From venkat83 at gmail.com Wed May 5 05:02:35 2010
From: venkat83 at gmail.com (Venkatraman S)
Date: Wed, 5 May 2010 08:32:35 +0530
Subject: [Catalog-sig] Callbacks and Data access
Message-ID:

Hi

I happened to stumble on PypiXMLrpc wiki link and was wondering whether the following can be done or not:

1) Is it possible to get the download statistics on a timeline basis?
2) Can I have some callbacks which tell me when Pypi is updated - as in, when a new package is updated, or an existing package is updated or a new release is launched?
3) Is it possible to get all the data from PyPi in one go? basically get an export?
4) I am not sure whether XMLRPC is the best way to access data - is there some other way?(other than crawling?)

Regards,
Venkat
http://twitter.com/venkasub

From martin at v.loewis.de Wed May 5 07:09:32 2010
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Wed, 05 May 2010 07:09:32 +0200
Subject: [Catalog-sig] Callbacks and Data access
In-Reply-To:
References:
Message-ID: <4BE0FD8C.70609@v.loewis.de>

> 1) Is it possible to get the download statistics on a timeline basis?

Unfortunately, I don't understand the question: what statistics do you want to download, and what does "timeline basis" mean?

> 2) Can I have some callbacks which tell me when Pypi is updated - as
> in, when a new package is updated, or an existing package is updated or
> a new release is launched?

Yes, there is a pubsubhubbub notification set up for the RSS feed

http://pypi.python.org/pypi?:action=lasthour

> 3) Is it possible to get all the data from PyPi in one go? basically
> get an export?

If, by "all data", you really mean "all data" (including the actual package files), then no.

It isn't possible to get *all* data even one-by-one. Some data (e.g. account information) is not available to the public.
If you plan to do mirroring, please be careful not to download everything repeatedly, or else your IP may get blocked.

> 4) I am not sure whether XMLRPC is the best way to access data - is
> there some other way?(other than crawling?)

Yes, there is the Simple API, which is REST-based

http://pypi.python.org/simple/

Regards,
Martin

From venkat83 at gmail.com Wed May 5 07:23:33 2010
From: venkat83 at gmail.com (Venkatraman S)
Date: Wed, 5 May 2010 10:53:33 +0530
Subject: [Catalog-sig] Callbacks and Data access
In-Reply-To: <4BE0FD8C.70609@v.loewis.de>
References: <4BE0FD8C.70609@v.loewis.de>
Message-ID:

On Wed, May 5, 2010 at 10:39 AM, "Martin v. Löwis" wrote:

> > 1) Is it possible to get the download statistics on a timeline basis?
>
> Unfortunately, I don't understand the question: what statistics do you
> want to download, and what does "timeline basis" mean?
>

Basically, I would like to know how many downloads have happened over a course of time. Think in terms of a chart with the X-axis being the months/year and y-axis being number of downloads.

>
> > 3) Is it possible to get all the data from PyPi in one go? basically
> > get an export?
>
> If, by "all data", you really mean "all data" (including the actual
> package files), then no.
>
> It isn't possible to get *all* data even one-by-one. Some data (e.g.
> account information) is not available to the public.
>
> If you plan to do mirroring, please be careful not to download
> everything repeatedly, or else your IP may get blocked.
>

I want to build some charting on top of the pypi data so that people will know the usage and popularity of the data. Think in terms of a wrapper on top of the data.

-V
http://twitter.com/venkasub
From martin at v.loewis.de Wed May 5 07:35:15 2010
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Wed, 05 May 2010 07:35:15 +0200
Subject: [Catalog-sig] Callbacks and Data access
In-Reply-To:
References: <4BE0FD8C.70609@v.loewis.de>
Message-ID: <4BE10393.2060901@v.loewis.de>

> Basically, I would like to know how many downloads have happened over a
> course of time.
> Think in terms of a chart with the X-axis being the months/year and
> y-axis being number of downloads.

No, that is currently not available.

Regards,
Martin

From martin at v.loewis.de Wed May 5 07:43:02 2010
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Wed, 05 May 2010 07:43:02 +0200
Subject: [Catalog-sig] Callbacks and Data access
In-Reply-To: <4BE10393.2060901@v.loewis.de>
References: <4BE0FD8C.70609@v.loewis.de> <4BE10393.2060901@v.loewis.de>
Message-ID: <4BE10566.5080802@v.loewis.de>

Martin v. Löwis wrote:
>> Basically, I would like to know how many downloads have happened over a
>> course of time.
>> Think in terms of a chart with the X-axis being the months/year and
>> y-axis being number of downloads.
>
> No, that is currently not available.

Actually, it *is* available, see

http://pypi.python.org/webstats/

Regards,
Martin

From venkat83 at gmail.com Wed May 5 08:05:08 2010
From: venkat83 at gmail.com (Venkatraman S)
Date: Wed, 5 May 2010 11:35:08 +0530
Subject: [Catalog-sig] Callbacks and Data access
In-Reply-To: <4BE10566.5080802@v.loewis.de>
References: <4BE0FD8C.70609@v.loewis.de> <4BE10393.2060901@v.loewis.de> <4BE10566.5080802@v.loewis.de>
Message-ID:

On Wed, May 5, 2010 at 11:13 AM, "Martin v. Löwis" wrote:

> Martin v. Löwis wrote:
> >> Basically, I would like to know how many downloads have happened over a
> >> course of time.
> >> Think in terms of a chart with the X-axis being the months/year and
> >> y-axis being number of downloads.
> >
> > No, that is currently not available.
>
> Actually, it *is* available, see
>
> http://pypi.python.org/webstats/
>
>

Looks good, but the page suffers from information overload.
I basically want to know given a package X, the download and release history(timeline) of it along with the package details.

Also, I want to know whether it would be 'legally' correct if I present the data in my website in a 'better way' and link to pypi for downloading the package?

The idea is I want to develop a Python Toolbox that the community doesn't have presently (I am working on a prototype here- the site is still in its alpha and I am working on it). Presenting information in a much visually appealing way and also helping to choose between the packages would be the goal. Any money generated will be used for promoting Python in India (like sponsoring python based events or tech contests). (I can write more, but reserve it for later)

-Venkat

From martin at v.loewis.de Wed May 5 08:23:45 2010
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Wed, 05 May 2010 08:23:45 +0200
Subject: [Catalog-sig] Callbacks and Data access
In-Reply-To:
References: <4BE0FD8C.70609@v.loewis.de> <4BE10393.2060901@v.loewis.de> <4BE10566.5080802@v.loewis.de>
Message-ID: <4BE10EF1.20409@v.loewis.de>

> Looks good, but the page suffers from information overload.

Tough luck.

> I basically want to know given a package X, the download and release
> history(timeline) of it along with the package details.

I understand. I'm not going to publish the web server access logs.

> Also, I want to know whether it would be 'legally' correct if I present
> the data in my website in a 'better way' and link to pypi for
> downloading the package?

As long as you comply with copyright law, certainly.

> The idea is I want to develop a Python Toolbox that the community doesn't
> have presently (I am working on a prototype here
> - the site is still in its alpha and I
> am working on it). Presenting information in a much visually appealing
> way and also helping to choose between the packages would be the goal.

Hmm. I would rather prefer if you contributed any enhancements to PyPI directly, instead of building a separate site.

Regards,
Martin

From venkat83 at gmail.com Wed May 5 08:51:26 2010
From: venkat83 at gmail.com (Venkatraman S)
Date: Wed, 5 May 2010 12:21:26 +0530
Subject: [Catalog-sig] Callbacks and Data access
In-Reply-To: <4BE10EF1.20409@v.loewis.de>
References: <4BE0FD8C.70609@v.loewis.de> <4BE10393.2060901@v.loewis.de> <4BE10566.5080802@v.loewis.de> <4BE10EF1.20409@v.loewis.de>
Message-ID:

On Wed, May 5, 2010 at 11:53 AM, "Martin v. Löwis" wrote:

>
> > I basically want to know given a package X, the download and release
> > history(timeline) of it along with the package details.
>
> I understand. I'm not going to publish the web server access logs.
>

Is the download information(per package) stored in the database (instead of being the server logs)?

> As long as you comply with copyright law, certainly.
>

Link?

-Venkat

From simon at ikanobori.jp Thu May 6 00:14:33 2010
From: simon at ikanobori.jp (Simon de Vlieger)
Date: Thu, 6 May 2010 00:14:33 +0200
Subject: [Catalog-sig] Callbacks and Data access
In-Reply-To:
References: <4BE0FD8C.70609@v.loewis.de> <4BE10393.2060901@v.loewis.de> <4BE10566.5080802@v.loewis.de> <4BE10EF1.20409@v.loewis.de>
Message-ID: <394E1A32-4FA0-48A6-B4A9-198D065B2BA1@ikanobori.jp>

It used to be available through the XMLRPC API PyPi exposes but was removed at a later date.
I noticed this earlier on, see the bugreport here: https://sourceforge.net/tracker/index.php?func=detail&aid=2979587&group_id=66150&atid=513503

Is your website going to be just a prettier representation of the PyPi listings and if so, what would you like to improve on the current PyPi website (to give a constructive spin to this).

Regards,

Simon de Vlieger

On 5 May 2010, at 08:51, Venkatraman S wrote:

>
> On Wed, May 5, 2010 at 11:53 AM, "Martin v. Löwis"
> wrote:
>
> > I basically want to know given a package X, the download and release
> > history(timeline) of it along with the package details.
>
> I understand. I'm not going to publish the web server access logs.
>
> Is the download information(per package) stored in the database
> (instead of being the server logs)?
>
> As long as you comply with copyright law, certainly.
>
> Link?
>
> -Venkat
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig

From ziade.tarek at gmail.com Thu May 6 16:34:24 2010
From: ziade.tarek at gmail.com (Tarek Ziadé)
Date: Thu, 6 May 2010 16:34:24 +0200
Subject: [Catalog-sig] The "Softpedia" spam
Message-ID:

Hello,

The Softpedia website sends an email to everyone that registers or uploads something at PyPI. This is clearly a spam and their website doesn't care about our projects.

I am not sure if they use the PubSubHubbub thing, but I was wondering how we could prevent these unsolicited mails.

If they use PubSubHubbub, maybe we could set up a black list of subscribers people can manage at their level, if they reconstruct the emails by reading the RSS feed, maybe we should not publish this info (even with the @ transformed into " at ").
Regards
Tarek

---------- Forwarded message ----------
From: Softpedia Editorial Team
Date: Thu, May 6, 2010 at 4:11 PM
Subject: Distutils2 included in the Softpedia Linux software database
To: tarek at ziade.org

Congratulations,

Distutils2, one of your products, has been added to Softpedia's database of software programs for Linux. It is featured with a description text, screenshots, download links and technical details on this page:
http://linux.softpedia.com/get/Programming/Libraries/Distutils2-56577.shtml

The description text was created by our editors, using sources such as text from your product's homepage, information from its help system, the PAD file (if available) and the editor's own opinions on the program itself.

If you feel that having your product listed on Softpedia is not a benefit for you or simply need something changed or updated, please contact us via email at webmaster at softpedia.com and we will work with you to fix any problem you may have found with the product's listing.

--
Sincerely,
The Softpedia Team

-----------------------------------------------------------------------
Softpedia is a library of over 400,000 free and free-to-try software programs for Windows, Mac OS and Linux, games and gaming tools, Windows device drivers, mobile devices and IT-related articles.
-----------------------------------------------------------------------

Softpedia - the encyclopedia of free software downloads
http://www.softpedia.com/

--
Tarek Ziadé | http://ziade.org

From mal at egenix.com Thu May 6 16:50:06 2010
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 06 May 2010 16:50:06 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To:
References:
Message-ID: <4BE2D71E.5040009@egenix.com>

Tarek Ziadé wrote:
> Hello,
>
> The Softpedia website sends an email to everyone that registers or
> uploads something at PyPI. This is clearly a spam and their website
> doesn't care about our projects.
>
> I am not sure if they use the PubSubHubbub thing, but I was wondering
> how we could prevent these unsolicited mails.
>
> If they use PubSubHubbub, maybe we could set up a black list of
> subscribers people can manage at their level,
> if they reconstruct the emails by reading the RSS feed, maybe we
> should not publish this info (even with the @ transformed into " at
> ").

Unfortunately, that's what you get when providing APIs to extract all the data from PyPI.

Not even the terms on the PyPI service can be used to prevent that (something I'll try to change now that I'm on the PSF board again).

We should really disallow redistribution of the PyPI meta data and uploads without prior written consent from the PSF.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, May 06 2010)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

From ziade.tarek at gmail.com Thu May 6 17:03:02 2010
From: ziade.tarek at gmail.com (Tarek Ziadé)
Date: Thu, 6 May 2010 17:03:02 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To: <4BE2D71E.5040009@egenix.com>
References: <4BE2D71E.5040009@egenix.com>
Message-ID:

On Thu, May 6, 2010 at 4:50 PM, M.-A. Lemburg wrote:
> Tarek Ziadé wrote:
>> Hello,
>>
>> The Softpedia website sends an email to everyone that registers or
>> uploads something at PyPI. This is clearly a spam and their website
>> doesn't care about our projects.
>>
>> I am not sure if they use the PubSubHubbub thing, but I was wondering
>> how we could prevent these unsolicited mails.
>>
>> If they use PubSubHubbub, maybe we could set up a black list of
>> subscribers people can manage at their level,
>> if they reconstruct the emails by reading the RSS feed, maybe we
>> should not publish this info (even with the @ transformed into " at
>> ").
>
> Unfortunately, that's what you get when providing APIs to extract
> all the data from PyPI.
>
> Not even the terms on the PyPI service can be used to prevent
> that (something I'll try to change now that I'm on the PSF board
> again).
>
> We should really disallow redistribution of the PyPI meta data
> and uploads without prior written consent from the PSF.

Well the problem is not about the distribution of the metadata because for OSS projects, you'll always have your email somewhere in the tarball.

I am not sure what you want to do at PSF level, but I wouldn't want the PSF to restrict the usage of my own project info if I upload them at PyPI. PyPI is just *one* recipient for projects and doesn't own people data.

The problem is about the usage of the APIs PyPI provides : Softpedia has set up an automatic process that gets triggered every time something is uploaded.

So it's all about spam, as usual. If we can control how the APIs are used, we will defeat this bot.

What I propose is:

- set up authentication for the XML-RPC APIs, in order to control this. If a user starts to use XML-RPC calls in his bots, it's easy to shut it down.

- set up a restricted list of subscribers for the PubSubHubbub protocol (I am not sure if this protocol supports authentication, but I guess we can set something up)

- avoid displaying any email or derived emails on anonymous page

>
> --
> Marc-Andre Lemburg
> eGenix.com
>

--
Tarek Ziadé | http://ziade.org

From mal at egenix.com Thu May 6 17:18:00 2010
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 06 May 2010 17:18:00 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To:
References: <4BE2D71E.5040009@egenix.com>
Message-ID: <4BE2DDA8.5080805@egenix.com>

Tarek Ziadé wrote:
> On Thu, May 6, 2010 at 4:50 PM, M.-A. Lemburg wrote:
>> Tarek Ziadé wrote:
>>> Hello,
>>>
>>> The Softpedia website sends an email to everyone that registers or
>>> uploads something at PyPI. This is clearly a spam and their website
>>> doesn't care about our projects.
>>>
>>> I am not sure if they use the PubSubHubbub thing, but I was wondering
>>> how we could prevent these unsolicited mails.
>>>
>>> If they use PubSubHubbub, maybe we could set up a black list of
>>> subscribers people can manage at their level,
>>> if they reconstruct the emails by reading the RSS feed, maybe we
>>> should not publish this info (even with the @ transformed into " at
>>> ").
>>
>> Unfortunately, that's what you get when providing APIs to extract
>> all the data from PyPI.
>>
>> Not even the terms on the PyPI service can be used to prevent
>> that (something I'll try to change now that I'm on the PSF board
>> again).
>>
>> We should really disallow redistribution of the PyPI meta data
>> and uploads without prior written consent from the PSF.
>
> Well the problem is not about the distribution of the metadata because
> for OSS projects, you'll always have your email somewhere in the tarball.
>
> I am not sure what you want to do at PSF level, but I wouldn't want the PSF to
> restrict the usage of my own project info if I upload them at PyPI. PyPI
> is just *one* recipient for projects and doesn't own people data.

Sorry, perhaps I wasn't clear: when uploading things to PyPI you accept the PyPI terms. These terms currently allow anyone to take the data from PyPI and publicly redistribute it without any restrictions.

I think it's better to only allow the PSF to redistribute data that it got from the PyPI package authors.

Redistribution in the form that Softpedia uses to attract visitors and make revenue on the ads they have on their site is not something the PSF would normally tolerate. However, with the current terms, there's nothing the PSF can do about it.

As package author, you are, of course, free to upload your packages wherever you want, the PyPI terms only apply to the data that you passed on to the PSF for display.

> The problem is about the usage of the APIs PyPI provides : Softpedia
> has set up an
> automatic process that gets triggered every time something is uploaded.
>
> So it's all about spam, as usual. If we can control how the APIs are
> used, we will defeat this bot.
>
> What I propose is:
>
> - set up authentication for the XML-RPC APIs, in order to control
> this. If a user starts to use
> XML-RPC calls in his bots, it's easy to shut it down.
>
> - set up a restricted list of subscribers for the PubSubHubbub
> protocol (I am not sure if this protocol
> supports authentication, but I guess we can set something up)
>
> - avoid displaying any email or derived emails on anonymous page

I'm not sure how that would work. Package manager tools would then all have to use this authentication mechanism.
--
Marc-Andre Lemburg
eGenix.com

From ziade.tarek at gmail.com Thu May 6 17:37:19 2010
From: ziade.tarek at gmail.com (Tarek Ziadé)
Date: Thu, 6 May 2010 17:37:19 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To: <4BE2DDA8.5080805@egenix.com>
References: <4BE2D71E.5040009@egenix.com> <4BE2DDA8.5080805@egenix.com>
Message-ID:

On Thu, May 6, 2010 at 5:18 PM, M.-A. Lemburg wrote:
[..]
> Sorry, perhaps I wasn't clear: when uploading things to PyPI
> you accept the PyPI terms. These terms currently allow anyone
> to take the data from PyPI and publicly redistribute it
> without any restrictions.
>
> I think it's better to only allow the PSF to redistribute data
> that it got from the PyPI package authors.

I am not sure what it means that the PSF redistributes data. Is this http://www.python.org/about/legal or another text ?

A list of prohibited usage (combined with authentication) should be enough to prevent the problem as far as I understand.

For instance, here's SourceForge's one

http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#a2.YOURUSEOFSOURCEFORGE.NET

Extract:

...using any information obtained from SourceForge.net in order to contact, advertise to, solicit, or sell to any user without such user's prior explicit consent (including non-commercial contacts like chain letters);

[..]
>> What I propose is:
>>
>> - set up authentication for the XML-RPC APIs, in order to control
>> this. If a user starts to use
>> XML-RPC calls in his bots, it's easy to shut it down.
>>
>> - set up a restricted list of subscribers for the PubSubHubbub
>> protocol (I am not sure if this protocol
>> supports authentication, but I guess we can set something up)
>>
>> - avoid displaying any email or derived emails on anonymous page
>
> I'm not sure how that would work. Package manager tools would
> then all have to use this authentication mechanism.

Yes but they would need to use an account therefore have an identity when they run their scripts.

For instance, PyPI can have API calls quota per user, and a white list of users that are allowed to have an unlimited number of API calls. (managed manually)

IOW, allow stuff like cheesecake ratings or whatever, to subscribe, and be able to block Softpedia.

It's a limited protection but should be enough: I don't think the Softpedia staff will work on defeating this by registering hundreds of zombies at PyPI.

But I understand that it also needs the legal part,

Regards,
Tarek

--
Tarek Ziadé | http://ziade.org

From mal at egenix.com Thu May 6 17:53:36 2010
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 06 May 2010 17:53:36 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To:
References: <4BE2D71E.5040009@egenix.com> <4BE2DDA8.5080805@egenix.com>
Message-ID: <4BE2E600.5090208@egenix.com>

Tarek Ziadé wrote:
> On Thu, May 6, 2010 at 5:18 PM, M.-A. Lemburg wrote:
> [..]
>> Sorry, perhaps I wasn't clear: when uploading things to PyPI
>> you accept the PyPI terms. These terms currently allow anyone
>> to take the data from PyPI and publicly redistribute it
>> without any restrictions.
>>
>> I think it's better to only allow the PSF to redistribute data
>> that it got from the PyPI package authors.
>
> I am not sure what it means that the PSF redistributes data.
> Is this
> http://www.python.org/about/legal or another text ?

That text needs some care as well, yes. I was referring to this text on PyPI:

http://pypi.python.org/pypi?%3Aaction=register_form
"""
By registering to upload content to PyPI, I agree and affirmatively acknowledge the following:

1. Content is restricted to Python packages and related information only.
2. Any content uploaded to PyPI is provided on a non-confidential basis.
3. The PSF is free to use or disseminate any content that I upload on an unrestricted basis for any purpose. In particular, the PSF and all other users of the web site are granted an irrevocable, worldwide, royalty-free, nonexclusive license to reproduce, distribute, transmit, display, perform, and publish the content, including in digital form.
4. I represent and warrant that I have complied with all government regulations concerning the transfer or export of any content I upload to PyPI. In particular, if I am subject to United States law, I represent and warrant that I have obtained the proper governmental authorization for the export of the content I upload. I further affirm that any content I provide is not intended for use by a government end-user as defined in part 772 of the United States Export Administration Regulations.
"""

> A list of prohibited usage (combined with authentication) should be
> enough to prevent the problem
> as far as I understand.
>
> For instance, here's SourceForge's one
>
> http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#a2.YOURUSEOFSOURCEFORGE.NET
>
> Extract:
>
> ...using any information obtained from SourceForge.net in order to
> contact, advertise to, solicit, or sell to any
> user without such user's prior explicit consent (including
> non-commercial contacts like chain letters);

Right, we'd need something along those lines.

> [..]
>>> What I propose is:
>>>
>>> - set up authentication for the XML-RPC APIs, in order to control
>>> this.
>>> If a user starts to use
>>> XML-RPC calls in his bots, it's easy to shut it down.
>>>
>>> - set up a restricted list of subscribers for the PubSubHubbub
>>> protocol (I am not sure if this protocol
>>> supports authentication, but I guess we can set something up)
>>>
>>> - avoid displaying any email or derived emails on anonymous page
>>
>> I'm not sure how that would work. Package manager tools would
>> then all have to use this authentication mechanism.
>
> Yes but they would need to use an account therefore have an identity
> when they run their scripts.

Hmm, wouldn't that require all pip users to have PyPI account ?

> For instance, PyPI can have API calls quota per user, and a white list
> of users that are allowed to have
> an unlimited number of API calls. (managed manually)
>
> IOW, allow stuff like cheesecake ratings or whatever, to subscribe,
> and be able to block Softpedia.
>
> It's a limited protection but should be enough: I don't think the
> Softpedia staff will work on
> defeating this by registering hundreds of zombies at PyPI.
>
> But I understand that it also needs the legal part,

I'll work on the legal stuff and leave the technical side to you :-)

--
Marc-Andre Lemburg
eGenix.com

From tseaver at palladion.com Thu May 6 20:36:06 2010
From: tseaver at palladion.com (Tres Seaver)
Date: Thu, 06 May 2010 14:36:06 -0400
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To: <4BE2E600.5090208@egenix.com>
References: <4BE2D71E.5040009@egenix.com> <4BE2DDA8.5080805@egenix.com> <4BE2E600.5090208@egenix.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

M.-A. Lemburg wrote:
> Tarek Ziadé wrote:
>> On Thu, May 6, 2010 at 5:18 PM, M.-A. Lemburg wrote:
>> [..]
>>> Sorry, perhaps I wasn't clear: when uploading things to PyPI
>>> you accept the PyPI terms. These terms currently allow anyone
>>> to take the data from PyPI and publicly redistribute it
>>> without any restrictions.
>>>
>>> I think it's better to only allow the PSF to redistribute data
>>> that it got from the PyPI package authors.
>> I am not sure what it means that the PSF redistributes data. Is this
>> http://www.python.org/about/legal or another text ?
>
> That text needs some care as well, yes. I was referring to this text
> on PyPI:
>
> http://pypi.python.org/pypi?%3Aaction=register_form
> """
> By registering to upload content to PyPI, I agree and affirmatively acknowledge the following:
>
> 1. Content is restricted to Python packages and related information only.
> 2. Any content uploaded to PyPI is provided on a non-confidential basis.
> 3. The PSF is free to use or disseminate any content that I upload on an unrestricted basis for
> any purpose. In particular, the PSF and all other users of the web site are granted an irrevocable,
> worldwide, royalty-free, nonexclusive license to reproduce, distribute, transmit, display, perform,
> and publish the content, including in digital form.
> 4. I represent and warrant that I have complied with all government regulations concerning the
> transfer or export of any content I upload to PyPI.
> In particular, if I am subject to United States
> law, I represent and warrant that I have obtained the proper governmental authorization for the
> export of the content I upload. I further affirm that any content I provide is not intended for use
> by a government end-user as defined in part 772 of the United States Export Administration Regulations.
> """
>
>> A list of prohibited usage (combined with authentication) should be
>> enough to prevent the problem
>> as far as I understand.
>>
>> For instance, here's SourceForge's one
>>
>> http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#a2.YOURUSEOFSOURCEFORGE.NET
>>
>> Extract:
>>
>> ...using any information obtained from SourceForge.net in order to
>> contact, advertise to, solicit, or sell to any
>> user without such user's prior explicit consent (including
>> non-commercial contacts like chain letters);
>
> Right, we'd need something along those lines.
>
>> [..]
>>>> What I propose is:
>>>>
>>>> - set up authentication for the XML-RPC APIs, in order to control
>>>> this. If a user starts to use
>>>> XML-RPC calls in his bots, it's easy to shut it down.
>>>>
>>>> - set up a restricted list of subscribers for the PubSubHubbub
>>>> protocol (I am not sure if this protocol
>>>> supports authentication, but I guess we can set something up)
>>>>
>>>> - avoid displaying any email or derived emails on anonymous page
>>> I'm not sure how that would work. Package manager tools would
>>> then all have to use this authentication mechanism.
>> Yes but they would need to use an account therefore have an identity
>> when they run their scripts.
>
> Hmm, wouldn't that require all pip users to have PyPI account ?

I *think* PIP uses the "/simple" API (the RESTy one), rather than XMLRPC. That is certainly how setuptools / distribute work, anyway.


Tres.
- -- =================================================================== Tres Seaver +1 540-429-0999 tseaver at palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkvjDBAACgkQ+gerLs4ltQ5yCQCfV6Voc2nET6JtMJjDkrP0cPnc TYwAnRNQDeE8KVBuGuqu8+OpN23oGWuf =LKnD -----END PGP SIGNATURE----- From martin at v.loewis.de Fri May 7 00:59:37 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Fri, 07 May 2010 00:59:37 +0200 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: References: Message-ID: <4BE349D9.1050302@v.loewis.de> > If they use PubSubHubbub, maybe we could set up a black list of > subscribers people can manage at their level, > if they reconstruct the emails by reading the RSS feed, maybe we > should not publish this info (even with the @ transformed into " at > "). I don't think we should stop announcing new releases on the web site, and, as long as we do, people can setup automated actions. People keep asking for being notified, so I don't think the need for that will go away, either. IOW, it is a good thing that automated reactions to new releases are actually possible. Now, with respect to these specific email messages: I agree they are spam, and would support to see that stopped. However, I don't think technical means are the right reaction. Instead, we should send them an email message asking them to stop. Feel free to approach them. Regards, Martin From ziade.tarek at gmail.com Fri May 7 01:33:46 2010 From: ziade.tarek at gmail.com (=?ISO-8859-1?Q?Tarek_Ziad=E9?=) Date: Fri, 7 May 2010 01:33:46 +0200 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: <4BE349D9.1050302@v.loewis.de> References: <4BE349D9.1050302@v.loewis.de> Message-ID: 2010/5/7 "Martin v. 
Löwis" :
>> If they use PubSubHubbub, maybe we could set up a black list of
>> subscribers people can manage at their level,
>> if they reconstruct the emails by reading the RSS feed, maybe we
>> should not publish this info (even with the @ transformed into " at
>> ").
>
> I don't think we should stop announcing new releases on the web site,
> and, as long as we do, people can setup automated actions. People keep
> asking for being notified, so I don't think the need for that will go
> away, either. IOW, it is a good thing that automated reactions to new
> releases are actually possible.

No one asked for stopping announcing the new releases. Having those automated reaction is of course a good thing !

I just said that making it more secure would prevent spammers.

e.g. differentiate "people" from spammers.

>
> Now, with respect to these specific email messages: I agree they are
> spam, and would support to see that stopped. However, I don't think
> technical means are the right reaction. Instead, we should send them an
> email message asking them to stop. Feel free to approach them.

I don't think asking a spammer to stop spamming is the real solution. PyPI and the PSF should protect its pypi.python.org users as much as possible, here, and I still think it has to be addressed by making it harder for spammers to bother us.

> Regards,
> Martin
>

--
Tarek Ziadé | http://ziade.org

From exarkun at twistedmatrix.com Fri May 7 01:43:54 2010
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Thu, 06 May 2010 23:43:54 -0000
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To:
References: <4BE349D9.1050302@v.loewis.de>
Message-ID: <20100506234354.1681.1307873384.divmod.xquotient.66@localhost.localdomain>

On 11:33 pm, ziade.tarek at gmail.com wrote:
>2010/5/7 "Martin v.
Löwis" :
>>>If they use PubSubHubbub, maybe we could set up a black list of
>>>subscribers people can manage at their level,
>>>if they reconstruct the emails by reading the RSS feed, maybe we
>>>should not publish this info (even with the @ transformed into " at
>>>").
>>
>>I don't think we should stop announcing new releases on the web site,
>>and, as long as we do, people can setup automated actions. People keep
>>asking for being notified, so I don't think the need for that will go
>>away, either. IOW, it is a good thing that automated reactions to new
>>releases are actually possible.
>
>No one asked for stopping announcing the new releases. Having those
>automated
>reaction is of course a good thing !
>
>I just said that making it more secure would prevent spammers.
>
>e.g. differentiate "people" from spammers.
>>
>>Now, with respect to these specific email messages: I agree they are
>>spam, and would support to see that stopped. However, I don't think
>>technical means are the right reaction. Instead, we should send them
>>an
>>email message asking them to stop. Feel free to approach them.
>
>I don't think asking a spammer to stop spamming is the real solution.

Softpedia is not an anonymous entity in an unknown legal jurisdiction. I'm not going to claim to know what the best thing to do here is, but asking Softpedia to stop doing this isn't like replying to a 411 email asking to be taken off their mailing list. There's at least a small chance that they care about their brand and reputation, and if not, another chance that legal action can be brought against them.

>PyPI and the PSF should protect its pypi.python.org users as much as
>possible,
>here, and I still think it has to be addressed by making it harder for
>spammers
>to bother us.
>>Regards,
>>Martin
>
>
>
>--
>Tarek Ziadé
| http://ziade.org
>_______________________________________________
>Catalog-SIG mailing list
>Catalog-SIG at python.org
>http://mail.python.org/mailman/listinfo/catalog-sig

From ziade.tarek at gmail.com Fri May 7 01:45:42 2010
From: ziade.tarek at gmail.com (=?ISO-8859-1?Q?Tarek_Ziad=E9?=)
Date: Fri, 7 May 2010 01:45:42 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To: <4BE3532A.9010005@v.loewis.de>
References: <4BE349D9.1050302@v.loewis.de> <4BE3532A.9010005@v.loewis.de>
Message-ID:

2010/5/7 "Martin v. Löwis" :
>> I don't think asking a spammer to stop spamming is the real solution.
>
> So you are saying we should *not* approach Softpedia? Why not?

I am not talking about Softpedia in particular, but about the PyPI system that can be used to spam people, whoever is the spammer. IOW, I think we should fix this issue once for all and not focus on Softpedia. Now I won't contact them, but anyone can try (beware you might get more spam ;) )

>
> Regards,
> Martin
>

--
Tarek Ziadé | http://ziade.org

From martin at v.loewis.de Fri May 7 01:39:22 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Fri, 07 May 2010 01:39:22 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To:
References: <4BE349D9.1050302@v.loewis.de>
Message-ID: <4BE3532A.9010005@v.loewis.de>

> I don't think asking a spammer to stop spamming is the real solution.

So you are saying we should *not* approach Softpedia? Why not?

Regards,
Martin

From ziade.tarek at gmail.com Fri May 7 01:49:02 2010
From: ziade.tarek at gmail.com (=?ISO-8859-1?Q?Tarek_Ziad=E9?=)
Date: Fri, 7 May 2010 01:49:02 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To: <20100506234354.1681.1307873384.divmod.xquotient.66@localhost.localdomain>
References: <4BE349D9.1050302@v.loewis.de> <20100506234354.1681.1307873384.divmod.xquotient.66@localhost.localdomain>
Message-ID:

2010/5/7 :
[..]
>
> Softpedia is not an anonymous entity in an unknown legal jurisdiction.
I'm
> not going to claim to know what the best thing to do here is, but asking
> Softpedia to stop doing this isn't like replying to a 411 email asking to be
> taken off their mailing list. There's at least a small chance that they
> care about their brand and reputation, and if not, another chance that legal
> action can be brought against them.

Maybe it'll work, frankly I don't know who is behind them. But this doesn't fix the real problem.

From steve at pearwood.info Fri May 7 02:43:31 2010
From: steve at pearwood.info (Steven D'Aprano)
Date: Fri, 7 May 2010 10:43:31 +1000
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To:
References:
Message-ID: <201005071043.32009.steve@pearwood.info>

On Fri, 7 May 2010 12:34:24 am Tarek Ziadé wrote:
> Hello,
>
> The Softpedia website sends an email to everyone that register or
> uploads something at PyPI. This is clearly a spam and their website
> don't care about our projects.
>
> I am not sure if they use the PubSubHubbub thing, but I was wondering
> how we could prevent these unsolicited mails.

I don't know that we should be responsible for trying to prevent every bad use of PyPI. I'm not even convinced that the Softpedia emails are spam in any legal or ethical sense.

It's not a mass broadcast of email: each email gets sent to *one* recipient. Re-distributing the software on PyPI is legal under the terms of the licences (possibly with a few exceptions). I think you would fail to convince a judge that, legally, Softpedia is spamming or engaged in any unreasonable action. You certainly fail to convince me.

It would be different if you sent them clear instructions telling them you prohibited them from redistributing the software, but that would be in clear contradiction of any Open Source licence I know of, and you won't get any sympathy from me. You might not want to receive emails from Softpedia, but that doesn't make them spam.
I don't want to receive those stupid "chicken soup for the soul" emails that my mum sends me, but that doesn't make them spam. I don't think this is a problem we should be trying to solve. If you don't want to see Softpedia's emails, teach your mail client to filter them into the trash.

--
Steven D'Aprano

From steve at pearwood.info Fri May 7 02:50:22 2010
From: steve at pearwood.info (Steven D'Aprano)
Date: Fri, 7 May 2010 10:50:22 +1000
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To: <4BE3532A.9010005@v.loewis.de>
References: <4BE3532A.9010005@v.loewis.de>
Message-ID: <201005071050.22610.steve@pearwood.info>

On Fri, 7 May 2010 09:39:22 am Martin v. Löwis wrote:
> > I don't think asking a spammer to stop spamming is the real
> > solution.
>
> So you are saying we should *not* approach Softpedia? Why not?

It is not up to us to decide on behalf of thousands of package authors whether or not their software is mirrored on Softpedia, or whether Softpedia contacts them. I am strongly opposed to PyPI making that decision for me. I am moderately opposed to PyPI prohibiting the redistribution of metadata.

--
Steven D'Aprano

From tjreedy at udel.edu Fri May 7 06:28:24 2010
From: tjreedy at udel.edu (Terry Reedy)
Date: Fri, 07 May 2010 00:28:24 -0400
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To: <201005071043.32009.steve@pearwood.info>
References: <201005071043.32009.steve@pearwood.info>
Message-ID:

On 5/6/2010 8:43 PM, Steven D'Aprano wrote:
> On Fri, 7 May 2010 12:34:24 am Tarek Ziadé wrote:
>> Hello,
>>
>> The Softpedia website sends an email to everyone that register or
>> uploads something at PyPI. This is clearly a spam and their website
>> don't care about our projects.
>>
>> I am not sure if they use the PubSubHubbub thing, but I was wondering
>> how we could prevent these unsolicited mails.
>
> I don't know that we should be responsible for trying to prevent every
> bad use of PyPI.
I'm not even convinced that the Softpedia emails are
> spam in any legal or ethical sense.
>
> It's not a mass broadcast of email: each email gets sent to *one*
> recipient. Re-distributing the software on PyPI is legal under the
> terms of the licences (possibly with a few exceptions). I think you
> would fail to convince a judge that, legally, Softpedia is spamming or
> engaged in any unreasonable action. You certainly fail to convince me.

I am not completely convinced either. It appears to be a legitimate site that people use to access FOSS software, with relatively subdued ads (except for the double-underscore popup boxes). I do notice that
http://pypi.python.org/pypi/Distutils2/1.0a1
shows 0 downloads at the moment whereas
http://linux.softpedia.com/get/Programming/Libraries/Distutils2-56577.shtml
shows 14. The python3.1.2 page shows nearly 10000. That much, if truthful, is good.

If one uploads often, I see how the 'courtesy' letter could be annoying.

Terry Jan Reedy

From noah at coderanger.net Fri May 7 09:22:53 2010
From: noah at coderanger.net (Noah Kantrowitz)
Date: Fri, 7 May 2010 00:22:53 -0700
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To:
References: <201005071043.32009.steve@pearwood.info>
Message-ID: <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net>

On May 6, 2010, at 9:28 PM, Terry Reedy wrote:
> On 5/6/2010 8:43 PM, Steven D'Aprano wrote:
>> On Fri, 7 May 2010 12:34:24 am Tarek Ziadé wrote:
>>> Hello,
>>>
>>> The Softpedia website sends an email to everyone that register or
>>> uploads something at PyPI. This is clearly a spam and their website
>>> don't care about our projects.
>>>
>>> I am not sure if they use the PubSubHubbub thing, but I was wondering
>>> how we could prevent these unsolicited mails.
>>
>> I don't know that we should be responsible for trying to prevent every
>> bad use of PyPI. I'm not even convinced that the Softpedia emails are
>> spam in any legal or ethical sense.
>> >> It's not a mass broadcast of email: each email gets sent to *one* >> recipient. Re-distributing the software on PyPI is legal under the >> terms of the licences (possibly with a few exceptions). I think you >> would fail to convince a judge that, legally, Softpedia is spamming or >> engaged in any unreasonable action. You certainly fail to convince me. > > I am not completely convinced either. It appears to be a legitimate site that people use to access FOSS software, with relatively subdued ads (except for the double-underscore popup boxes). I do notice that > http://pypi.python.org/pypi/Distutils2/1.0a1 > shows 0 downloads at the moment whereas > http://linux.softpedia.com/get/Programming/Libraries/Distutils2-56577.shtml > shows 14. The python3.1.2 page shows nearly 10000. That much, if truthful, is good. > > If one uploads often, I see how the 'curtesy' letter could be annoying. I think most FOSS authors are aware that putting their email in a package is effectively putting it in the clear on the internet. I think we have come beyond the days of "noah (at) coderanger [dot] net" and all those silly tricks that were popular not too long ago. If an author is excessively concerned about spam, they shouldn't put their email in author_email. Is that field mandatory now or something? Softpedia is a little annoying with the emails, but I've found them useful personally (along with versiontracker) when looking for OS X software before. Freshmeat is a similar index of FOSS projects, and I've definitely used that before. Is there some reason we are objecting to including PyPI data in other software catalogs? If it makes it a tiny bit easier to find Python software, I'm all for it. 
--Noah From ziade.tarek at gmail.com Fri May 7 09:31:45 2010 From: ziade.tarek at gmail.com (=?ISO-8859-1?Q?Tarek_Ziad=E9?=) Date: Fri, 7 May 2010 09:31:45 +0200 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: References: <201005071043.32009.steve@pearwood.info> Message-ID: On Fri, May 7, 2010 at 6:28 AM, Terry Reedy wrote: [..] >> >> I don't know that we should be responsible for trying to prevent every >> bad use of PyPI. I'm not even convinced that the Softpedia emails are >> spam in any legal or ethical sense. >> >> It's not a mass broadcast of email: each email gets sent to *one* >> recipient. Re-distributing the software on PyPI is legal under the >> terms of the licences (possibly with a few exceptions). I think you >> would fail to convince a judge that, legally, Softpedia is spamming or >> engaged in any unreasonable action. You certainly fail to convince me. A spam is an unsolicited email you receive from someone you don't know, that tries to sell or promote a service or a product to make money. Softpedia qualifies in this definition. > I am not completely convinced either. It appears to be a legitimate site > that people use to access FOSS software, with relatively subdued ads (except > for the double-underscore popup boxes). I do notice that > http://pypi.python.org/pypi/Distutils2/1.0a1 > shows 0 downloads at the moment whereas > http://linux.softpedia.com/get/Programming/Libraries/Distutils2-56577.shtml > shows 14. The python3.1.2 page shows nearly 10000. That much, if truthful, > is good. > > If one uploads often, I see how the 'curtesy' letter could be annoying. Yes that what happens to me. 
But well I am just going to drop it, it seems that I am alone thinking this should be prevented, and that Softpedia is a spammer :) From martin at v.loewis.de Fri May 7 09:35:32 2010 From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=) Date: Fri, 07 May 2010 09:35:32 +0200 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net> References: <201005071043.32009.steve@pearwood.info> <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net> Message-ID: <4BE3C2C4.8030709@v.loewis.de> > I think most FOSS authors are aware that putting their email in a > package is effectively putting it in the clear on the internet. I > think we have come beyond the days of "noah (at) coderanger [dot] > net" and all those silly tricks that were popular not too long ago. > If an author is excessively concerned about spam, they shouldn't put > their email in author_email. Is that field mandatory now or > something? Softpedia is a little annoying with the emails, but I've > found them useful personally (along with versiontracker) when looking > for OS X software before. Freshmeat is a similar index of FOSS > projects, and I've definitely used that before. Is there some reason > we are objecting to including PyPI data in other software catalogs? > If it makes it a tiny bit easier to find Python software, I'm all for > it. Ok. So I won't take any action, then. Regards, Martin From ziade.tarek at gmail.com Fri May 7 09:36:49 2010 From: ziade.tarek at gmail.com (=?ISO-8859-1?Q?Tarek_Ziad=E9?=) Date: Fri, 7 May 2010 09:36:49 +0200 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net> References: <201005071043.32009.steve@pearwood.info> <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net> Message-ID: On Fri, May 7, 2010 at 9:22 AM, Noah Kantrowitz wrote: [..] 
>
> I think most FOSS authors are aware that putting their email in a package is effectively putting it in the clear on the internet. I think we have come beyond the days of "noah (at) coderanger [dot] net" and all those silly tricks that were popular not too long ago. If an author is excessively concerned about spam, they shouldn't put their email in author_email. Is that field mandatory now or something?

No it's not mandatory.

> Softpedia is a little annoying with the emails, but I've found them useful personally (along with versiontracker)
> when looking for OS X software before. Freshmeat is a similar index of FOSS projects, and I've definitely
> used that before. Is there some reason we are objecting to including PyPI data in other software catalogs? If
> it makes it a tiny bit easier to find Python software, I'm all for it.

You can't compare Freshmeat and Softpedia. Freshmeat is a legitimate index developer manually fills, whereas Softpedia is bot-based and just tries to attract people to make money. I don't mind having PyPI projects at Softpedia, but I think we should prevent this automatic mail sending they set up. It got worse lately. But I said I would drop it, so... :)

>
> --Noah
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>

--
Tarek Ziadé | http://ziade.org

From mal at egenix.com Fri May 7 09:47:21 2010
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 07 May 2010 09:47:21 +0200
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To: <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net>
References: <201005071043.32009.steve@pearwood.info> <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net>
Message-ID: <4BE3C589.1040109@egenix.com>

Noah Kantrowitz wrote:
> I think most FOSS authors are aware that putting their email in a package is effectively putting it in the clear on the internet.
I think we have come beyond the days of "noah (at) coderanger [dot] net" and all those silly tricks that were popular not too long ago. If an author is excessively concerned about spam, they shouldn't put their email in author_email. Is that field mandatory now or something? Softpedia is a little annoying with the emails, but I've found them useful personally (along with versiontracker) when looking for OS X software before. Freshmeat is a similar index of FOSS projects, and I've definitely used that before. Is there some reason we are objecting to including PyPI data in other software catalogs? If it makes it a tiny bit easier to find Python software, I'm all for it. No, but the PSF should be asked for permission before using the data on some other site. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, May 07 2010) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ 2010-04-23: Released mxODBC.Zope.DA 2.0.1 http://zope.egenix.com/ ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ From noah at coderanger.net Fri May 7 09:49:33 2010 From: noah at coderanger.net (Noah Kantrowitz) Date: Fri, 7 May 2010 00:49:33 -0700 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: <4BE3C589.1040109@egenix.com> References: <201005071043.32009.steve@pearwood.info> <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net> <4BE3C589.1040109@egenix.com> Message-ID: <4954D092-40E7-445C-940B-217A0C03DDEF@coderanger.net> On May 7, 2010, at 12:47 AM, M.-A. 
Lemburg wrote: > Noah Kantrowitz wrote: >> I think most FOSS authors are aware that putting their email in a package is effectively putting it in the clear on the internet. I think we have come beyond the days of "noah (at) coderanger [dot] net" and all those silly tricks that were popular not too long ago. If an author is excessively concerned about spam, they shouldn't put their email in author_email. Is that field mandatory now or something? Softpedia is a little annoying with the emails, but I've found them useful personally (along with versiontracker) when looking for OS X software before. Freshmeat is a similar index of FOSS projects, and I've definitely used that before. Is there some reason we are objecting to including PyPI data in other software catalogs? If it makes it a tiny bit easier to find Python software, I'm all for it. > > No, but the PSF should be asked for permission before using the data > on some other site. Permission is probably not a good thing to inject, too much risk of being picky on who can use the data. If it is available to anyone, it should be available to all. I would agree that as a professional courtesy it would be nice if people would let us know if they are mining PyPI, but you are dipping into dangerous territory if you put a gate in front of it. --Noah From mal at egenix.com Fri May 7 09:57:19 2010 From: mal at egenix.com (M.-A. Lemburg) Date: Fri, 07 May 2010 09:57:19 +0200 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: <4954D092-40E7-445C-940B-217A0C03DDEF@coderanger.net> References: <201005071043.32009.steve@pearwood.info> <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net> <4BE3C589.1040109@egenix.com> <4954D092-40E7-445C-940B-217A0C03DDEF@coderanger.net> Message-ID: <4BE3C7DF.3090005@egenix.com> Noah Kantrowitz wrote: > > On May 7, 2010, at 12:47 AM, M.-A. 
Lemburg wrote: > >> Noah Kantrowitz wrote: >>> I think most FOSS authors are aware that putting their email in a package is effectively putting it in the clear on the internet. I think we have come beyond the days of "noah (at) coderanger [dot] net" and all those silly tricks that were popular not too long ago. If an author is excessively concerned about spam, they shouldn't put their email in author_email. Is that field mandatory now or something? Softpedia is a little annoying with the emails, but I've found them useful personally (along with versiontracker) when looking for OS X software before. Freshmeat is a similar index of FOSS projects, and I've definitely used that before. Is there some reason we are objecting to including PyPI data in other software catalogs? If it makes it a tiny bit easier to find Python software, I'm all for it. >> >> No, but the PSF should be asked for permission before using the data >> on some other site. > > Permission is probably not a good thing to inject, too much risk of being picky on who can use the data. If it is available to anyone, it should be available to all. I would agree that as a professional courtesy it would be nice if people would let us know if they are mining PyPI, but you are dipping into dangerous territory if you put a gate in front of it. Why do you think so ? The PSF would most certainly apply the same openness it is applying for its own trademarks. I believe that package authors uploading things to PyPI should be able to trust that the PSF (being behind PyPI) uses this data with the appropriate care. The same is true if you upload data to Freshmeat, Sourceforge and other such sites. Why should PyPI be different ? -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, May 07 2010) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... 
http://python.egenix.com/ ________________________________________________________________________ 2010-04-23: Released mxODBC.Zope.DA 2.0.1 http://zope.egenix.com/ ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ From noah at coderanger.net Fri May 7 10:00:52 2010 From: noah at coderanger.net (Noah Kantrowitz) Date: Fri, 7 May 2010 01:00:52 -0700 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: <4BE3C7DF.3090005@egenix.com> References: <201005071043.32009.steve@pearwood.info> <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net> <4BE3C589.1040109@egenix.com> <4954D092-40E7-445C-940B-217A0C03DDEF@coderanger.net> <4BE3C7DF.3090005@egenix.com> Message-ID: <5B7B39BD-6659-44D7-91DC-32E1E6EC15D0@coderanger.net> On May 7, 2010, at 12:57 AM, M.-A. Lemburg wrote: > Noah Kantrowitz wrote: >> >> On May 7, 2010, at 12:47 AM, M.-A. Lemburg wrote: >> >>> Noah Kantrowitz wrote: >>>> I think most FOSS authors are aware that putting their email in a package is effectively putting it in the clear on the internet. I think we have come beyond the days of "noah (at) coderanger [dot] net" and all those silly tricks that were popular not too long ago. If an author is excessively concerned about spam, they shouldn't put their email in author_email. Is that field mandatory now or something? Softpedia is a little annoying with the emails, but I've found them useful personally (along with versiontracker) when looking for OS X software before. Freshmeat is a similar index of FOSS projects, and I've definitely used that before. Is there some reason we are objecting to including PyPI data in other software catalogs? If it makes it a tiny bit easier to find Python software, I'm all for it. 
>>> >>> No, but the PSF should be asked for permission before using the data >>> on some other site. >> >> Permission is probably not a good thing to inject, too much risk of being picky on who can use the data. If it is available to anyone, it should be available to all. I would agree that as a professional courtesy it would be nice if people would let us know if they are mining PyPI, but you are dipping into dangerous territory if you put a gate in front of it. > > Why do you think so ? > > The PSF would most certainly apply the same openness it is applying > for its own trademarks. > > I believe that package authors uploading things to PyPI should be able > to trust that the PSF (being behind PyPI) uses this data with the > appropriate care. > > The same is true if you upload data to Freshmeat, Sourceforge and > other such sites. Why should PyPI be different ? I just don't think the PSF or this SIG should be in the business of saying who can access PyPI (which is what this boils down to at a philosophical level). That said, I also have a lot of faith in the judgement of the PSF and if they felt they could take on this (large) responsibility I wouldn't fight it that hard. I would fight harder to say that this shouldn't be the job of the SIG though. --Noah From mal at egenix.com Fri May 7 10:17:00 2010 From: mal at egenix.com (M.-A. Lemburg) Date: Fri, 07 May 2010 10:17:00 +0200 Subject: [Catalog-sig] The "Softpedia" spam In-Reply-To: <5B7B39BD-6659-44D7-91DC-32E1E6EC15D0@coderanger.net> References: <201005071043.32009.steve@pearwood.info> <006A95EB-C897-48F8-ABAD-48E3E94E3BD3@coderanger.net> <4BE3C589.1040109@egenix.com> <4954D092-40E7-445C-940B-217A0C03DDEF@coderanger.net> <4BE3C7DF.3090005@egenix.com> <5B7B39BD-6659-44D7-91DC-32E1E6EC15D0@coderanger.net> Message-ID: <4BE3CC7C.9080905@egenix.com> Noah Kantrowitz wrote: > > On May 7, 2010, at 12:57 AM, M.-A. Lemburg wrote: > >> Noah Kantrowitz wrote: >>> >>> On May 7, 2010, at 12:47 AM, M.-A. 
Lemburg wrote: >>> >>>> Noah Kantrowitz wrote: >>>>> I think most FOSS authors are aware that putting their email in a package is effectively putting it in the clear on the internet. I think we have come beyond the days of "noah (at) coderanger [dot] net" and all those silly tricks that were popular not too long ago. If an author is excessively concerned about spam, they shouldn't put their email in author_email. Is that field mandatory now or something? Softpedia is a little annoying with the emails, but I've found them useful personally (along with versiontracker) when looking for OS X software before. Freshmeat is a similar index of FOSS projects, and I've definitely used that before. Is there some reason we are objecting to including PyPI data in other software catalogs? If it makes it a tiny bit easier to find Python software, I'm all for it. >>>> >>>> No, but the PSF should be asked for permission before using the data >>>> on some other site. >>> >>> Permission is probably not a good thing to inject, too much risk of being picky on who can use the data. If it is available to anyone, it should be available to all. I would agree that as a professional courtesy it would be nice if people would let us know if they are mining PyPI, but you are dipping into dangerous territory if you put a gate in front of it. >> >> Why do you think so ? >> >> The PSF would most certainly apply the same openness it is applying >> for its own trademarks. >> >> I believe that package authors uploading things to PyPI should be able >> to trust that the PSF (being behind PyPI) uses this data with the >> appropriate care. >> >> The same is true if you upload data to Freshmeat, Sourceforge and >> other such sites. Why should PyPI be different ? > > I just don't think the PSF or this SIG should be in the business of saying who can access PyPI (which is what this boils down to at a philosophical level). 
That said, I also have a lot of faith in the judgement of the PSF and if they felt they could take on this (large) responsibility I wouldn't fight it that hard. I would fight harder to say that this shouldn't be the job of the SIG though.

This would be the PSF's task, since the relationship is between the package author and the PSF, not this SIG, although the PSF could approach the SIG for help, e.g. in order to define where to draw the line.

Please also note that the PSF would not be in the business of saying who can access PyPI, only in the business of saying who is allowed to publicly redistribute that data and under which conditions.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, May 07 2010)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
2010-04-23: Released mxODBC.Zope.DA 2.0.1 http://zope.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

From tjreedy at udel.edu Fri May 7 23:52:04 2010
From: tjreedy at udel.edu (Terry Reedy)
Date: Fri, 07 May 2010 17:52:04 -0400
Subject: [Catalog-sig] The "Softpedia" spam
In-Reply-To:
References: <201005071043.32009.steve@pearwood.info>
Message-ID:

On 5/7/2010 3:31 AM, Tarek Ziadé wrote:
> A spam is an unsolicited email you receive from someone you don't know,
> that tries to sell or promote a service or a product to make money.
> Softpedia qualifies in this definition.

I suspect that they would claim that the purpose of the email is only to afford you the opportunity to correct the info.
I have no idea if they really would make a change. In any case, by your definition, the unsolicited email would not be spam if the *site* did not have ads. Would you then not mind them?

>> If one uploads often, I see how the 'courtesy' letter could be annoying.
>
> Yes that's what happens to me. But well I am just going to drop it, it
> seems that I am alone thinking this should be prevented, and that
> Softpedia is a spammer :)

I think they are on the border, perhaps cleverly so, perhaps too cleverly. You could respond and say the writeup is ok, but that you frequently upload revisions and detest getting a notification each time they grab one and would they please put you on a list of authors not to email again.

Terry Jan Reedy

From jjl at pobox.com Sat May 8 20:19:18 2010
From: jjl at pobox.com (John J Lee)
Date: Sat, 8 May 2010 19:19:18 +0100 (BST)
Subject: [Catalog-sig] Uploading existing source distributions
Message-ID:

setup.py sdist builds project distributions (tarballs, zip files, eggs, ...), even if they're already built. I'd like to build source distributions, test them, then upload byte-for-byte identical source distributions to PyPI. However, the only way I know to upload zip files using the upload command involves also running sdist:

python setup.py sdist --formats=gztar,zip upload

Presumably that will cause sdist to rebuild the distributions, causing the md5sums to change (presumably due to timestamps).

Of course, it works OK to just rebuild source distributions with identical inputs after testing, but it's an annoyance that you can't just point setup.py upload at an already-built source distribution. Has anybody figured out how to do that? Or is there some other automated means of uploading existing source distributions to PyPI? The latter would need to set the appropriate metadata, as setup.py upload does, as well as uploading the files themselves.
John

From tdoman at novell.com Mon May 10 23:40:37 2010
From: tdoman at novell.com (Tom Doman)
Date: Mon, 10 May 2010 15:40:37 -0600
Subject: [Catalog-sig] Bug fixes\enhancements for PyTNEF
Message-ID: <4BE828F5020000E40000ED0C@sinclair.provo.novell.com>

To whom it may concern,

I have made some bug fixes and debug enhancements to the PyTNEF package I found here:

http://pypi.python.org/pypi/pytnef

It appears to be a relatively dead project, last uploaded 2006 but it appears to be hosted on google w/ updates as late as 2008. I have tried to contact the creator of this project w/o success but I would like to comply w/ the terms of the LGPL by posting my updates back to the same location. I realize it is not required under the terms of the LGPL but I'd like to follow a "best practice" and give the changes a proper home.

I'm brand new to this community and I haven't yet been able to determine how to submit an update especially when I can't get in touch w/ the maintainer. Can you help me w/ this procedure? I have only modified one python file in the entire package.

Thanks,
Tom Doman
Novell Inc.
tdoman at novell.com
(801)861-4397

From martin at v.loewis.de Tue May 11 03:48:57 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Tue, 11 May 2010 03:48:57 +0200
Subject: [Catalog-sig] Bug fixes\enhancements for PyTNEF
In-Reply-To: <4BE828F5020000E40000ED0C@sinclair.provo.novell.com>
References: <4BE828F5020000E40000ED0C@sinclair.provo.novell.com>
Message-ID: <4BE8B789.3070006@v.loewis.de>

> I'm brand new to this community and I haven't yet been able to determine
> how to submit an update especially when I can't get in touch w/ the
> maintainer. Can you help me w/ this procedure? I have only modified
> one python file in the entire package.

My recommendation: fork the code under a new name, and publish it under the new name as well.
Then, the original author may become aware and realize that you are serious about that (which he may doubt if you just announced your intents by email). Ideally, this ends with a public handover.

Regards,
Martin

From martin at v.loewis.de Fri May 14 19:59:09 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Fri, 14 May 2010 19:59:09 +0200
Subject: [Catalog-sig] Sorting and grouping by multilink properties disabled
Message-ID: <4BED8F6D.6050204@v.loewis.de>

While investigating the load hit on roundup, we found that Google somewhy issued queries that group by "nosy". "nosy" being a multilink property, the implementation is a really lame "download the entire database, sort in Python" approach.

Therefore, I have disabled sorting and grouping by multilink properties. If that causes problems, please let me know.

Regards,
Martin

From martin at v.loewis.de Fri May 14 20:01:53 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Fri, 14 May 2010 20:01:53 +0200
Subject: [Catalog-sig] Sorting and grouping by multilink properties disabled
In-Reply-To: <4BED8F6D.6050204@v.loewis.de>
References: <4BED8F6D.6050204@v.loewis.de>
Message-ID: <4BED9011.10402@v.loewis.de>

[oops, meant for a different mailing list]

Sorry,
Martin

From jcea at jcea.es Fri May 28 04:50:40 2010
From: jcea at jcea.es (Jesus Cea)
Date: Fri, 28 May 2010 04:50:40 +0200
Subject: [Catalog-sig] Renaming a pypi package
Message-ID: <4BFF2F80.8070605@jcea.es>

Hi, guys.

I am pretty sure this is a FAQ, and I am certain I have read other emails about this in the past, but I can't find any info online now. Silly me!

How can I rename a package in pypi? I would like to rename to something actually installable via "easy_install".

Suggestions about the new name? :)

Thanks!

--
Jesus Cea Avion
jcea at jcea.es - http://www.jcea.es/
jabber / xmpp:jcea at jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz

From martin at v.loewis.de Fri May 28 08:28:06 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Fri, 28 May 2010 08:28:06 +0200
Subject: [Catalog-sig] Renaming a pypi package
In-Reply-To: <4BFF2F80.8070605@jcea.es>
References: <4BFF2F80.8070605@jcea.es>
Message-ID: <4BFF6276.9020300@v.loewis.de>

> How can I rename a package in pypi?

Submit a support request to the PyPI bug tracker asking to rename it.

Alternatively, create a new package, release it, and delete the old package.

Regards,
Martin

From jcea at jcea.es Fri May 28 14:59:26 2010
From: jcea at jcea.es (Jesus Cea)
Date: Fri, 28 May 2010 14:59:26 +0200
Subject: [Catalog-sig] Renaming a pypi package
In-Reply-To: <4BFF6276.9020300@v.loewis.de>
References: <4BFF2F80.8070605@jcea.es> <4BFF6276.9020300@v.loewis.de>
Message-ID: <4BFFBE2E.2060005@jcea.es>

On 28/05/10 08:28, "Martin v. Löwis" wrote:
>> How can I rename a package in pypi?
>
> Submit a support request to the PyPI bug tracker asking to rename it.
>
> Alternatively, create a new package, release it, and delete the old
> package.

Thanks, Martin. I rather prefer the renaming, since I would like to keep the project history. How do you validate that the guy requesting the rename in the bug tracker is actually the owner?

BTW, messing around PyPI, I have found a rename option under "manage roles". Not sure what it does, it seems to be to rename packages inside the project, so not useful here.

I a

--
Jesus Cea Avion
jcea at jcea.es - http://www.jcea.es/
jabber / xmpp:jcea at jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz