From martin at v.loewis.de Thu Feb 4 22:35:13 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Thu, 04 Feb 2010 22:35:13 +0100 Subject: [Catalog-sig] PyPI and PEP 381 In-Reply-To: References: <4B4B80E2.60804@simplistix.co.uk> <4B54D90F.7020901@v.loewis.de> <9E8EAF43-DFF2-4FB3-A1B4-D23547942C71@leidel.info> <4B54DEAB.5010600@v.loewis.de> <4B54E9AF.4020105@v.loewis.de> <4B54F1E1.6050400@v.loewis.de> <951a972618365a1aafdad0615895f0e9@preisshare.net> <4B5517CD.2050406@v.loewis.de> <4B551D7E.50806@v.loewis.de> Message-ID: <4B6B3D91.5090806@v.loewis.de> > I can test it on the receiving end; I'm working on packaging up my > pymetamirror package and putting the results on S3. > > It'd be cool to have it get notifications of what to download instead > of doing a date based pull as is the current setup. Did you have a chance to test the pubsubhubbub notifications? Does it work for you? Regards, Martin From justin at justinlilly.com Fri Feb 5 14:52:15 2010 From: justin at justinlilly.com (Justin Lilly) Date: Fri, 5 Feb 2010 08:52:15 -0500 Subject: [Catalog-sig] PyPi & PSHB Message-ID: Hey guys. I coded up a quick pubsubhubbub client last night which will consume the feed that pypi puts out. Below is the script I used to test things out[0]. To trigger an action, I re-registered a previously registered package. The subscribe function should work, but I did things manually through the PSHB interface[1]. I think the RSS format works fairly well. My only suggestion might be to change the RSS feed link to the actual PSHB url. ie: http://pypi.python.org/pypi?:action=lasthour If you have questions about it, let me know :) -justin [0]: http://dpaste.de/9zOP/ [1]: https://pubsubhubbub.appspot.com/subscribe -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssteinerx at gmail.com Fri Feb 5 15:30:33 2010 From: ssteinerx at gmail.com (ssteinerX@gmail.com) Date: Fri, 5 Feb 2010 09:30:33 -0500 Subject: [Catalog-sig] PyPI and PEP 381 In-Reply-To: <4B6B3D91.5090806@v.loewis.de> References: <4B4B80E2.60804@simplistix.co.uk> <4B54D90F.7020901@v.loewis.de> <9E8EAF43-DFF2-4FB3-A1B4-D23547942C71@leidel.info> <4B54DEAB.5010600@v.loewis.de> <4B54E9AF.4020105@v.loewis.de> <4B54F1E1.6050400@v.loewis.de> <951a972618365a1aafdad0615895f0e9@preisshare.net> <4B5517CD.2050406@v.loewis.de> <4B551D7E.50806@v.loewis.de> <4B6B3D91.5090806@v.loewis.de> Message-ID: <3E305C7A-C0AB-44B3-8B71-3349E7C06A24@gmail.com> On Feb 4, 2010, at 4:35 PM, Martin v. L?wis wrote: >> I can test it on the receiving end; I'm working on packaging up my >> pymetamirror package and putting the results on S3. >> >> It'd be cool to have it get notifications of what to download instead >> of doing a date based pull as is the current setup. > > Did you have a chance to test the pubsubhubbub notifications? > Does it work for you? I wrote a little harness and it seemed to work, but I've yet to start the actual server that could watch it continuously. I'm hoping to get the time to publish the whole thing this weekend. Were you ever able to look at the logs on the XML-RPC error I sent to the list a couple of weeks ago? Thanks, Steve From dattam at umich.edu Mon Feb 8 16:08:59 2010 From: dattam at umich.edu (Dattatreya Mellacheruvu) Date: Mon, 08 Feb 2010 10:08:59 -0500 Subject: [Catalog-sig] Graphical(and/or Dynamic) Simulations in Python Message-ID: <6bb02ad3eacc8b2f5d83da911e30ec0f@umich.edu> Hi, I want to simulate the dynamics of a particle in a force field. One of the applications of this module would be to use it to demonstrate how different mass spectrometers work. Is there is a python package that lets me do this kind of simulations (and dynamic simulations in general, like fluid dynamics simulations, network traffic simulations, etc.)? I need to see the output more like what i see if I used a Java Applet. Thanks in Advance! Dattatreya. Grad Student, UofM. -------------- next part -------------- An HTML attachment was scrubbed... URL: From doug.hellmann at gmail.com Mon Feb 8 16:44:49 2010 From: doug.hellmann at gmail.com (Doug Hellmann) Date: Mon, 8 Feb 2010 10:44:49 -0500 Subject: [Catalog-sig] Graphical(and/or Dynamic) Simulations in Python In-Reply-To: <6bb02ad3eacc8b2f5d83da911e30ec0f@umich.edu> References: <6bb02ad3eacc8b2f5d83da911e30ec0f@umich.edu> Message-ID: The catalog-sig list is intended for discussion of the development and management of the catalog itself, not its contents. You might get more help on the general python list (http://www.python.org/community/lists/ ) or through one of the science-oriented lists related to the SciPy project (http://scipy.org/). Doug On Feb 8, 2010, at 10:08 AM, Dattatreya Mellacheruvu wrote: > Hi, I want to simulate the dynamics of a particle in a force field. > > One of the applications of this module would be to use it to > demonstrate how different mass spectrometers work. > > Is there is a python package that lets me do this kind of > simulations (and dynamic simulations in general, like fluid dynamics > simulations, network traffic simulations, etc.)? > > I need to see the output more like what i see if I used a Java Applet. > > Thanks in Advance! > > Dattatreya. > > Grad Student, UofM. > > _______________________________________________ > Catalog-SIG mailing list > Catalog-SIG at python.org > http://mail.python.org/mailman/listinfo/catalog-sig From martin at v.loewis.de Fri Feb 12 20:47:38 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Fri, 12 Feb 2010 20:47:38 +0100 Subject: [Catalog-sig] pep381client Message-ID: <4B75B05A.8070409@v.loewis.de> I started working on a PEP 381 implementation, at http://bitbucket.org/loewis/pep381client/ A live installation of this can be seen at b.mirrors.pypi.python.org. The major feature still missing in this implementation is the integration of the statistics protocol. Regards, Martin From martin at v.loewis.de Sat Feb 13 18:32:37 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Sat, 13 Feb 2010 18:32:37 +0100 Subject: [Catalog-sig] PEP 381 timestamps Message-ID: <4B76E235.5090609@v.loewis.de> In implementing pep381client, I noticed that the last-modified format is underspecified. It says to use ISO 8601, but that doesn't really say much - many different formats would be possible. I suggest to clarify this as meaning the same format as XML-RPC uses, i.e. "%Y%m%dT%H:%M:%S\n". I also noticed that the naming of the file is slightly confusing: if you don't modify any mirrored content (because the master didn't since the last synchronisation), you are still supposed to modify last-modified (making this file the only one that was actually modified). OTOH, the specification makes it clear that this is the time of the last synchronization, so there is probably no need to change anything here. Regards, Martin From ziade.tarek at gmail.com Sat Feb 13 18:55:39 2010 From: ziade.tarek at gmail.com (=?ISO-8859-1?Q?Tarek_Ziad=E9?=) Date: Sat, 13 Feb 2010 18:55:39 +0100 Subject: [Catalog-sig] PEP 381 timestamps In-Reply-To: <4B76E235.5090609@v.loewis.de> References: <4B76E235.5090609@v.loewis.de> Message-ID: <94bdd2611002130955x7733dc34t48ca0e2471169211@mail.gmail.com> 2010/2/13 "Martin v. L?wis" : > In implementing pep381client, I noticed that the last-modified format is > underspecified. It says to use ISO 8601, but that doesn't really say > much - many different formats would be possible. > > I suggest to clarify this as meaning the same format as XML-RPC uses, > i.e. "%Y%m%dT%H:%M:%S\n". Sounds right. I can put some examples in the PEP > > I also noticed that the naming of the file is slightly confusing: if you > don't modify any mirrored content (because the master didn't since the > last synchronisation), you are still supposed to modify last-modified > (making this file the only one that was actually modified). OTOH, the > specification makes it clear that this is the time of the last > synchronization, so there is probably no need to change anything here. Yes mabye a better name could have been "last-synchronization-date", but I think "last-modified" is ok to keep Regards, Tarek From fdrake at gmail.com Sat Feb 13 22:19:14 2010 From: fdrake at gmail.com (Fred Drake) Date: Sat, 13 Feb 2010 16:19:14 -0500 Subject: [Catalog-sig] PEP 381 timestamps In-Reply-To: <4B76E235.5090609@v.loewis.de> References: <4B76E235.5090609@v.loewis.de> Message-ID: <9cee7ab81002131319s1a8dcb2fre8c51e4b29c411bb@mail.gmail.com> 2010/2/13 "Martin v. L?wis" : > I suggest to clarify this as meaning the same format as XML-RPC uses, > i.e. "%Y%m%dT%H:%M:%S\n". Given the high quality of the XML-RPC spec, I'd suggest never using it as the foundation of anything. I'd also suggest including the timezone for the value, so that it's unambiguous. This could be done by fiat (stating in the spec that times are consistently stored in UTC), or by including the timezone in the stored value. -Fred -- Fred L. Drake, Jr. "Chaos is the score upon which reality is written." --Henry Miller From martin at v.loewis.de Mon Feb 15 09:24:28 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Mon, 15 Feb 2010 09:24:28 +0100 Subject: [Catalog-sig] PyPI and PEP 381 In-Reply-To: <3E305C7A-C0AB-44B3-8B71-3349E7C06A24@gmail.com> References: <4B4B80E2.60804@simplistix.co.uk> <4B54D90F.7020901@v.loewis.de> <9E8EAF43-DFF2-4FB3-A1B4-D23547942C71@leidel.info> <4B54DEAB.5010600@v.loewis.de> <4B54E9AF.4020105@v.loewis.de> <4B54F1E1.6050400@v.loewis.de> <951a972618365a1aafdad0615895f0e9@preisshare.net> <4B5517CD.2050406@v.loewis.de> <4B551D7E.50806@v.loewis.de> <4B6B3D91.5090806@v.loewis.de> <3E305C7A-C0AB-44B3-8B71-3349E7C06A24@gmail.com> Message-ID: <4B7904BC.2040906@v.loewis.de> > Were you ever able to look at the logs on the XML-RPC error I sent to the list a couple of weeks ago? Unfortunately not. If it keeps happening, please submit a bug report. Regards, Martin From martin at v.loewis.de Mon Feb 15 23:13:26 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Mon, 15 Feb 2010 23:13:26 +0100 Subject: [Catalog-sig] pypi-checkins list Message-ID: <4B79C706.9080608@v.loewis.de> For those interested in following pypi-checkins: I have now setup a list at http://mail.python.org/mailman/listinfo/pypi-checkins Regards, Martin From gh at ghaering.de Mon Feb 22 09:47:38 2010 From: gh at ghaering.de (=?ISO-8859-1?Q?Gerhard_H=E4ring?=) Date: Mon, 22 Feb 2010 09:47:38 +0100 Subject: [Catalog-sig] How to remove dead links from PyPI? Message-ID: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com> Hello, I cannot figure out how to modify old releases on PyPI. This page: http://pypi.python.org/simple/pysqlite/ has lots of dead links for older releases of pysqlite (anything pointing to pysqlite.org or initd.org). I'd like to remove these links, so that easy_install and buildout won't take forever before giving up. Any idea how? Or do I need to contact the PyPI maintainers? -- Gerhard From hanno at hannosch.eu Mon Feb 22 10:05:26 2010 From: hanno at hannosch.eu (Hanno Schlichting) Date: Mon, 22 Feb 2010 10:05:26 +0100 Subject: [Catalog-sig] How to remove dead links from PyPI? In-Reply-To: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com> References: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com> Message-ID: <5cae42b21002220105k5296ec17m7a0e3bfab9ea8fdc@mail.gmail.com> Hi. On Mon, Feb 22, 2010 at 9:47 AM, Gerhard H?ring wrote: > I cannot figure out how to modify old releases on PyPI. This page: > > http://pypi.python.org/simple/pysqlite/ > > has lots of dead links for older releases of pysqlite (anything > pointing to pysqlite.org or initd.org). > > I'd like to remove these links, so that easy_install and buildout > won't take forever before giving up. > > Any idea how? Or do I need to contact the PyPI maintainers? You should be able to go to http://pypi.python.org/pypi?:action=pkg_edit&name=pysqlite That page should list all releases. You can then "edit" each of the releases and change the metadata of each release to remove the old URL's. If that doesn't work, I'm out of ideas :) Hanno From martin at v.loewis.de Mon Feb 22 10:08:01 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Mon, 22 Feb 2010 10:08:01 +0100 Subject: [Catalog-sig] How to remove dead links from PyPI? In-Reply-To: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com> References: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com> Message-ID: <4B824971.7030106@v.loewis.de> > I cannot figure out how to modify old releases on PyPI. This page: > > http://pypi.python.org/simple/pysqlite/ > > has lots of dead links for older releases of pysqlite (anything > pointing to pysqlite.org or initd.org). You need to edit or remove the old releases, on their respective edit pages, e.g. http://pypi.python.org/pypi?name=pysqlite&version=2.3.4&:action=submit_form http://pypi.python.org/pypi?%3Aaction=pkg_edit&name=pysqlite If the download for such an old release is no longer available, I recommend to delete the release from PyPI as well. Regards, Martin From gh at ghaering.de Mon Feb 22 09:41:22 2010 From: gh at ghaering.de (=?ISO-8859-1?Q?Gerhard_H=E4ring?=) Date: Mon, 22 Feb 2010 09:41:22 +0100 Subject: [Catalog-sig] How to remove dead links from PyPI? Message-ID: <496f9fbb1002220041w7318325oe0a59168fb25e148@mail.gmail.com> Hello, I cannot figure out how to modify old releases on PyPI. This page: http://pypi.python.org/simple/pysqlite/ has lots of dead links for older releases of pysqlite (anything pointing to pysqlite.org or initd.org). I'd like to remove these links, so that easy_install and buildout won't take forever before giving up. Any idea how? Or do I need to contact the PyPI maintainers? -- Gerhard From wam at wamber.net Tue Feb 23 17:59:00 2010 From: wam at wamber.net (William McVey) Date: Tue, 23 Feb 2010 11:59:00 -0500 Subject: [Catalog-sig] SSL for PyPI Message-ID: Sorry if this is the wrong group (if it is, please redirect me to the proper list), but I'd like suggest that PyPI be available via SSL protection. Obviously, I'd be willing to help with this effort as well. It occurred to me as I was at PyCon 'pip install'ing away that there was a real possibility of man-in-the-middle manipulations of both the content of the packages downloaded as well as the actual resolution of where packages were located (especially over an open public wifi network). I certainly understand that turning off the cleartext PyPI interface is not something that could be considered for a very-long time, but it'd be nice if those individuals who were concerned about the potential for attack had an option to pull PyPI info over a protected channel. And even if people weren't concerned, if it were perhaps the default option in their environment, their security posture could be improved. >From a technology standpoint, it should be straightforward to get an SSL certificate for pypi.python.org, and then configure the web server to provide the exact same content as the exising http://pypi.python.org site. From the client side, I'd suggest an extension/patch to pip (and easy_install) to use the SSL protected version of PyPI when available. Obviously doing certificate validity on the client side would require either python 2.6 or third party packages, but even a warning announcing that the updates/installs were happening over cleartext network would make people aware. -- William From tseaver at palladion.com Tue Feb 23 20:48:41 2010 From: tseaver at palladion.com (Tres Seaver) Date: Tue, 23 Feb 2010 14:48:41 -0500 Subject: [Catalog-sig] SSL for PyPI In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 William McVey wrote: > Sorry if this is the wrong group (if it is, please redirect me to the > proper list), but I'd like suggest that PyPI be available via SSL > protection. Obviously, I'd be willing to help with this effort as > well. It occurred to me as I was at PyCon 'pip install'ing away that > there was a real possibility of man-in-the-middle manipulations of > both the content of the packages downloaded as well as the actual > resolution of where packages were located (especially over an open > public wifi network). I certainly understand that turning off the > cleartext PyPI interface is not something that could be considered for > a very-long time, but it'd be nice if those individuals who were > concerned about the potential for attack had an option to pull PyPI > info over a protected channel. And even if people weren't concerned, > if it were perhaps the default option in their environment, their > security posture could be improved. > >>From a technology standpoint, it should be straightforward to get an > SSL certificate for pypi.python.org, and then configure the web server > to provide the exact same content as the exising > http://pypi.python.org site. From the client side, I'd suggest an > extension/patch to pip (and easy_install) to use the SSL protected > version of PyPI when available. Obviously doing certificate validity > on the client side would require either python 2.6 or third party > packages, but even a warning announcing that the updates/installs were > happening over cleartext network would make people aware. Sounds like a good plan to me: no software development required on the server side, only some very well-understood sysadmin. Clients can catch up once the https:// URLs work. Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tseaver at palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkuEMRIACgkQ+gerLs4ltQ4GnQCbB+ZKbKBFOniB82s2LyNkg2Ad 1XIAoNwAWFfpOzosa7XdvacDuMzGlJ98 =u3hg -----END PGP SIGNATURE----- From m.van.rees at zestsoftware.nl Wed Feb 24 14:36:25 2010 From: m.van.rees at zestsoftware.nl (Maurits van Rees) Date: Wed, 24 Feb 2010 13:36:25 +0000 (UTC) Subject: [Catalog-sig] How to remove dead links from PyPI? References: <496f9fbb1002220041w7318325oe0a59168fb25e148@mail.gmail.com> Message-ID: Gerhard H?ring, on 2010-02-22: > Hello, > > I cannot figure out how to modify old releases on PyPI. This page: > > http://pypi.python.org/simple/pysqlite/ > > has lots of dead links for older releases of pysqlite (anything > pointing to pysqlite.org or initd.org). > > I'd like to remove these links, so that easy_install and buildout > won't take forever before giving up. If you do: bin/buildout -t 5 then buildout will give up on a link after 5 seconds. It is a workaround, but it may be helpful. -- Maurits van Rees | http://maurits.vanrees.org/ Work | http://zestsoftware.nl/ What are you going to create today? From tseaver at palladion.com Wed Feb 24 16:09:59 2010 From: tseaver at palladion.com (Tres Seaver) Date: Wed, 24 Feb 2010 10:09:59 -0500 Subject: [Catalog-sig] SSL for PyPI In-Reply-To: References: Message-ID: <4B854147.5050505@palladion.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 William McVey wrote: > On Tue, Feb 23, 2010 at 2:48 PM, Tres Seaver wrote: >> Sounds like a good plan to me: no software development required on the >> server side, only some very well-understood sysadmin. Clients can catch >> up once the https:// URLs work. > > So I guess this begs the question, "Who is the sysadmin of pypi and > who is authorized to act on the PSF's behalf to order an SSL > certificate?". I think MvL is the sysadmin. I don't know who wears the "authorized representative" hat for the PSF. Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tseaver at palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkuFQUIACgkQ+gerLs4ltQ5GowCdHK2d5By0z4almUgbaa18Zrkf 2NYAoJoyvTBbi5qHFoIz6wBokvfQqp9y =GZDC -----END PGP SIGNATURE----- From martin at v.loewis.de Wed Feb 24 18:53:33 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Wed, 24 Feb 2010 18:53:33 +0100 Subject: [Catalog-sig] SSL for PyPI In-Reply-To: References: Message-ID: <4B85679D.907@v.loewis.de> > Sorry if this is the wrong group (if it is, please redirect me to the > proper list), but I'd like suggest that PyPI be available via SSL > protection. Notice that it already supports SSH access for this very purpose. SSL access could be provided, but would cause an ongoing maintenance issue (requiring regular updates of the server certificate, unless self-signed long-running certificates are used). Regards, Martin From martin at v.loewis.de Wed Feb 24 20:10:45 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Wed, 24 Feb 2010 20:10:45 +0100 Subject: [Catalog-sig] SSL for PyPI In-Reply-To: <4B85679D.907@v.loewis.de> References: <4B85679D.907@v.loewis.de> Message-ID: <4B8579B5.8040604@v.loewis.de> Martin v. L?wis wrote: >> Sorry if this is the wrong group (if it is, please redirect me to the >> proper list), but I'd like suggest that PyPI be available via SSL >> protection. > > Notice that it already supports SSH access for this very purpose. Ah. For that, download tools should use the server signatures protocol, i.e. access (e.g.) http://pypi.python.org/serversig/roundup This will also allow to verify the authenticity of mirrors that follow PEP 381. Download tools should cache the server key (and might also chose to hard-code it). Exact roll-over procedures are not defined yet, but I plan to always sign the next key with the previous one. Regards, Martin From wam at wamber.net Wed Feb 24 19:47:53 2010 From: wam at wamber.net (William McVey) Date: Wed, 24 Feb 2010 13:47:53 -0500 Subject: [Catalog-sig] SSL for PyPI In-Reply-To: <4B85679D.907@v.loewis.de> References: <4B85679D.907@v.loewis.de> Message-ID: On Wed, Feb 24, 2010 at 12:53 PM, "Martin v. L?wis" wrote: > Notice that it already supports SSH access for this very purpose. SSL > access could be provided, but would cause an ongoing maintenance issue > (requiring regular updates of the server certificate, unless self-signed > long-running certificates are used). The general public can't use the ssh interface for package downloads though, can it? SSL would require periodic replacement of server certificates, but this is fairly straightforward to manage as part of the domain renewal process (or as some other related administrative process), and doesn't have to be too onerous. A 5 year cert can be purchased for $141 (through domaindiscover... no guarantee that they have the best price, it's just the one I have bookmarked). I'd be happy to assist in any way you might find useful. -- William