From lists at zopyx.com  Sat Aug  1 17:05:37 2009
From: lists at zopyx.com (Andreas Jung)
Date: Sat, 01 Aug 2009 17:05:37 +0200
Subject: [Catalog-sig] package with the longest version string
In-Reply-To: <op.uxwrhpchbrrvlq@double>
References: <op.uxwrhpchbrrvlq@double>
Message-ID: <4A7459C1.1070704@zopyx.com>

On 31.07.09 03:23, Sridhar Ratnakumar wrote:
> .. must be this:
>
>  
> http://pypi.python.org/pypi/softwarefabrica.django.crud/1.0dev-BZR-r79-panta-elasticworld.org-20090316230356-bp41wibodhmypvep

PyPI, the package toilet :->

Andreas

From chris at simplistix.co.uk  Wed Aug 19 13:54:02 2009
From: chris at simplistix.co.uk (Chris Withers)
Date: Wed, 19 Aug 2009 12:54:02 +0100
Subject: [Catalog-sig] Problems uploading a .msi
In-Reply-To: <1250681687.3962.6.camel@sverker-laptop>
References: <4A8ABC2A.30805@simplistix.co.uk>
	<1250681687.3962.6.camel@sverker-laptop>
Message-ID: <4A8BE7DA.4050300@simplistix.co.uk>

Sverker Nilsson wrote:
> Yes, I could see you attached a Windows installer.
> But I could not upload it. PyPi complained:
> 
> Error processing form
> 
> invalid distribution file

This was a .msi and I experienced the same thing.
Is this a known problem?

Chris

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
            - http://www.simplistix.co.uk

From martin at v.loewis.de  Wed Aug 19 21:39:26 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Wed, 19 Aug 2009 21:39:26 +0200
Subject: [Catalog-sig] Problems uploading a .msi
In-Reply-To: <4A8BE7DA.4050300@simplistix.co.uk>
References: <4A8ABC2A.30805@simplistix.co.uk>	<1250681687.3962.6.camel@sverker-laptop>
	<4A8BE7DA.4050300@simplistix.co.uk>
Message-ID: <4A8C54EE.1020202@v.loewis.de>

> This was a .msi and I experienced the same thing.
> Is this a known problem?

PyPI didn't support MSI files, but it does now.

Please try again.

Regards,
Martin

From martin at v.loewis.de  Fri Aug 21 16:33:14 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Fri, 21 Aug 2009 16:33:14 +0200
Subject: [Catalog-sig] HTML in long description
Message-ID: <4A8EB02A.9070001@v.loewis.de>

Should PyPI support HTML in the long_description field?

The current implementation tries to pass the long_description
to docutils, with the settings raw_enabled=0, file_insertion_enabled=0,
halt_level=2, report_level=5. If parsing fails, it will wrap
the long_description with a <PRE> element.

As a side effect of that, HTML in long_description seems to work,
but it isn't really supported.

Which way should PyPI go: escape all markup if ReST rendering fails?
Or else allow arbitrary HTML to be embedded? I'm worried that somebody
would create a cross-site attack out of that...

Regards,
Martin

From fdrake at gmail.com  Fri Aug 21 16:35:25 2009
From: fdrake at gmail.com (Fred Drake)
Date: Fri, 21 Aug 2009 10:35:25 -0400
Subject: [Catalog-sig] HTML in long description
In-Reply-To: <4A8EB02A.9070001@v.loewis.de>
References: <4A8EB02A.9070001@v.loewis.de>
Message-ID: <9cee7ab80908210735l67039347w2ccd13a5e822275b@mail.gmail.com>

On Fri, Aug 21, 2009 at 10:33 AM, "Martin v. Löwis"<martin at v.loewis.de> wrote:
> Which way should PyPI go: escape all markup if ReST rendering fails?
> Or else allow arbitrary HTML to be embedded? I'm worried that somebody
> would create a cross-site attack out of that...

Same here; the text in the <pre> should be properly escaped.


  -Fred

-- 
Fred L. Drake, Jr.    <fdrake at gmail.com>
"Chaos is the score upon which reality is written." --Henry Miller
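
The fallback path discussed in this thread, as an added example (not PyPI's code and not part of any message above): it runs docutils with the settings Martin lists and compares wrapping a failed description in <pre> verbatim with escaping it first. The function names and the sample description are constructed for illustration, and Python 3 with docutils installed is assumed; without docutils every input simply takes the fallback path.

```python
import html

try:
    from docutils.core import publish_parts
except ImportError:
    publish_parts = None  # assumption: no docutils means "rendering always fails"

# The docutils settings quoted in the thread.
PYPI_SETTINGS = {
    "raw_enabled": 0,
    "file_insertion_enabled": 0,
    "halt_level": 2,
    "report_level": 5,
}


def render_rst(text):
    """Return an HTML fragment for `text`, or None if reST rendering fails."""
    if publish_parts is None:
        return None
    try:
        parts = publish_parts(text, writer_name="html",
                              settings_overrides=PYPI_SETTINGS)
    except (Exception, SystemExit):
        # halt_level=2 makes docutils raise on any warning; SystemExit is
        # caught as well so no docutils exit path can end the web process.
        return None
    return parts["fragment"]


def render_unescaped(text):
    """'Before': on failure the description is wrapped in <pre> verbatim,
    so any markup it contains reaches the browser as markup."""
    fragment = render_rst(text)
    if fragment is None:
        return "<pre>" + text + "</pre>"
    return fragment


def render_escaped(text):
    """'After': on failure the description is escaped before it is wrapped,
    so the browser shows the markup as text."""
    fragment = render_rst(text)
    if fragment is None:
        return "<pre>" + html.escape(text) + "</pre>"
    return fragment


# Constructed sample description. With raw_enabled=0 the "raw" directive
# produces a docutils warning, which halt_level=2 turns into a failure,
# so this text always ends up on the fallback path.
SAMPLE = (
    "My package\n"
    "==========\n"
    "\n"
    ".. raw:: html\n"
    "\n"
    "   <script>alert(1)</script>\n"
)

if __name__ == "__main__":
    print("unescaped fallback:\n" + render_unescaped(SAMPLE))
    print("escaped fallback:\n" + render_escaped(SAMPLE))
```

Text that docutils does parse is escaped by its HTML writer, so only the failure path needs the explicit html.escape call.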

From ziade.tarek at gmail.com  Fri Aug 21 16:51:37 2009
From: ziade.tarek at gmail.com (Tarek Ziadé)
Date: Fri, 21 Aug 2009 16:51:37 +0200
Subject: [Catalog-sig] HTML in long description
In-Reply-To: <9cee7ab80908210735l67039347w2ccd13a5e822275b@mail.gmail.com>
References: <4A8EB02A.9070001@v.loewis.de>
	<9cee7ab80908210735l67039347w2ccd13a5e822275b@mail.gmail.com>
Message-ID: <94bdd2610908210751w6e35f03ct4bac396b4c008037@mail.gmail.com>

On Fri, Aug 21, 2009 at 4:35 PM, Fred Drake<fdrake at gmail.com> wrote:
> On Fri, Aug 21, 2009 at 10:33 AM, "Martin v. Löwis"<martin at v.loewis.de> wrote:
>> Which way should PyPI go: escape all markup if ReST rendering fails?
>> Or else allow arbitrary HTML to be embedded? I'm worried that somebody
>> would create a cross-site attack out of that...
>
> Same here; the text in the <pre> should be properly escaped.

FWIW lxml.html is pretty convenient to remove any dangerous tag, it's
a one-liner that will get rid of any <form> <script> <embed> etc..

But in any case, I find the current situation fuzzy:

The reStructuredText format is an implicit rule from pypi and trying an
rst2html process on server side, no matter what long_description contains,
seems like a bad practice to me.

I'd like to see the nature of long_description explicitly declared in
the metadata.

For example we could have a "long_description_format" field that would
be 'text', 'html' or 'restructuredtext'.

If present, PyPI could use this info to decide what it should do with
long_description (although this does not remove the need to clean it up
on server side for security reasons of course).

Last, notice that there's a new command in distutils called "check",
that can be used to check if the long_description field content compiles
well in reStructuredText. This client-side process is convenient to avoid
any error or warning on the PyPI page.

(it's available only if docutils is installed of course)


-- 
Tarek Ziadé | http://ziade.org

From martin at v.loewis.de  Fri Aug 21 17:05:47 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Fri, 21 Aug 2009 17:05:47 +0200
Subject: [Catalog-sig] HTML in long description
In-Reply-To: <94bdd2610908210751w6e35f03ct4bac396b4c008037@mail.gmail.com>
References: <4A8EB02A.9070001@v.loewis.de>	
	<9cee7ab80908210735l67039347w2ccd13a5e822275b@mail.gmail.com>
	<94bdd2610908210751w6e35f03ct4bac396b4c008037@mail.gmail.com>
Message-ID: <4A8EB7CB.6040609@v.loewis.de>

> FWIW lxml.html is pretty convenient to remove any dangerous tag, it's
> a one-liner that will get rid of any <form> <script> <embed> etc..

Hmm. Is there a library whose *explicit* purpose is to create "safe"
HTML? I would be hesitating to implement it myself.

> The reStructuredText format is an implicit rule from pypi and trying an
> rst2html process on server side, no matter what long_description contains,
> seems like a bad practice to me.

I think it's not too bad. Since the long_description is either plain
text or ReST, the cost of misinterpretation is really low - ReST may
get mis-rendered as preformatted plain text, in which case it will
remain readable still.

> I'd like to see the nature of long_description explicitly declared in
> the metadata
> 
> For example we could have a "long_description_format" field that would
> be 'text', 'html' or 'restructuredtext'

Sounds fairly complex to me. I think I could accept it - but if html
is removed from the list of allowed formats (which I think it should),
then I don't think this overhead is really needed.

> Last, notice that there's a new command in distutils called "check",
> that can be used to check if the long_description field content compiles
> well in reStructuredText. This client-side process is convenient to avoid
> any error or warning on the PyPI page.

That could be done, either way, IMO. It might also be useful to have a
distutils command that generates a pypi-like page, so that people can
preview the rendered description.

Regards,
Martin

From ziade.tarek at gmail.com  Fri Aug 21 17:15:36 2009
From: ziade.tarek at gmail.com (Tarek Ziadé)
Date: Fri, 21 Aug 2009 17:15:36 +0200
Subject: [Catalog-sig] HTML in long description
In-Reply-To: <4A8EB7CB.6040609@v.loewis.de>
References: <4A8EB02A.9070001@v.loewis.de>
	<9cee7ab80908210735l67039347w2ccd13a5e822275b@mail.gmail.com>
	<94bdd2610908210751w6e35f03ct4bac396b4c008037@mail.gmail.com>
	<4A8EB7CB.6040609@v.loewis.de>
Message-ID: <94bdd2610908210815j6c37dc4cr62d8c55399b049dc@mail.gmail.com>

2009/8/21 "Martin v. Löwis" <martin at v.loewis.de>:
>> FWIW lxml.html is pretty convenient to remove any dangerous tag, it's
>> a one-liner that will get rid of any <form> <script> <embed> etc..
>
> Hmm. Is there a library whose *explicit* purpose is to create "safe"
> HTML? I would be hesitating to implement it myself.

Well, that's *one* of the explicit goals of lxml.html, see
http://codespeak.net/lxml/lxmlhtml.html#cleaning-up-html

I used to do it myself using SGMLParser (based on the well known
active state recipe), then I discovered this one,
which does the work fine.


>> The reStructuredText format is an implicit rule from pypi and trying an
>> rst2html process on server side, no matter what long_description contains,
>> seems like a bad practice to me.
>
> I think it's not too bad. Since the long_description is either plain
> text or ReST, the cost of misinterpretation is really low - ReST may
> get mis-rendered as preformatted plain text, in which case it will
> remain readable still.
>

Sure we can live with it,

> [..]
>
> That could be done, either way, IMO. It might also be useful to have a
> distutils command that generates a pypi-like page, so that people can
> preview the rendered description.

yes that's basically :

$ python setup.py --long-description | rst2html.py > preview.html

Maybe that could be a '--preview' option to the existing "register" command,
to create that preview, to avoid adding an extra command for such a
specific need

Regards
Tarek

-- 
Tarek Ziadé | http://ziade.org

From chris at simplistix.co.uk  Mon Aug 24 18:00:08 2009
From: chris at simplistix.co.uk (Chris Withers)
Date: Mon, 24 Aug 2009 17:00:08 +0100
Subject: [Catalog-sig] Problems uploading a .msi
In-Reply-To: <4A8C54EE.1020202@v.loewis.de>
References: <4A8ABC2A.30805@simplistix.co.uk>	<1250681687.3962.6.camel@sverker-laptop>	<4A8BE7DA.4050300@simplistix.co.uk>
	<4A8C54EE.1020202@v.loewis.de>
Message-ID: <4A92B908.5000609@simplistix.co.uk>

Martin v. Löwis wrote:
>> This was a .msi and I experienced the same thing.
>> Is this a known problem?
> 
> PyPI didn't support MSI files, but it does now.
> 
> Please try again.

Cool, it works :-)

Chris

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
            - http://www.simplistix.co.uk

From mramm at corp.sourceforge.com  Wed Aug 26 02:10:48 2009
From: mramm at corp.sourceforge.com (Mark Ramm-christensen)
Date: Tue, 25 Aug 2009 20:10:48 -0400
Subject: [Catalog-sig] SourceForge mirroring
Message-ID: <56db523f0908251710v314a3b19gdbe06e963acf650c@mail.gmail.com>

I've been working at SourceForge for the last few months, and we've
got an interest in helping out the python community as much as we can.
   And now that big sections of SourceForge run on python, using
packages from pypi, we've got a vested interest in making sure that
there is a high availability global mirror network for pypi packages.
 Fortunately we've got a network of people who have volunteered to
host open source projects for sourceforge.net.  And at EuroPython
somebody mentioned to me that we could work together to improve pypi
package delivery, which seems obvious in retrospect.

So, here's my proposal, we could mirror any open source packages on
pypi onto the sourceforge.net mirror network.   We can get most of the
data we need from the DOAP feed, and we could get the rest from
crawling the site, though it would be great if we could add an api for
getting the files for a project and perhaps a bit more project
metadata from pypi directly.

We can then provide a consistent link structure with a redirector to
the "best" mirror based on geo-ip data and mirror utilization, so that
you can programmatically know how to get packages from our mirror
network.

My goal here is to help increase the robustness and reliability of the
pypi end of our package delivery system, and to help give back to the
python community.

Anyway, I just wanted to raise the idea here and see if there is any
interest in this idea.

--Mark Ramm

From r1chardj0n3s at gmail.com  Wed Aug 26 02:30:18 2009
From: r1chardj0n3s at gmail.com (Richard Jones)
Date: Wed, 26 Aug 2009 10:30:18 +1000
Subject: [Catalog-sig] SourceForge mirroring
In-Reply-To: <56db523f0908251710v314a3b19gdbe06e963acf650c@mail.gmail.com>
References: <56db523f0908251710v314a3b19gdbe06e963acf650c@mail.gmail.com>
Message-ID: <0EF101A9-AFCB-4005-AE70-165B2F3B337E@gmail.com>

On 26/08/2009, at 10:10 AM, Mark Ramm-christensen wrote:
>   And now that big sections of SourceForge run on python, using
> packages from pypi, we've got a vested interest in making sure that
> there is a high availability global mirror network for pypi packages.

I'm all for high availability of PyPI. Fortunately the current hosting  
runs pretty reliably, but we've already realised that some people are  
expecting it to be available 100%. This can really only be achieved  
through mirroring. Of course there's other benefits to mirroring (as  
someone living on "the wrong side of the Pacific" I can vouch for the  
coolness of having local Sourceforge mirroring).

There's a bunch of PyPI mirroring efforts already; "pypi mirror" in  
Google shows up some.


      Richard


From martin at v.loewis.de  Wed Aug 26 08:12:28 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Wed, 26 Aug 2009 08:12:28 +0200
Subject: [Catalog-sig] SourceForge mirroring
In-Reply-To: <56db523f0908251710v314a3b19gdbe06e963acf650c@mail.gmail.com>
References: <56db523f0908251710v314a3b19gdbe06e963acf650c@mail.gmail.com>
Message-ID: <4A94D24C.1020504@v.loewis.de>

> So, here's my proposal, we could mirror any open source packages on
> pypi onto the sourceforge.net mirror network.   We can get most of the
> data we need from the DOAP feed, and we could get the rest from
> crawling the site, though it would be great if we could add an api for
> getting the files for a project and perhaps a bit more project
> metadata from pypi directly.

I think the APIs are all there already. Please take a look at PEP 381;
this is the protocol that PyPI mirrors should follow.

Please don't consider crawling the site - there are much better ways
to get the data.

Regards,
Martin

P.S. Please don't take that as an offense: SourceForge is not on
the record for having a reliable and performant infrastructure. So
if a mirror on SF would look like the current sf.net and its download
facility, I'm skeptical that users would want to use it.

From ziade.tarek at gmail.com  Wed Aug 26 08:13:20 2009
From: ziade.tarek at gmail.com (Tarek Ziadé)
Date: Wed, 26 Aug 2009 08:13:20 +0200
Subject: [Catalog-sig] SourceForge mirroring
In-Reply-To: <0EF101A9-AFCB-4005-AE70-165B2F3B337E@gmail.com>
References: <56db523f0908251710v314a3b19gdbe06e963acf650c@mail.gmail.com>
	<0EF101A9-AFCB-4005-AE70-165B2F3B337E@gmail.com>
Message-ID: <94bdd2610908252313l6387f211yd581adf1b491fbd0@mail.gmail.com>

On Wed, Aug 26, 2009 at 2:30 AM, Richard Jones<r1chardj0n3s at gmail.com> wrote:
> On 26/08/2009, at 10:10 AM, Mark Ramm-christensen wrote:
>>
>> And now that big sections of SourceForge run on python, using
>> packages from pypi, we've got a vested interest in making sure that
>> there is a high availability global mirror network for pypi packages.
>
> I'm all for high availability of PyPI. Fortunately the current hosting runs
> pretty reliably, but we've already realised that some people are expecting
> it to be available 100%. This can really only be achieved through mirroring.
> Of course there's other benefits to mirroring (as someone living on "the
> wrong side of the Pacific" I can vouch for the coolness of having local
> Sourceforge mirroring).
>
> There's a bunch of PyPI mirroring efforts already; "pypi mirror" in Google
> shows up some.

I've been working for this in PEP 381 - http://www.python.org/dev/peps/pep-0381/
And we started the implementation in PyPI code with MvL during the last Pycon,

It's not far from ready, but I had other topics to finish. But if
there's interest we can finish its implementation, so sourceforge
could be one of those mirrors.

-- 
Tarek Ziadé | http://ziade.org

From martin at v.loewis.de  Sat Aug 29 14:41:58 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sat, 29 Aug 2009 14:41:58 +0200
Subject: [Catalog-sig] OpenID
Message-ID: <4A992216.5070600@v.loewis.de>

I have been looking into providing OpenID login to PyPI.
I came up with the following list of requirements for an acceptable
provider:
- must support OpenID 2.0 and directed identity
- must provide at least a verified email (better also either fullname
  or nickname), through either AX or SREG
- must provide direct service requests over https

Does anybody know OpenID providers meeting these requirements, except
for Google?

Regards,
Martin

From lac at openend.se  Sat Aug 29 15:31:34 2009
From: lac at openend.se (Laura Creighton)
Date: Sat, 29 Aug 2009 15:31:34 +0200
Subject: [Catalog-sig] OpenID
In-Reply-To: Message from "Martin v. Löwis"
	<martin@v.loewis.de> 
	of "Sat, 29 Aug 2009 14:41:58 +0200." <4A992216.5070600@v.loewis.de> 
References: <4A992216.5070600@v.loewis.de> 
Message-ID: <200908291331.n7TDVYTM005380@theraft.openend.se>

In a message of Sat, 29 Aug 2009 14:41:58 +0200, "Martin v. Löwis" writes:
>I have been looking into providing OpenID login to PyPI.
>I came up with the following list of requirements for an acceptable
>provider:
>- must support OpenID 2.0 and directed identity
>- must provide at least a verified email (better also either fullname
>  or nickname), through either AX or SREG
>- must provide direct service requests over https
>
>Does anybody know OpenID providers meeting these requirements, except
>for Google?
>
>Regards,
>Martin

I think that http://www.janrain.com/openid does, but I haven't
investigated it.  Simon Willison claimed that it did in a talk he
gave at PyCON UK.  (Or at least that was the understanding I
took from attending the talk.)

Laura

From martin at v.loewis.de  Sat Aug 29 16:58:25 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sat, 29 Aug 2009 16:58:25 +0200
Subject: [Catalog-sig] OpenID
In-Reply-To: <200908291331.n7TDVYTM005380@theraft.openend.se>
References: <4A992216.5070600@v.loewis.de>
	<200908291331.n7TDVYTM005380@theraft.openend.se>
Message-ID: <4A994211.7030802@v.loewis.de>

> I think that http://www.janrain.com/openid does, but I haven't
> investigated it.  Simon Willison claimed that it did in a talk he
> gave at PyCON UK.  (Or at least that was the understanding I
> took from attending the talk.)

Thanks a lot. IIUC, that's myOpenID. I just tried myOpenID, and it
provides SREG data optionally (at the user's choice).
So I'll need to deal with the case that no data were provided.

Regards,
Martin

From gary.poster at gmail.com  Sat Aug 29 18:15:55 2009
From: gary.poster at gmail.com (Gary Poster)
Date: Sat, 29 Aug 2009 12:15:55 -0400
Subject: [Catalog-sig] OpenID
In-Reply-To: <4A992216.5070600@v.loewis.de>
References: <4A992216.5070600@v.loewis.de>
Message-ID: <AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>


On Aug 29, 2009, at 8:41 AM, Martin v. Löwis wrote:

> I have been looking into providing OpenID login to PyPI.
> I came up with the following list of requirements for an acceptable
> provider:
> - must support OpenID 2.0 and directed identity
> - must provide at least a verified email (better also either fullname
>  or nickname), through either AX or SREG
> - must provide direct service requests over https
>
> Does anybody know OpenID providers meeting these requirements, except
> for Google?

Launchpad may meet these, or come close to them.  I'll ask someone to  
verify.

Gary

From martin at v.loewis.de  Sat Aug 29 18:22:36 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sat, 29 Aug 2009 18:22:36 +0200
Subject: [Catalog-sig] OpenID
In-Reply-To: <AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>
References: <4A992216.5070600@v.loewis.de>
	<AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>
Message-ID: <4A9955CC.1070807@v.loewis.de>

>> I have been looking into providing OpenID login to PyPI.
>> I came up with the following list of requirements for an acceptable
>> provider:
>> - must support OpenID 2.0 and directed identity
>> - must provide at least a verified email (better also either fullname
>>  or nickname), through either AX or SREG
>> - must provide direct service requests over https
>>
>> Does anybody know OpenID providers meeting these requirements, except
>> for Google?
> 
> Launchpad may meet these, or come close to them.  I'll ask someone to
> verify.

The question is then what Launchpad's OP ID is. It's not
http://launchpad.net (AFAICT)

Regards,
Martin

From gary.poster at gmail.com  Sat Aug 29 18:30:54 2009
From: gary.poster at gmail.com (Gary Poster)
Date: Sat, 29 Aug 2009 12:30:54 -0400
Subject: [Catalog-sig] OpenID
In-Reply-To: <4A9955CC.1070807@v.loewis.de>
References: <4A992216.5070600@v.loewis.de>
	<AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>
	<4A9955CC.1070807@v.loewis.de>
Message-ID: <223AC5A8-892D-4C32-9985-8B51D3848D59@gmail.com>


On Aug 29, 2009, at 12:22 PM, Martin v. Löwis wrote:

>>> I have been looking into providing OpenID login to PyPI.
>>> I came up with the following list of requirements for an acceptable
>>> provider:
>>> - must support OpenID 2.0 and directed identity
>>> - must provide at least a verified email (better also either  
>>> fullname
>>> or nickname), through either AX or SREG
>>> - must provide direct service requests over https
>>>
>>> Does anybody know OpenID providers meeting these requirements,  
>>> except
>>> for Google?
>>
>> Launchpad may meet these, or come close to them.  I'll ask someone to
>> verify.
>
> The question is then what Launchpad's OP ID is. It's not
> http://launchpad.net (AFAICT)

I'm afraid I don't understand the question, but that may be because  
I'm on the periphery of our support.

This page is very simple, but might answer some questions:
https://help.launchpad.net/YourAccount/OpenID .

For example, my Launchpad openid is https://launchpad.net/~gary .

If this doesn't help, let me know, and I'll pass the question along to  
someone more knowledgeable.

Gary


From martin at v.loewis.de  Sat Aug 29 19:49:26 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sat, 29 Aug 2009 19:49:26 +0200
Subject: [Catalog-sig] OpenID
In-Reply-To: <223AC5A8-892D-4C32-9985-8B51D3848D59@gmail.com>
References: <4A992216.5070600@v.loewis.de>
	<AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>
	<4A9955CC.1070807@v.loewis.de>
	<223AC5A8-892D-4C32-9985-8B51D3848D59@gmail.com>
Message-ID: <4A996A26.6070802@v.loewis.de>

> I'm afraid I don't understand the question, but that may be because I'm
> on the periphery of our support.
> 
> This page is very simple, but might answer some questions:
> https://help.launchpad.net/YourAccount/OpenID .
> 
> For example, my Launchpad openid is https://launchpad.net/~gary .
> 
> If this doesn't help, let me know, and I'll pass the question along to
> someone more knowledgeable.

That's the OpenID 1 view of the world. In the OpenID 2 world, you don't
need to know your OpenID - you just need to know you have a Launchpad ID.

When asked in an OpenID login box, you *don't* enter
"https://launchpad.net/~gary" anymore. Instead, you just enter
"https://launchpad.net" (or click on the Launchpad icon). The OpenID
machinery will then steer you through the login process. You may have
to confirm that you want to login into PyPI (*), but you won't have to
tell anywhere explicitly that you are gary - assuming you had logged
into Launchpad before.

This much improved user experience is the key feature of OpenID 2.0.

Regards,
Martin

(*) if you had confirmed this before, you may get logged in
immediately after clicking the Launchpad icon.

From gary.poster at gmail.com  Sat Aug 29 20:04:14 2009
From: gary.poster at gmail.com (Gary Poster)
Date: Sat, 29 Aug 2009 14:04:14 -0400
Subject: [Catalog-sig] OpenID
In-Reply-To: <4A996A26.6070802@v.loewis.de>
References: <4A992216.5070600@v.loewis.de>
	<AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>
	<4A9955CC.1070807@v.loewis.de>
	<223AC5A8-892D-4C32-9985-8B51D3848D59@gmail.com>
	<4A996A26.6070802@v.loewis.de>
Message-ID: <31E67B16-8266-4020-A7DB-8C4FA8D8B7ED@gmail.com>


On Aug 29, 2009, at 1:49 PM, Martin v. Löwis wrote:

>> I'm afraid I don't understand the question, but that may be because  
>> I'm
>> on the periphery of our support.
>>
>> This page is very simple, but might answer some questions:
>> https://help.launchpad.net/YourAccount/OpenID .
>>
>> For example, my Launchpad openid is https://launchpad.net/~gary .
>>
>> If this doesn't help, let me know, and I'll pass the question along  
>> to
>> someone more knowledgeable.
>
> That's the OpenID 1 view of the world. In the OpenID 2 world, you  
> don't
> need to know your OpenID - you just need to know you have a  
> Launchpad ID.
>
> When asked in an OpenID login box, you *don't* enter
> "https://launchpad.net/~gary" anymore. Instead, you just enter
> "https://launchpad.net" (or click on the Launchpad icon). The OpenID
> machinery will then steer you through the login process. You may have
> to confirm that you want to login into PyPI (*), but you won't have to
> tell anywhere explicitly that you are gary - assuming you had logged
> into Launchpad before.
>
> This much improved user experience is the key feature of OpenID 2.0.
>
> Regards,
> Martin
>
> (*) if you had confirmed this before, you may get logged in
> immediately after clicking the Launchpad icon.

Ah gotcha.  Thank you very much for the explanation.

If you encounter any problems with using Launchpad for this, I would  
appreciate it if you let me know.  There's a reasonable chance I'd be  
able to help arrange a resolution.

Gary

From martin at v.loewis.de  Sat Aug 29 20:45:28 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sat, 29 Aug 2009 20:45:28 +0200
Subject: [Catalog-sig] OpenID
In-Reply-To: <31E67B16-8266-4020-A7DB-8C4FA8D8B7ED@gmail.com>
References: <4A992216.5070600@v.loewis.de>
	<AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>
	<4A9955CC.1070807@v.loewis.de>
	<223AC5A8-892D-4C32-9985-8B51D3848D59@gmail.com>
	<4A996A26.6070802@v.loewis.de>
	<31E67B16-8266-4020-A7DB-8C4FA8D8B7ED@gmail.com>
Message-ID: <4A997748.9000206@v.loewis.de>

>> When asked in an OpenID login box, you *don't* enter
>> "https://launchpad.net/~gary" anymore. Instead, you just enter
>> "https://launchpad.net" (or click on the Launchpad icon). The OpenID
>> machinery will then steer you through the login process. You may have
>> to confirm that you want to login into PyPI (*), but you won't have to
>> tell anywhere explicitly that you are gary - assuming you had logged
>> into Launchpad before.
>>
>> This much improved user experience is the key feature of OpenID 2.0.
>>
>> Regards,
>> Martin
>>
>> (*) if you had confirmed this before, you may get logged in
>> immediately after clicking the Launchpad icon.
> 
> Ah gotcha.  Thank you very much for the explanation.
> 
> If you encounter any problems with using Launchpad for this, I would
> appreciate it if you let me know.  There's a reasonable chance I'd be
> able to help arrange a resolution.

As I said before: yes, I did encounter problems - it isn't supported
at all, AFAICT. The reference https://launchpad.net was theoretical -
launchpad doesn't appear to support OpenID 2.0.

Regards,
Martin

From gary.poster at gmail.com  Sun Aug 30 00:34:15 2009
From: gary.poster at gmail.com (Gary Poster)
Date: Sat, 29 Aug 2009 18:34:15 -0400
Subject: [Catalog-sig] OpenID
In-Reply-To: <4A997748.9000206@v.loewis.de>
References: <4A992216.5070600@v.loewis.de>
	<AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>
	<4A9955CC.1070807@v.loewis.de>
	<223AC5A8-892D-4C32-9985-8B51D3848D59@gmail.com>
	<4A996A26.6070802@v.loewis.de>
	<31E67B16-8266-4020-A7DB-8C4FA8D8B7ED@gmail.com>
	<4A997748.9000206@v.loewis.de>
Message-ID: <3C7C0077-227B-4C8B-9464-777D761E6C4B@gmail.com>


On Aug 29, 2009, at 2:45 PM, Martin v. Löwis wrote:

>>> When asked in an OpenID login box, you *don't* enter
>>> "https://launchpad.net/~gary" anymore. Instead, you just enter
>>> "https://launchpad.net" (or click on the Launchpad icon). The OpenID
>>> machinery will then steer you through the login process. You may  
>>> have
>>> to confirm that you want to login into PyPI (*), but you won't  
>>> have to
>>> tell anywhere explicitly that you are gary - assuming you had logged
>>> into Launchpad before.
>>>
>>> This much improved user experience is the key feature of OpenID 2.0.
>>>
>>> Regards,
>>> Martin
>>>
>>> (*) if you had confirmed this before, you may get logged in
>>> immediately after clicking the Launchpad icon.
>>
>> Ah gotcha.  Thank you very much for the explanation.
>>
>> If you encounter any problems with using Launchpad for this, I would
>> appreciate it if you let me know.  There's a reasonable chance I'd be
>> able to help arrange a resolution.
>
> As I said before: yes, I did encounter problems - it isn't supported
> at all, AFAICT. The reference https://launchpad.net was theoretical -
> launchpad doesn't appear to support OpenID 2.0.

Ah, OK.  Since we claim we do, I expect we care about that.  :-)  I'll  
investigate and report back (probably Monday).

Thanks

Gary


From martin at v.loewis.de  Mon Aug 31 05:05:36 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Mon, 31 Aug 2009 05:05:36 +0200
Subject: [Catalog-sig] OpenID on PyPI
Message-ID: <4A9B3E00.1020402@v.loewis.de>

PyPI users can now login with OpenID. For existing accounts, you can
associate (claim) an OpenID on Your details page; new users can create
an account by just trying to login.

Regards,
Martin

From fdrake at gmail.com  Mon Aug 31 05:22:06 2009
From: fdrake at gmail.com (Fred Drake)
Date: Sun, 30 Aug 2009 23:22:06 -0400
Subject: [Catalog-sig] OpenID on PyPI
In-Reply-To: <4A9B3E00.1020402@v.loewis.de>
References: <4A9B3E00.1020402@v.loewis.de>
Message-ID: <9cee7ab80908302022r5fd742b0u877d5151e6d5fa16@mail.gmail.com>

On Sun, Aug 30, 2009 at 11:05 PM, "Martin v. Löwis"<martin at v.loewis.de> wrote:
> PyPI users can now login with OpenID. For existing accounts, you can
> associate (claim) an OpenID on Your details page; new users can create
> an account by just trying to login.

This is very cool, Martin.  Thanks!


  -Fred

-- 
Fred L. Drake, Jr.    <fdrake at gmail.com>
"Chaos is the score upon which reality is written." --Henry Miller

From michael at d2m.at  Mon Aug 31 07:48:18 2009
From: michael at d2m.at (Michael Haubenwallner)
Date: Mon, 31 Aug 2009 07:48:18 +0200
Subject: [Catalog-sig] OpenID on PyPI
In-Reply-To: <4A9B3E00.1020402@v.loewis.de>
References: <4A9B3E00.1020402@v.loewis.de>
Message-ID: <4A9B6422.40304@d2m.at>

Martin v. Löwis wrote:
> PyPI users can now login with OpenID. For existing accounts, you can
> associate (claim) an OpenID on Your details page; new users can create
> an account by just trying to login.
> 

I hope I am wrong, but it looks like you take the OpenID userid and
associate it with existing PyPI user accounts.
I tried to login with my myOpenID account, got an error message stating
that the provider did not send an email address, then logged in the old
way (HTTP BasicAuth) and found the myOpenID account associated with my
account.

I found no way to remove the existing association, and there is also no
way to associate another account (e.g. I want to use both Google and
OpenID to login to PyPI).

HTH to debug the problem
Michael

-- 
http://blog.d2m.at
http://planetzope.org



From lac at openend.se  Mon Aug 31 08:53:02 2009
From: lac at openend.se (Laura Creighton)
Date: Mon, 31 Aug 2009 08:53:02 +0200
Subject: [Catalog-sig] OpenID on PyPI
In-Reply-To: Message from Fred Drake <fdrake@gmail.com> of "Sun,
	30 Aug 2009 23:22:06 EDT."
	<9cee7ab80908302022r5fd742b0u877d5151e6d5fa16@mail.gmail.com> 
References: <4A9B3E00.1020402@v.loewis.de>
	<9cee7ab80908302022r5fd742b0u877d5151e6d5fa16@mail.gmail.com> 
Message-ID: <200908310653.n7V6r28w032276@theraft.openend.se>

In a message of Sun, 30 Aug 2009 23:22:06 EDT, Fred Drake writes:
>On Sun, Aug 30, 2009 at 11:05 PM, "Martin v. Löwis"<martin at v.loewis.de> wrote:
>> PyPI users can now login with OpenID. For existing accounts, you can
>> associate (claim) an OpenID on Your details page; new users can create
>> an account by just trying to login.
>
>This is very cool, Martin.  Thanks!
>
>
>  -Fred

Yes, thank you.  Would it be a good idea to integrate this with 
'how to log into the python.org wiki?'

Laura

From martin at v.loewis.de  Mon Aug 31 10:09:26 2009
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Mon, 31 Aug 2009 10:09:26 +0200
Subject: [Catalog-sig] OpenID on PyPI
In-Reply-To: <200908310653.n7V6r28w032276@theraft.openend.se>
References: <4A9B3E00.1020402@v.loewis.de>	<9cee7ab80908302022r5fd742b0u877d5151e6d5fa16@mail.gmail.com>
	<200908310653.n7V6r28w032276@theraft.openend.se>
Message-ID: <4A9B8536.5070301@v.loewis.de>

> Yes, thank you.  Would it be a good idea to integrate this with 
> 'how to log into the python.org wiki?'

I don't quite understand the question. What is "how to log into the
python.org wiki?" ? If it is a document to read, what is its url?

Regards,
Martin

From lac at openend.se  Mon Aug 31 12:40:45 2009
From: lac at openend.se (Laura Creighton)
Date: Mon, 31 Aug 2009 12:40:45 +0200
Subject: [Catalog-sig] OpenID on PyPI
In-Reply-To: Message from =?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=
	<martin@v.loewis.de> 
	of "Mon, 31 Aug 2009 10:09:26 +0200." <4A9B8536.5070301@v.loewis.de> 
References: <4A9B3E00.1020402@v.loewis.de>
	<9cee7ab80908302022r5fd742b0u877d5151e6d5fa16@mail.gmail.com>
	<200908310653.n7V6r28w032276@theraft.openend.se>
	<4A9B8536.5070301@v.loewis.de> 
Message-ID: <200908311040.n7VAejVI022068@theraft.openend.se>

In a message of Mon, 31 Aug 2009 10:09:26 +0200, "Martin v. Löwis" writes:
>> Yes, thank you.  Would it be a good idea to integrate this with 
>> 'how to log into the python.org wiki?'
>
>I don't quite understand the question. What is "how to log into the
>python.org wiki?" ? If it is a document to read, what is its url?
>
>Regards,
>Martin

I thought it would be neat if when you wanted to log into
http://wiki.python.org/moin/

you could use your MyOpenID

instead of being directed here
http://wiki.python.org/moin/FrontPage?action=login

Laura


From chris at simplistix.co.uk  Mon Aug 31 14:09:34 2009
From: chris at simplistix.co.uk (Chris Withers)
Date: Mon, 31 Aug 2009 13:09:34 +0100
Subject: [Catalog-sig] HTML in long description
Message-ID: <4A9BBD7E.1070103@simplistix.co.uk>

Hi All,

Just bumped into this discussion from the opposite end of things ;-)

I was about to come over and explicitly ask *for* html long_descriptions 
since I want to have captioned literal blocks in the long_description 
for a package I'm writing.

The problem is that ReST doesn't support captioned blocks, and so I'll 
probably have to do it as a Sphinx extension or some such.

This then had me worried since I thought PyPI *only* supported ReST.
It would be great to be able to say "my long_description is html" and 
pass a .html file to setup.py.

I think all PyPI would need is the ability to guess that the 
long_description was html (starts with <html> perhaps?) and then extract 
the contents of the <body> tag to use as the long description.

As far as the XSS and spam risks go, people will find ways to abuse ReST 
if it's the only option, just give them time...

cheers,

Chris

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
            - http://www.simplistix.co.uk
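
An added example, not part of the original message and not PyPI's code: one way to do the `<body>` extraction proposed above while addressing the XSS concern, using an allow-list filter built on Python's standard `html.parser`. The tag list, the function names and the sample input are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list policy for this example, not PyPI's actual rules.
ALLOWED_TAGS = {"p", "pre", "code", "em", "strong", "ul", "ol", "li", "a", "h1", "h2"}
URL_ATTRS = {"a": {"href"}}  # the only attributes kept; on*, style, id are dropped
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}
SAMPLE = ('<html><body onload="x()"><p onclick="y()">See <a href="javascript:z()">docs</a>'
          '<script>steal()</script> at <a href="https://example.org/">home</a></p></body></html>')  # constructed

def safe_url(value):
    try:  # relative URLs have no scheme and are rejected as well
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class BodySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_body, self.skip = [], False, 0

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif self.in_body and not self.skip and tag in ALLOWED_TAGS:
            kept = "".join(f' {n}="{escape(v.strip(), quote=True)}"' for n, v in attrs
                           if n in URL_ATTRS.get(tag, ()) and v and safe_url(v))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag == "body":
            self.in_body = False
        elif tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif self.in_body and not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.in_body and not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_long_description(html_text):
    parser = BodySanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Text is re-escaped on output and unknown tags are dropped while their text is kept, so the result contains only markup the filter itself wrote.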

From chris at simplistix.co.uk  Mon Aug 31 14:11:39 2009
From: chris at simplistix.co.uk (Chris Withers)
Date: Mon, 31 Aug 2009 13:11:39 +0100
Subject: [Catalog-sig] HTML in long description
Message-ID: <4A9BBDFB.8040201@simplistix.co.uk>

Tarek wrote:
>> That could be done, either way, IMO. It might also be useful to have a
>> distutils command that generates a pypi-like page, so that people can
>> preview the rendered description.
> 
> yes that's basically :
> 
> $ python setup.py --long-description | rst2html.py > preview.html

I find the following gives better results:

# bin/buildout -q setup setup.py --long-description | rst2html.py --link-stylesheet --stylesheet=http://www.python.org/styles/styles.css > dist/desc.html

I just wish it didn't rely on rst2html being globally available...

cheers,

Chris

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
            - http://www.simplistix.co.uk

From gary.poster at gmail.com  Mon Aug 31 16:08:16 2009
From: gary.poster at gmail.com (Gary Poster)
Date: Mon, 31 Aug 2009 10:08:16 -0400
Subject: [Catalog-sig] OpenID
In-Reply-To: <4A997748.9000206@v.loewis.de>
References: <4A992216.5070600@v.loewis.de>
	<AE0DA5B8-B238-4D72-8037-4ABC894DC2F7@gmail.com>
	<4A9955CC.1070807@v.loewis.de>
	<223AC5A8-892D-4C32-9985-8B51D3848D59@gmail.com>
	<4A996A26.6070802@v.loewis.de>
	<31E67B16-8266-4020-A7DB-8C4FA8D8B7ED@gmail.com>
	<4A997748.9000206@v.loewis.de>
Message-ID: <15BF10F3-FF65-4085-8B2A-A71C283353C2@gmail.com>


On Aug 29, 2009, at 2:45 PM, Martin v. Löwis wrote:

>>> When asked in an OpenID login box, you *don't* enter
>>> "https://launchpad.net/~gary" anymore. Instead, you just enter
>>> "https://launchpad.net" (or click on the Launchpad icon). The OpenID
>>> machinery will then steer you through the login process. You may  
>>> have
>>> to confirm that you want to login into PyPI (*), but you won't  
>>> have to
>>> tell anywhere explicitly that you are gary - assuming you had logged
>>> into Launchpad before.
>>>
>>> This much improved user experience is the key feature of OpenID 2.0.
>>>
>>> Regards,
>>> Martin
>>>
>>> (*) if you had confirmed this before, you may get logged in
>>> immediately after clicking the Launchpad icon.
>>
>> Ah gotcha.  Thank you very much for the explanation.
>>
>> If you encounter any problems with using Launchpad for this, I would
>> appreciate it if you let me know.  There's a reasonable chance I'd be
>> able to help arrange a resolution.
>
> As I said before: yes, I did encounter problems - it isn't supported
> at all, AFAICT. The reference https://launchpad.net was theoretical -
> launchpad doesn't appear to support OpenID 2.0.

Hi Martin.  Very cool that you added the OpenID support to PyPI.   
Thank you for this and your other PyPI work.

I have the information for Launchpad's OpenID support.  We do in fact  
support OpenID 2.0.  The address to use is  
https://login.launchpad.net/ .  We also meet your other requirements.

Launchpad currently only supports SREG. We do send the nickname by  
default to any RP. We would need to add a RP record for PyPI and allow  
it to receive email and fullname.  If you can let me know the  
trust_root that you would be using for that, we can set it up.

I'll create a SourceForge bug for this now.  Thanks.

Gary
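
An added example, not part of the original message and not PyPI's or Launchpad's code: the OpenID 2.0 directed-identity request with an SREG extension as discussed in this thread, plus the relying-party check that the required email arrived among the signed fields. The endpoint, realm and return URL are placeholders, and signature verification is assumed to have happened before `signed_sreg` is called.

```python
from urllib.parse import urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
SREG_NS = "http://openid.net/extensions/sreg/1.1"

# Constructed provider response (placeholder values); email is present but unsigned.
SAMPLE_RESPONSE = {
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,sreg.nickname",
    "openid.sreg.nickname": "gary",
    "openid.sreg.email": "unsigned@rp.example",
}

def build_auth_request(op_endpoint, realm, return_to,
                       required=("email",), optional=("fullname", "nickname")):
    """Directed-identity request: the user names only the provider, the
    provider chooses the identity and is asked for SREG attributes."""
    r, t = urlsplit(realm), urlsplit(return_to)
    # Simplified realm check (no wildcard realms): return_to must sit under it.
    if (r.scheme, r.netloc) != (t.scheme, t.netloc) or not t.path.startswith(r.path):
        raise ValueError("return_to is outside the realm (trust_root)")
    return op_endpoint + "?" + urlencode({
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.required": ",".join(required),
        "openid.sreg.optional": ",".join(optional),
    })

def signed_sreg(response, required=("email",)):
    """Return the SREG values listed in openid.signed. Call this only after the
    response signature has been verified; that step is outside this example."""
    signed = set(response.get("openid.signed", "").split(","))
    prefix = "openid.sreg."
    values = {k[len(prefix):]: v for k, v in response.items()
              if k.startswith(prefix) and "sreg." + k[len(prefix):] in signed}
    missing = [f for f in required if not values.get(f)]
    if missing:
        raise LookupError("provider did not send signed SREG: " + ", ".join(missing))
    return values
```

Refusing to create or link an account when `signed_sreg` raises keeps an unsigned or absent email from ever being attached to a local user.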



From gary.poster at canonical.com  Mon Aug 31 15:56:01 2009
From: gary.poster at canonical.com (Gary Poster)
Date: Mon, 31 Aug 2009 09:56:01 -0400
Subject: [Catalog-sig] PyPI permissions are broken: cannot manage packages I
	own
Message-ID: <70F393D3-86A3-4064-AF8B-806BC084BDA4@canonical.com>

Trying to manage package details for packages I own is broken.  I  
tried with an old-style non-OpenID login and then linked my Google  
OpenID and it failed again in the same way.

More concretely, I log in; click on a link for one of the packages on  
the right, for which I have privileges, such as  
http://pypi.python.org/pypi?%3Aaction=pkg_edit&name=lazr.uri ; and get  
the following.

Forbidden

You are not allowed to edit 'lazr.uri' package information

I'm currently going through the dance to be able to create a bug  
report on sourceforge, but meanwhile I wanted to report here.

Gary

From martin at v.loewis.de  Mon Aug 31 22:09:09 2009
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Mon, 31 Aug 2009 22:09:09 +0200
Subject: [Catalog-sig] OpenID on PyPI
In-Reply-To: <200908311040.n7VAejVI022068@theraft.openend.se>
References: <4A9B3E00.1020402@v.loewis.de>
	<9cee7ab80908302022r5fd742b0u877d5151e6d5fa16@mail.gmail.com>
	<200908310653.n7V6r28w032276@theraft.openend.se>
	<4A9B8536.5070301@v.loewis.de>
	<200908311040.n7VAejVI022068@theraft.openend.se>
Message-ID: <4A9C2DE5.3020809@v.loewis.de>

> I thought it would be neat if when you wanted to log into
> http://wiki.python.org/moin/
> 
> you could use your MyOpenID
> 
> instead of being directed here
> http://wiki.python.org/moin/FrontPage?action=login

Ah, ok. This is indeed on my agenda, but it may take a few months
until I get to it (same for the bug tracker).

Regards,
Martin

From lac at openend.se  Mon Aug 31 22:13:36 2009
From: lac at openend.se (Laura Creighton)
Date: Mon, 31 Aug 2009 22:13:36 +0200
Subject: [Catalog-sig] OpenID on PyPI
In-Reply-To: Message from =?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=
	<martin@v.loewis.de> 
	of "Mon, 31 Aug 2009 22:09:09 +0200." <4A9C2DE5.3020809@v.loewis.de> 
References: <4A9B3E00.1020402@v.loewis.de>
	<9cee7ab80908302022r5fd742b0u877d5151e6d5fa16@mail.gmail.com>
	<200908310653.n7V6r28w032276@theraft.openend.se>
	<4A9B8536.5070301@v.loewis.de>
	<200908311040.n7VAejVI022068@theraft.openend.se>
	<4A9C2DE5.3020809@v.loewis.de> 
Message-ID: <200908312013.n7VKDa9P026857@theraft.openend.se>

In a message of Mon, 31 Aug 2009 22:09:09 +0200, "Martin v. Löwis" writes:
>> I thought it would be neat if when you wanted to log into
>> http://wiki.python.org/moin/
>> 
>> you could use your MyOpenID
>> 
>> instead of being directed here
>> http://wiki.python.org/moin/FrontPage?action=login
>
>Ah, ok. This is indeed on my agenda, but it may take a few months
>until I get to it (same for the bug tracker).

grin -- that would be my next request.  And then mailman.

Thank you Martin,
Laura

>Regards,
>Martin

From gary.poster at canonical.com  Mon Aug 31 23:26:56 2009
From: gary.poster at canonical.com (Gary Poster)
Date: Mon, 31 Aug 2009 17:26:56 -0400
Subject: [Catalog-sig] PyPI permissions are broken: cannot manage
	packages I own
In-Reply-To: <70F393D3-86A3-4064-AF8B-806BC084BDA4@canonical.com>
References: <70F393D3-86A3-4064-AF8B-806BC084BDA4@canonical.com>
Message-ID: <568631B5-A48B-4213-A683-C0505C2F70C2@canonical.com>


On Aug 31, 2009, at 9:56 AM, Gary Poster wrote:

> Trying to manage package details for packages I own is broken.  I  
> tried with an old-style non-OpenID login and then linked my Google  
> OpenID and it failed again in the same way.
>
> More concretely, I log in; click on a link for one of the packages  
> on the right, for which I have privileges, such as  
> http://pypi.python.org/pypi?%3Aaction=pkg_edit&name=lazr.uri ; and get  
> the following.
>
> Forbidden
>
> You are not allowed to edit 'lazr.uri' package information
>
> I'm currently going through the dance to be able to create a bug  
> report on sourceforge, but meanwhile I wanted to report here.

Martin, Sourceforge's tracker did not allow me to add another comment  
to confirm that everything worked after I cleared my PyPI cookies  
there, so here I am.  It works now.  Thanks!

Gary