From pje at telecommunity.com Mon Aug 1 17:41:47 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Mon, 01 Aug 2005 11:41:47 -0400
Subject: [Catalog-sig] PyPI update broke setuptools
In-Reply-To: <5.1.1.6.0.20050605180352.02208810@mail.telecommunity.com>
Message-ID: <5.1.1.6.0.20050801113700.026e1cf8@mail.telecommunity.com>
The new version of PyPI changed the third assumption below, breaking
setuptools' ability to do fallback searches for a request whose
upper/lowercase didn't precisely match the cases used by the package
author. Is there any chance someone could revert this, since this breaks a
ton of software in the field?
At 06:22 PM 6/5/2005 -0400, Phillip J. Eby wrote:
>For the benefit of the PyPI maintainers, here is a summary of EasyInstall's
>fairly minimal assumptions about PyPI's current behavior, assuming that
>"base-url" is the root URL of the package index:
>
> * Going to "base-url/SomePackage" produces an HTML page that either has
>a title containing "Index of Packages" and links to zero or more pages for
>specific versions, or else it is a single-version package page.
>
> * Single-version package pages may have a home page and download URL
>link, each of which occurs after '
Home Page' and '
Download URL'
>respectively, if present.
>
> * Going to "base-url/" (note trailing '/') produces an HTML page
>containing links to all active versions of registered packages
>
> * Links to package pages always have URLs of the form
>"base-url/SomePackage/itsVersion" - i.e., exactly two path parts following
>the base URL, with no query strings, parameters, fragments, etc.
>
>EasyInstall should continue to work with PyPI if these assumptions continue
>to hold.
From richardjones at optushome.com.au Tue Aug 2 00:00:11 2005
From: richardjones at optushome.com.au (Richard Jones)
Date: Tue, 2 Aug 2005 08:00:11 +1000
Subject: [Catalog-sig] PyPI update broke setuptools
In-Reply-To: <5.1.1.6.0.20050801113700.026e1cf8@mail.telecommunity.com>
References: <5.1.1.6.0.20050801113700.026e1cf8@mail.telecommunity.com>
Message-ID: <200508020800.11913.richardjones@optushome.com.au>
On Tue, 2 Aug 2005 01:41 am, Phillip J. Eby wrote:
> > * Going to "base-url/" (note trailing '/') produces an HTML page
> >containing links to all active versions of registered packages
Sorry, this didn't register when you first posted. You were relying on a
side-effect that I removed while we were trying to remove the "pypi" part of
the URL. It seemed wrong to me that PyPI would return totally different
results for:
http://cheeseshop.python.org/pypi
http://cheeseshop.python.org/pypi/
Is there any chance the software could be changed to use the more correct
"?:action=search" which is what the "/" side-effect was effectively doing?
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20050802/45443e22/attachment.pgp
From richardjones at optushome.com.au Tue Aug 2 00:24:39 2005
From: richardjones at optushome.com.au (Richard Jones)
Date: Tue, 2 Aug 2005 08:24:39 +1000
Subject: [Catalog-sig] PyPI update broke setuptools
In-Reply-To: <200508020800.11913.richardjones@optushome.com.au>
References: <5.1.1.6.0.20050801113700.026e1cf8@mail.telecommunity.com>
<200508020800.11913.richardjones@optushome.com.au>
Message-ID: <200508020824.39254.richardjones@optushome.com.au>
On Tue, 2 Aug 2005 08:00 am, Richard Jones wrote:
> On Tue, 2 Aug 2005 01:41 am, Phillip J. Eby wrote:
> > > * Going to "base-url/" (note trailing '/') produces an HTML page
> > >containing links to all active versions of registered packages
>
> Sorry, this didn't register when you first posted. You were relying on a
> side-effect that I removed while we were trying to remove the "pypi" part
> of the URL. It seemed wrong to me that PyPI would return totally different
> results for:
>
> http://cheeseshop.python.org/pypi
> http://cheeseshop.python.org/pypi/
I can't revert the change as currently the web server redirects
http://cheeseshop.python.org to the latter, so people going directly to that
URL will get the not-so-useful list of packages, rather than the home page. I
don't have root access to fix it either, but we'll work on it.
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20050802/33d640fa/attachment.pgp
From pje at telecommunity.com Tue Aug 2 02:42:17 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Mon, 01 Aug 2005 20:42:17 -0400
Subject: [Catalog-sig] PyPI update broke setuptools
Message-ID: <5.1.1.6.0.20050801202252.02591430@mail.telecommunity.com>
>Sorry, this didn't register when you first posted. You were relying on a
>side-effect that I removed while we were trying to remove the "pypi" part of
>the URL. It seemed wrong to me that PyPI would return totally different
>results for:
>
> http://cheeseshop.python.org/pypi
> http://cheeseshop.python.org/pypi/
Well, it seemed quite *right* to me, with "pypi" being the front page, and
pypi/ being the directory listing of packages. It fit perfectly with the
rest of the URL scheme, and so I assumed it was an intentional feature, not
just a desirable one. :)
>Is there any chance the software could be changed to use the more correct
>"?:action=search" which is what the "/" side-effect was effectively doing?
Certainly it could be changed, but because the PyPI change breaks the
versions that are already in the field, it would require a new release,
which would be rather awkward at the moment, because I don't want to force
people to upgrade to the heavily refactored 0.6 series from the relatively
stable 0.5 series. I was planning to make a release of 0.6a1 this coming
weekend, but not upgrade ez_setup, so that people would need to make a
conscious decision to upgrade. Thus, I'm somewhat loathe to put an
upgraded version into wide release in order to fix an unrelated problem.
Also, the reason I didn't use the uglier search API in the first place was
because the more REST-like interface using a / seemed more compatible with
manually-created catalogs. i.e., somebody can simulate a catalog of their
own just by using static files and directories, whereas the :action=search
thing is pretty heavily tied to a single protocol version of PyPI and
requires the index to be implemented using some kind of dynamic
technology. I deliberately wanted to make EasyInstall's protocol
expectations modest enough that a wide variety of technologies could
fulfill them, so as to allow for small private or specialty indexes to
exist without needing to set up databases and such running the same
software as PyPI.
PyPI's existing URL-based API (including the '/' trick) seemed *perfect*
for this, and both python.org/pypi and cheeseshop.python.org/ seemed to
obey it.
If the software has to change, it has to change. But I'd much prefer it if
we could restore service to existing versions of the software, and it would
also be nice if I could continue to allow people to create interoperable
indexes based on static files, without EasyInstall having to do more
sophisticated (and therefore more fragile) sniffing to tell what version of
PyPI (or not) it's running against, or having to introduce command line
options to tell EasyInstall what PyPI protocol version to use, or whatever.
From richardjones at optushome.com.au Fri Aug 5 04:07:57 2005
From: richardjones at optushome.com.au (Richard Jones)
Date: Fri, 5 Aug 2005 12:07:57 +1000
Subject: [Catalog-sig] PyPI enhancement doc
In-Reply-To: <42941CE4.7070206@colorstudy.com>
References: <42941CE4.7070206@colorstudy.com>
Message-ID: <200508051207.57610.richardjones@optushome.com.au>
On Wed, 25 May 2005 04:36 pm, Ian Bicking wrote:
> This is an initial list of proposed methods for PyPI to support:
> search(field_specifiers, [operator='and']):
> package_releases(package_name):
> package_stable_version(package_name):
> package_urls(package_name, version):
> package_data(package_name, version):
I have implemented as per your spec except as follows:
> All keys are required. None/NULL is translated to ''.
Missing values are marked "UNKNOWN" at the moment. This is a hysterical oddity
introduced by the PKG-INFO format, IIRC.
> Open issues: will emails be obscured? Is keywords turned into a list?
No and no at the moment.
> I'm a little soft on these, since I don't know if specifiers and the
> necessary metadata is really ready:
>
> providing_packages(specifier):
> A list of (name, version) from release_provides. E.g.,
> providing_packages('PageTemplate>=1.0') == [('zpt', '1.0')]. This
> will only return non-hidden packages.
>
> requiring_packages(specifier):
> A list of (name, version) from release_requires.
I haven't implemented these since we don't have code that handles dependency
lookup. I believe the data and implementation spec are all ready to go
though.
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20050805/7a379c44/attachment.pgp
From amk at amk.ca Fri Aug 5 14:28:30 2005
From: amk at amk.ca (A.M. Kuchling)
Date: Fri, 5 Aug 2005 08:28:30 -0400
Subject: [Catalog-sig] PyPI enhancement doc
In-Reply-To: <200508051207.57610.richardjones@optushome.com.au>
References: <42941CE4.7070206@colorstudy.com>
<200508051207.57610.richardjones@optushome.com.au>
Message-ID: <20050805122830.GB8968@rogue.amk.ca>
On Fri, Aug 05, 2005 at 12:07:57PM +1000, Richard Jones wrote:
> > This is an initial list of proposed methods for PyPI to support:
How should we document this API? DocXMLRPCserver.py could be used to
present a simple web page that used pydoc on the RPC methods, but we
should also have a few web pages describing it. Should it be a wiki
page, or an "official" page inside the pydotorg SVN tree?
(Describing the API would make a good oreillynet.com article. If no
one else wants to write one, I will...)
--amk
From pje at telecommunity.com Mon Aug 15 01:06:38 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Sun, 14 Aug 2005 19:06:38 -0400
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
Message-ID: <5.1.1.6.0.20050814183910.02704078@mail.telecommunity.com>
After thinking over the last week's distutils-sig discussion about
security, signatures, etc., I think I have a plan for handling basic file
integrity checking and (non-cryptographic) trust management for
EasyInstall. It is not a high-security end-to-end solution, but I think it
will allow security-conscious persons to take a more "locked down" approach
if they want to, while providing everyone else with some baseline
protection against corrupted files.
The first part of the plan is to add md5 digest checking to
EasyInstall. Because one of EasyInstall's design goals is to make it easy
for anybody to publish links to packages, we need to be able to include the
md5 signature in a package's URL. I'm thinking we could achieve this via
an '#md5=...' fragment identifier. For example, a setuptools source
archive URL might be:
http://www.python.org/packages/source/s/setuptools/setuptools-0.5a13.zip#md5=91f31a9058330174640a867cf5d4de57
The advantage of this approach is that it allows anyone to assert what the
md5 of the targeted file is, and it can be asserted in any web page, just
by pointing an HREF at the file. EasyInstall could detect the '#md5='
marker, and then use this to verify the file during download.
The disadvantage, of course, is that PyPI doesn't currently support this;
it creates a separate link to a page that displays the md5, and that URL
doesn't contain anything that connects it back to the distribution file it
refers to. I could probably create some kind of parsing hack to fix that
for PyPI, but it seems it might be worth adding the #md5 trick to PyPI to
support this.
EasyInstall would also need to grow a --require-md5 option, which would
refuse to install anything from a Subversion checkout or a distribution
without a known md5 signature.
In addition to md5 support in EasyInstall, I propose to also add it to
ez_setup; there, however, the md5 values for various distributions will be
hardcoded into ez_setup.py itself. (I'll make my "release" script append
the md5 signatures for new distributions to the end of ez_setup.py.) In
this way, the bootstrap installation of setuptools can also be reasonably
secured, as long as you trust a particular version of ez_setup.py.
The next part of the plan would be to add an --allow-hosts option to
EasyInstall. This would be a list of host wildcards that EasyInstall would
be allowed to contact. For example, --allow-hosts=*.python.org would let
EasyInstall download or scan pages from PyPI or www.python.org, but not
anywhere else. The default, if not specified, would be '*', meaning that
any host may be accessed. If EasyInstall finds itself about to download a
page or distribution from a host that isn't allowed, it will abort with a
message explaining the problem.
This would allow folks like Paul Moore to configure a default --allow-hosts
list in their pydistutils.cfg, to prevent EasyInstall from downloading
things from just any old place on the Internet. Once he's verified that he
trusts a particular site, he can edit pydistutils.cfg and add it, or else
manually download the blocked URL, publish it on a trusted intranet host, etc.
So, this is not a complete security solution, as it doesn't deal with
end-to-end file integrity, and could easily be subverted by taking over a
site somewhere in the middle (e.g. python.org). But until we have more of
the cryptographic infrastructure in place, I think this plan could provide
us with a good starting point. Comments, anyone?
From richardjones at optushome.com.au Mon Aug 15 01:37:31 2005
From: richardjones at optushome.com.au (Richard Jones)
Date: Mon, 15 Aug 2005 09:37:31 +1000
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
In-Reply-To: <5.1.1.6.0.20050814183910.02704078@mail.telecommunity.com>
References: <5.1.1.6.0.20050814183910.02704078@mail.telecommunity.com>
Message-ID: <200508150937.35777.richardjones@optushome.com.au>
On Mon, 15 Aug 2005 09:06 am, Phillip J. Eby wrote:
> After thinking over the last week's distutils-sig discussion about
> security, signatures, etc., I think I have a plan for handling basic file
> integrity checking and (non-cryptographic) trust management for
> EasyInstall.
I'm not on the distutils-sig any more (not sure why - I thought I was and
there just wasn't any discussion going on ;) so I've missed that discussion.
> The first part of the plan is to add md5 digest checking to
> EasyInstall. Because one of EasyInstall's design goals is to make it easy
> for anybody to publish links to packages, we need to be able to include the
> md5 signature in a package's URL. I'm thinking we could achieve this via
> an '#md5=...' fragment identifier. For example, a setuptools source
> archive URL might be:
>
> http://www.python.org/packages/source/s/setuptools/setuptools-0.5a13.zip#md
>5=91f31a9058330174640a867cf5d4de57
Any idea what various "normal" browsers do when they encounter something like
this?
> The advantage of this approach is that it allows anyone to assert what the
> md5 of the targeted file is, and it can be asserted in any web page, just
> by pointing an HREF at the file. EasyInstall could detect the '#md5='
> marker, and then use this to verify the file during download.
>
> The disadvantage, of course, is that PyPI doesn't currently support this;
As with all things that "PyPI doesn't currently support" I'm happy to add
features, and even happier for others to add features :)
> So, this is not a complete security solution, as it doesn't deal with
> end-to-end file integrity, and could easily be subverted by taking over a
> site somewhere in the middle (e.g. python.org). But until we have more of
> the cryptographic infrastructure in place, I think this plan could provide
> us with a good starting point. Comments, anyone?
I presume the distutils discussion included the signing of packages that PyPI
supports?
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20050815/5c3133f4/attachment.pgp
From ehs at pobox.com Mon Aug 15 03:30:37 2005
From: ehs at pobox.com (Edward Summers)
Date: Sun, 14 Aug 2005 20:30:37 -0500
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
In-Reply-To: <200508150937.35777.richardjones@optushome.com.au>
References: <5.1.1.6.0.20050814183910.02704078@mail.telecommunity.com>
<200508150937.35777.richardjones@optushome.com.au>
Message-ID:
On Aug 14, 2005, at 6:37 PM, Richard Jones wrote:
> As with all things that "PyPI doesn't currently support" I'm happy
> to add
> features, and even happier for others to add features :)
Speaking of adding features, is the PyPI CheeseShop source code
available in svn somewhere? How about the leatest db snapshot? I've
been playing around with the xmlrpc interface a bit and wondered how
a few things were working. Consider this volunteering to help out if
any hands are needed :-)
//Ed
From richardjones at optushome.com.au Mon Aug 15 03:40:36 2005
From: richardjones at optushome.com.au (Richard Jones)
Date: Mon, 15 Aug 2005 11:40:36 +1000
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
In-Reply-To:
References: <5.1.1.6.0.20050814183910.02704078@mail.telecommunity.com>
<200508150937.35777.richardjones@optushome.com.au>
Message-ID: <200508151140.43818.richardjones@optushome.com.au>
On Mon, 15 Aug 2005 11:30 am, Edward Summers wrote:
> On Aug 14, 2005, at 6:37 PM, Richard Jones wrote:
> > As with all things that "PyPI doesn't currently support" I'm happy
> > to add
> > features, and even happier for others to add features :)
>
> Speaking of adding features, is the PyPI CheeseShop source code
> available in svn somewhere?
The code is in the pydotorg svn repos:
https://svn.python.org/packages/trunk/pypi
> How about the leatest db snapshot?
We shouldn't really make db snapshots available as the db contains contact
info for all the submitters. If you'd like to write up a script that
generates dummy packages for testing, that'd be cool :)
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20050815/c160b0d7/attachment.pgp
From ehs at pobox.com Thu Aug 18 17:43:32 2005
From: ehs at pobox.com (Edward Summers)
Date: Thu, 18 Aug 2005 10:43:32 -0500
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
In-Reply-To: <200508151140.43818.richardjones@optushome.com.au>
References: <5.1.1.6.0.20050814183910.02704078@mail.telecommunity.com>
<200508150937.35777.richardjones@optushome.com.au>
<200508151140.43818.richardjones@optushome.com.au>
Message-ID: <83560D0C-3BF2-431D-9C34-FFD7B80549CD@pobox.com>
> We shouldn't really make db snapshots available as the db contains
> contact
> info for all the submitters. If you'd like to write up a script that
> generates dummy packages for testing, that'd be cool :)
That sounds like a good idea, and I'd be willing to take a stab at
it. Perhaps it would be easier to dump the existing db, and write a
program to obliterate the passwords in the snapshot? Are you worried
about people grabbing email addresses? Aren't those already available
via HTTP now?
It should be fairly trivial to write a program that copies the latest
text pgdump, obscures what needs to be obscured, and makes it
available for download no?
//Ed
From amk at amk.ca Fri Aug 19 00:22:18 2005
From: amk at amk.ca (A.M. Kuchling)
Date: Thu, 18 Aug 2005 18:22:18 -0400
Subject: [Catalog-sig] 'Hidden' field display bug
Message-ID: <20050818222218.GA23547@rogue.amk.ca>
For my packages on PyPI, the package editing page shows them as all
hidden; the 'Hide?' column is all "Yes". I went into the database and
toggled the hidden field for some of my packages, but that didn't make
any difference to what was displayed
Here's the relevant bit of the template. I don't know ZPT; is the
following excerpt correct?
Things like the version field are displayed correctly, so the variable
'release' seems to be defined. Is that attribute syntax correct?
--amk
From pje at telecommunity.com Fri Aug 19 01:08:23 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Thu, 18 Aug 2005 19:08:23 -0400
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
Message-ID: <5.1.1.6.0.20050818190358.01b3eeb0@mail.telecommunity.com>
On Mon, 15 Aug 2005, Richard Jones wrote:
>On Mon, 15 Aug 2005 09:06 am, Phillip J. Eby wrote:
> > The first part of the plan is to add md5 digest checking to
> > EasyInstall. Because one of EasyInstall's design goals is to make it easy
> > for anybody to publish links to packages, we need to be able to include the
> > md5 signature in a package's URL. I'm thinking we could achieve this via
> > an '#md5=...' fragment identifier. For example, a setuptools source
> > archive URL might be:
> >
> > http://www.python.org/packages/source/s/setuptools/setuptools-0.5a13.zip#md
> >5=91f31a9058330174640a867cf5d4de57
>
>Any idea what various "normal" browsers do when they encounter something like
>this?
Well, Firefox works fine. I haven't tried IE or Mozilla or anything
else. That is a valid link above, so if you still have the original email
you can click on it and see what happens. :)
> > So, this is not a complete security solution, as it doesn't deal with
> > end-to-end file integrity, and could easily be subverted by taking over a
> > site somewhere in the middle (e.g. python.org). But until we have more of
> > the cryptographic infrastructure in place, I think this plan could provide
> > us with a good starting point. Comments, anyone?
>
>I presume the distutils discussion included the signing of packages that PyPI
>supports?
Yes; I have yet to encounter a signed package yet, though, and I also don't
want to try to implement signature checking in the 0.6 series of
setuptools. I'll first need to learn to use GPG and get a real
understanding of how it deals with trust chains, and understand what
EasyInstall should do with them. Unless of course somebody already knows
what the design should be and can explain it well enough for me to
implement. :)
Even then though, I'd like to get 0.6a1 out the door first. I'm not 100%
sure 0.6a1 will even do any of the md5 stuff I proposed.
From richardjones at optushome.com.au Fri Aug 19 01:15:29 2005
From: richardjones at optushome.com.au (Richard Jones)
Date: Fri, 19 Aug 2005 09:15:29 +1000
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
In-Reply-To: <5.1.1.6.0.20050818190358.01b3eeb0@mail.telecommunity.com>
References: <5.1.1.6.0.20050818190358.01b3eeb0@mail.telecommunity.com>
Message-ID: <200508190915.33852.richardjones@optushome.com.au>
On Fri, 19 Aug 2005 09:08 am, Phillip J. Eby wrote:
> On Mon, 15 Aug 2005, Richard Jones wrote:
> > On Mon, 15 Aug 2005 09:06 am, Phillip J. Eby wrote:
> > > http://www.python.org/packages/source/s/setuptools/setuptools-0.5a13.zi
> > >p#md 5=91f31a9058330174640a867cf5d4de57
> >
> >Any idea what various "normal" browsers do when they encounter something
> > like this?
>
> Well, Firefox works fine. I haven't tried IE or Mozilla or anything
> else. That is a valid link above, so if you still have the original email
> you can click on it and see what happens. :)
I'll be wanting to hear feedback from someone who has IE before I make the
jump. I just worry too much, probably :)
> > > So, this is not a complete security solution, as it doesn't deal with
> > > end-to-end file integrity, and could easily be subverted by taking over
> > > a site somewhere in the middle (e.g. python.org). But until we have
> > > more of the cryptographic infrastructure in place, I think this plan
> > > could provide us with a good starting point. Comments, anyone?
> >
> >I presume the distutils discussion included the signing of packages that
> > PyPI supports?
>
> Yes; I have yet to encounter a signed package yet
http://www.python.org/pypi/roundup :)
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20050819/57b9350b/attachment.pgp
From pje at telecommunity.com Fri Aug 19 02:12:35 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Thu, 18 Aug 2005 20:12:35 -0400
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
In-Reply-To: <200508190915.33852.richardjones@optushome.com.au>
References: <5.1.1.6.0.20050818190358.01b3eeb0@mail.telecommunity.com>
<5.1.1.6.0.20050818190358.01b3eeb0@mail.telecommunity.com>
Message-ID: <5.1.1.6.0.20050818201200.01b34878@mail.telecommunity.com>
At 09:15 AM 8/19/2005 +1000, Richard Jones wrote:
>On Fri, 19 Aug 2005 09:08 am, Phillip J. Eby wrote:
> > Yes; I have yet to encounter a signed package yet
>
>http://www.python.org/pypi/roundup :)
FYI, the source package's signature file is empty.
From pje at telecommunity.com Fri Aug 19 03:11:21 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Thu, 18 Aug 2005 21:11:21 -0400
Subject: [Catalog-sig] File integrity checking and host blocking for
EasyInstall
In-Reply-To: <200508191022.52333.richardjones@optushome.com.au>
References: <5.1.1.6.0.20050818201200.01b34878@mail.telecommunity.com>
<5.1.1.6.0.20050818190358.01b3eeb0@mail.telecommunity.com>
<5.1.1.6.0.20050818201200.01b34878@mail.telecommunity.com>
Message-ID: <5.1.1.6.0.20050818210951.01b349b0@mail.telecommunity.com>
At 10:22 AM 8/19/2005 +1000, Richard Jones wrote:
>On Fri, 19 Aug 2005 10:12 am, you wrote:
> > At 09:15 AM 8/19/2005 +1000, Richard Jones wrote:
> > >On Fri, 19 Aug 2005 09:08 am, Phillip J. Eby wrote:
> > > > Yes; I have yet to encounter a signed package yet
> > >
> > >http://www.python.org/pypi/roundup :)
> >
> > FYI, the source package's signature file is empty.
>
>Not for me it isn't.
How odd; my Firefox shows it consistently empty, but not for the binary
package, and if I try to access the file from a different machine, it's not
empty.
Browsers. Can't live with 'em, can't live without 'em.
From westside_indie at yahoo.com Sun Aug 21 18:27:32 2005
From: westside_indie at yahoo.com (John Walton)
Date: Sun, 21 Aug 2005 09:27:32 -0700 (PDT)
Subject: [Catalog-sig] networking programming
Message-ID: <20050821162732.30206.qmail@web31007.mail.mud.yahoo.com>
Hello, everyone. I just began school, and they
already assigned us science fair. Since I'm in 8th
grade, I get to do demonstrations for our projects.
I'm probably going to demonstrate Python's networking
capabilities by writing a simple instant messenger
program. I only have a few problems:
1. I know squat about Python network Programming
2. I know nothing about networks
So if any of you know of a good Python Networking
Tutorial or a website with lots of information on
networks and networking, please reply. Thanks!
__________________________________
Yahoo! Mail for Mobile
Take Yahoo! Mail with you! Check email on your mobile phone.
http://mobile.yahoo.com/learn/mail
From ianb at colorstudy.com Sun Aug 21 21:20:39 2005
From: ianb at colorstudy.com (Ian Bicking)
Date: Sun, 21 Aug 2005 14:20:39 -0500
Subject: [Catalog-sig] networking programming
In-Reply-To: <20050821162732.30206.qmail@web31007.mail.mud.yahoo.com>
References: <20050821162732.30206.qmail@web31007.mail.mud.yahoo.com>
Message-ID: <4308D407.9080200@colorstudy.com>
John Walton wrote:
> Hello, everyone. I just began school, and they
> already assigned us science fair. Since I'm in 8th
> grade, I get to do demonstrations for our projects.
> I'm probably going to demonstrate Python's networking
> capabilities by writing a simple instant messenger
> program. I only have a few problems:
>
> 1. I know squat about Python network Programming
>
> 2. I know nothing about networks
>
> So if any of you know of a good Python Networking
> Tutorial or a website with lots of information on
> networks and networking, please reply. Thanks!
It would probably be better to ask on the tutor or general python lists:
http://mail.python.org/mailman/listinfo/tutor
http://mail.python.org/mailman/listinfo/python-list
--
Ian Bicking / ianb at colorstudy.com / http://blog.ianbicking.org
From westside_indie at yahoo.com Mon Aug 22 05:49:51 2005
From: westside_indie at yahoo.com (John Walton)
Date: Sun, 21 Aug 2005 20:49:51 -0700 (PDT)
Subject: [Catalog-sig] Networking Information
Message-ID: <20050822034951.38527.qmail@web31011.mail.mud.yahoo.com>
Hello. It's me again. Thanks for all the help with
the Python Networking Resources, but does anyone know
what I'll need to know to write a paper on Network
Programming and Python. Like terminology and all
that. Maybe I'll have a section on socketets, TCP,
Clients (half of the stuff I don't even know what it
means). So, does anyone know any good websites with
Network Programming information. Thanks!
John
____________________________________________________
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs
From pje at telecommunity.com Mon Aug 22 06:03:10 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Mon, 22 Aug 2005 00:03:10 -0400
Subject: [Catalog-sig] setuptools/EasyInstall 0.6a1 candidate 1 snapshot
Message-ID: <5.1.1.6.0.20050821235458.01afafd8@mail.telecommunity.com>
This thing's been in limbo too long, so I've made a prerelease
snapshot. You can get it with:
easy_install -f http://peak.telecommunity.com/snapshots/ setuptools
I have fixed all reported bugs, and implemented quite a few new features
like MD5 checking (which works even with PyPI's md5 data) and an enhanced
"build_ext --inplace" that lets you switch between different Python
interpreters without having to recompile your extensions. (The extensions
are built in build/, then copied to the source tree whenever you
"build_ext" using a different interpreter than the last.)
If you have any projects using setuptools, I encourage you to give this
snapshot a try, so I can find out if there are still any lurking bugs. If
there are no bug reports by next weekend, this will get pushed out as 0.6a1.
If you want to look at the documentation, use CVS or browse the
EasyInstall.txt, setuptools.txt, and pkg_resources.txt files found at:
http://cvs.sourceforge.net/viewcvs.py/python/python/nondist/sandbox/setuptools/
(I just made some changes to these, however, that may take a few hours to
update in SourceForge's anonymous CVS.)
From richardjones at optushome.com.au Mon Aug 22 06:30:09 2005
From: richardjones at optushome.com.au (Richard Jones)
Date: Mon, 22 Aug 2005 14:30:09 +1000
Subject: [Catalog-sig] setuptools/EasyInstall 0.6a1 candidate 1 snapshot
In-Reply-To: <5.1.1.6.0.20050821235458.01afafd8@mail.telecommunity.com>
References: <5.1.1.6.0.20050821235458.01afafd8@mail.telecommunity.com>
Message-ID: <200508221430.10167.richardjones@optushome.com.au>
On Mon, 22 Aug 2005 02:03 pm, Phillip J. Eby wrote:
> I have fixed all reported bugs, and implemented quite a few new features
> like MD5 checking (which works even with PyPI's md5 data)
Glad you could get things going in spite of PyPI :)
I'm going to be busy with PyWeek for the next few weeks. Once that's out of
the way, I can do some PyPI stuff if need be (of course, anyone else is free
to work on PyPI too... :)
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20050822/bd2ba436/attachment.pgp
From pje at telecommunity.com Mon Aug 22 14:59:41 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Mon, 22 Aug 2005 08:59:41 -0400
Subject: [Catalog-sig] setuptools/EasyInstall 0.6a1 candidate 1 snapshot
In-Reply-To: <200508221430.10167.richardjones@optushome.com.au>
References: <5.1.1.6.0.20050821235458.01afafd8@mail.telecommunity.com>
<5.1.1.6.0.20050821235458.01afafd8@mail.telecommunity.com>
Message-ID: <5.1.1.6.0.20050822023224.01b22720@mail.telecommunity.com>
At 02:30 PM 8/22/2005 +1000, Richard Jones wrote:
>On Mon, 22 Aug 2005 02:03 pm, Phillip J. Eby wrote:
> > I have fixed all reported bugs, and implemented quite a few new features
> > like MD5 checking (which works even with PyPI's md5 data)
>
>Glad you could get things going in spite of PyPI :)
I didn't mean it *that* way. In fact, one of the other changes in this
release is that I took out the workarounds for .egg uploads not being
supported.
From ianb at colorstudy.com Mon Aug 22 20:26:27 2005
From: ianb at colorstudy.com (Ian Bicking)
Date: Mon, 22 Aug 2005 13:26:27 -0500
Subject: [Catalog-sig] setuptools or PyPI problem...?
Message-ID: <430A18D3.5040700@colorstudy.com>
I don't know which side this belongs to, but I had a problem when I
tried to create a package with a "-" in it ("Paste-Deploy"). setup.py
register worked fine, and created a "Paste-Deploy" project; however,
when I did an upload it created a "Paste_Deploy-0.1.tar.gz" file, and
PyPI wouldn't accept it, I believe because it thought it belonged to the
(nonexistant) Paste_Deploy project. In the end I just smushed the words
together, but I figure this really should work. I don't know if it's
setuptools (or distutils) that is uploading to PyPI incorrectly, or PyPI
that is mismatching projects.
--
Ian Bicking / ianb at colorstudy.com / http://blog.ianbicking.org
From pje at telecommunity.com Mon Aug 22 20:43:44 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Mon, 22 Aug 2005 14:43:44 -0400
Subject: [Catalog-sig] [Distutils] setuptools or PyPI problem...?
In-Reply-To: <430A18D3.5040700@colorstudy.com>
Message-ID: <5.1.1.6.0.20050822143617.01b224a0@mail.telecommunity.com>
At 01:26 PM 8/22/2005 -0500, Ian Bicking wrote:
>I don't know which side this belongs to, but I had a problem when I
>tried to create a package with a "-" in it ("Paste-Deploy"). setup.py
>register worked fine, and created a "Paste-Deploy" project; however,
>when I did an upload it created a "Paste_Deploy-0.1.tar.gz" file, and
>PyPI wouldn't accept it, I believe because it thought it belonged to the
>(nonexistant) Paste_Deploy project. In the end I just smushed the words
>together, but I figure this really should work. I don't know if it's
>setuptools (or distutils) that is uploading to PyPI incorrectly, or PyPI
>that is mismatching projects.
Try the latest setuptools; you shouldn't have this problem as I changed it
not to create anything other than eggs with escaped '-' characters.
However, it would be very nice to have PyPI support escaped
nonalphanumerics in filenames, as they are a bitch to deal with
otherwise. Eggs absolutely have to have an unambiguously parseable
filename, and the only way to do that is by escaping '-' to '_'. This
means that you can't upload eggs for a project named e.g. 'Paste-Deploy',
if PyPI rejects a Paste_Deploy-whatever.egg file.
On the broader scope of things, I'd like to see PyPI smash all
non-alphanumeric runs in project names to a single '-', and use
case-insensitive project name comparison. I'd attempt to try my hand at
PyPI patches but at the moment don't have any obvious way to test them.
From martin at v.loewis.de Tue Aug 23 00:01:00 2005
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Tue, 23 Aug 2005 00:01:00 +0200
Subject: [Catalog-sig] setuptools or PyPI problem...?
In-Reply-To: <430A18D3.5040700@colorstudy.com>
References: <430A18D3.5040700@colorstudy.com>
Message-ID: <430A4B1C.8020900@v.loewis.de>
Ian Bicking wrote:
> I don't know which side this belongs to, but I had a problem when I
> tried to create a package with a "-" in it ("Paste-Deploy"). setup.py
> register worked fine, and created a "Paste-Deploy" project; however,
> when I did an upload it created a "Paste_Deploy-0.1.tar.gz" file, and
> PyPI wouldn't accept it, I believe because it thought it belonged to the
> (nonexistant) Paste_Deploy project. In the end I just smushed the words
> together, but I figure this really should work. I don't know if it's
> setuptools (or distutils) that is uploading to PyPI incorrectly, or PyPI
> that is mismatching projects.
Sounds like a PyPI problem to me.
Regards,
Martin
From pje at telecommunity.com Tue Aug 23 00:03:53 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Mon, 22 Aug 2005 18:03:53 -0400
Subject: [Catalog-sig] setuptools/EasyInstall 0.6a1 candidate 1 snapshot
In-Reply-To: <200508230752.25321.richardjones@optushome.com.au>
References: <5.1.1.6.0.20050822023224.01b22720@mail.telecommunity.com>
<5.1.1.6.0.20050821235458.01afafd8@mail.telecommunity.com>
<5.1.1.6.0.20050822023224.01b22720@mail.telecommunity.com>
Message-ID: <5.1.1.6.0.20050822180055.01b22d78@mail.telecommunity.com>
At 07:52 AM 8/23/2005 +1000, Richard Jones wrote:
>On Mon, 22 Aug 2005 10:59 pm, you wrote:
> > At 02:30 PM 8/22/2005 +1000, Richard Jones wrote:
> > >On Mon, 22 Aug 2005 02:03 pm, Phillip J. Eby wrote:
> > > > I have fixed all reported bugs, and implemented quite a few new
> > > > features like MD5 checking (which works even with PyPI's md5 data)
> > >
> > >Glad you could get things going in spite of PyPI :)
> >
> > I didn't mean it *that* way.
>
>I was being silly, mostly :)
>
>
> > In fact, one of the other changes in this
> > release is that I took out the workarounds for .egg uploads not being
> > supported.
>
>I thought they were supported now....
They are! That's why I was able to remove the
workarounds! :) Previously, setuptools' "upload" command renamed egg
uploads to .egg.zip and pretended they were source distributions. I've
removed those hacks, because PyPI supports egg uploads just fine now.
From richardjones at optushome.com.au Tue Aug 23 00:29:31 2005
From: richardjones at optushome.com.au (Richard Jones)
Date: Tue, 23 Aug 2005 08:29:31 +1000
Subject: [Catalog-sig] [Distutils] setuptools or PyPI problem...?
In-Reply-To: <5.1.1.6.0.20050822143617.01b224a0@mail.telecommunity.com>
References: <5.1.1.6.0.20050822143617.01b224a0@mail.telecommunity.com>
Message-ID: <200508230829.31592.richardjones@optushome.com.au>
On Tue, 23 Aug 2005 04:43 am, Phillip J. Eby wrote:
> On the broader scope of things, I'd like to see PyPI smash all
> non-alphanumeric runs in project names to a single '-', and use
> case-insensitive project name comparison. I'd attempt to try my hand at
> PyPI patches but at the moment don't have any obvious way to test them.
I'm not sure I'm comfortable with this. The only key of uniqueness for
packages is / ... if we start messing with the package
name...
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20050823/0bc65d7b/attachment.pgp
From pje at telecommunity.com Tue Aug 23 01:19:09 2005
From: pje at telecommunity.com (Phillip J. Eby)
Date: Mon, 22 Aug 2005 19:19:09 -0400
Subject: [Catalog-sig] [Distutils] setuptools or PyPI problem...?
In-Reply-To: <200508230829.31592.richardjones@optushome.com.au>
References: <5.1.1.6.0.20050822143617.01b224a0@mail.telecommunity.com>
<5.1.1.6.0.20050822143617.01b224a0@mail.telecommunity.com>
Message-ID: <5.1.1.6.0.20050822190414.01b19d98@mail.telecommunity.com>
At 08:29 AM 8/23/2005 +1000, Richard Jones wrote:
>On Tue, 23 Aug 2005 04:43 am, Phillip J. Eby wrote:
> > On the broader scope of things, I'd like to see PyPI smash all
> > non-alphanumeric runs in project names to a single '-', and use
> > case-insensitive project name comparison. I'd attempt to try my hand at
> > PyPI patches but at the moment don't have any obvious way to test them.
>
>I'm not sure I'm comfortable with this. The only key of uniqueness for
>packages is / ... if we start messing with the package
>name...
I'm just pointing out that these changes make the packaging system *more*
robust, not less -- as long as it's done relatively soon.
Right now, we have people creating packages with names like "Python Super
Whatchamacallit!" because they're not using the distutils and therefore
don't notice that it's impossible to build a sane distribution with that
name. At the opposite extreme, we have packages with VERYMixedCase that
nobody will ever remember how to type correctly except the package author. :)
Neither of these is a big problem when EasyInstall isn't a part of the mix,
because if the data's crap, who cares? However, for EasyInstall it's not
practical to try to type "easy_install 'Python Super Whatchamacallit!'" or
"easy_install VERYMixedCase" and get it right. It would be better if these
names were canonicalized (internal to PyPI) as
"python_super_whatchamacallit_" and "verymixedcase", with those values
being used as database keys. This would prevent having both a
"VeryMixedCase" and a "VERYMixedCase" at the same time (e.g. 'sqlobject'
and 'SQLObject').
Case-insensitivity is needed because some important platforms (Windows, Mac
OS X) have case-insensitive filesystems. Ergo, 'SQLObject-1.0-py2.3.egg'
and 'sqlobject-1.0-py2.3.egg' are the *same file* on such systems, which is
just not going to work.
Similarly, escaping non-alphanumerics as '_' (in both the project name and
version) is necessary to ensure that egg filenames are unambiguously
machine-readable. Currently the distutils happily produces distributions
with names like 'Paste-Deploy-1.2-prerelease.tar.gz', which are
ambiguous. A program can't tell with any certainty whether this is package
"Paste", version "Deploy-1.2-prerelease", or package "Paste-Deploy-1.2",
version "prerelease", or whatever else. Any rule you can think of that
would sort out the ambiguity, I can probably find an *actual*
counterexample for you in the PyPI database! (For example, there are
packages with numbers in their names, so you can't use that to figure out
where the version starts.)
Currently, I work around case-sensitivity and ambiguity on PyPI by doing a
full index search if there's no correct case match. I also build an index
that contains all possible interpretations(!) of ambiguous filenames, so
that I can match against what a user asked for. Luckily, the odds of
somebody mistakenly requesting version "Deploy-1.2-prerelease" of "Paste"
and thereby getting Paste-Deploy version 1.2-prerelease instead are fairly
low. :)
However, while I can do that workaround for indexing PyPI's contents, it
doesn't work for installed eggs; the names *must* be unambiguous in order
to avoid the overhead of opening or extracting PKG-INFO in order to find
out the distribution's name. So egg files at least need to turn '-' to '_'
in their filenames.