> Well, to be fair and leaving aside uptime concerns and the general
> desire to always install packages from some server instead of
> a safe and trusted local directory (probably too obvious ;-),
> it would certainly be possible to add support fo
On 8 May 2014 23:39, M.-A. Lemburg wrote:
> However, for some reason there's a strong resistance against
> doing this, which I frankly don't understand.
Because we're taking responsibility for the end-to-end user experience
of PyPI, and are expressly trying to eliminate the elements of that
user
On Thu, May 8, 2014 at 11:39 PM, M.-A. Lemburg wrote:
> I agree with Stefan that the warning message wording is less
> than ideal. You'd normally call such blanket statements FUD,
> esp. since there are plenty external hosting services which
> are reliable and safe to use.
No, it's not FUD. Every
Well, to be fair and leaving aside uptime concerns and the general
desire to always install packages from some server instead of
a safe and trusted local directory (probably too obvious ;-),
it would certainly be possible to add support for
trusted externally hosted packages.
However, for some rea
On May 8, 2014, at 8:12 AM, Stefan Krah wrote:
> Victor Stinner wrote:
>> I don't understand your email. Can you please elaborate?
>
> There is nothing wrong with the package. The remark is a joke provoked by
> a long history of a campaign [1] against external packages on distutils-sig.
>
>
Victor Stinner wrote:
> I don't understand your email. Can you please elaborate?
There is nothing wrong with the package. The remark is a joke provoked by
a long history of a campaign [1] against external packages on distutils-sig.
Many tools (like crate.io, when it was still up) have made dero