`setup.py register` can't create PyPI account.
Hi. I wasn't able to make an account in PyPI using `setup.py register`. http://pypi.python.org/pypi?:action=register_form require 'I agree' checkbox, but `distutils/command/register.py` doesn't seem to send a 'agree' form key/value to the PyPI server. This problem occurs in the major python versions (include 2.7). This introduced for PyPI site by https://svn.python.org/packages/trunk/pypi/webui.py rev-690. regards. -- Takayuki SHIMIZUKAWA
On Sun, Jul 11, 2010 at 4:47 AM, Takayuki Shimizukawa <shimizukawa@gmail.com> wrote:
I wasn't able to make an account in PyPI using `setup.py register`.
The name of the "register" command is a little confusing. It's purpose is *not* to allow you to register yourself with PyPI, but to register package information with the site. You need to use the web interface to create your account. When using "setup.py register", you'll be asked to authenticate using the account you created via the web. -Fred -- Fred L. Drake, Jr. <fdrake at gmail.com> "A storm broke loose in my mind." --Albert Einstein
Hi Fred, 2010/7/12 Fred Drake <fdrake@acm.org>:
On Sun, Jul 11, 2010 at 4:47 AM, Takayuki Shimizukawa <shimizukawa@gmail.com> wrote:
I wasn't able to make an account in PyPI using `setup.py register`. -snip- You need to use the web interface to create your account. When using "setup.py register", you'll be asked to authenticate using the account you created via the web.
ok, I was able to make an account via the web interface. However, the usage of the register command is written on a manual (http://docs.python.org/distutils/packageindex.html), and many people will meet with the same problem by using the method. I think it is necessary to correct command/register.py or PyPI site. regards. -- Takayuki SHIMIZUKAWA
The name of the "register" command is a little confusing. [Its] purpose is *not* to allow you to register yourself with PyPI, but to register package information with the site.
According to the doc pointed to by Takayuki, it’s both. I’ll open a bug report against distutils and PyPI (if I find where to do that) if noone does it sooner. Regards
On Mon, Jul 12, 2010 at 7:07 AM, Takayuki Shimizukawa <shimizukawa@gmail.com> wrote:
However, the usage of the register command is written on a manual (http://docs.python.org/distutils/packageindex.html), and many people will meet with the same problem by using the method.
I guess it's been a long time since I've seen that menu! This does indicate a bug, which should be fixed. Part of the fix should include a test for PyPI that an account can be created using the interface invoked by distutils. -Fred -- Fred L. Drake, Jr. <fdrake at gmail.com> "A storm broke loose in my mind." --Albert Einstein
Am 12.07.2010 14:43, schrieb Fred Drake:
On Mon, Jul 12, 2010 at 7:07 AM, Takayuki Shimizukawa <shimizukawa@gmail.com> wrote:
However, the usage of the register command is written on a manual (http://docs.python.org/distutils/packageindex.html), and many people will meet with the same problem by using the method.
I guess it's been a long time since I've seen that menu!
This does indicate a bug, which should be fixed. Part of the fix should include a test for PyPI that an account can be created using the interface invoked by distutils.
That is not feasible. It might be necessary to break distutils again, for whatever reason. So I'd rather suggest to remove the "register user" functionality from distutils, and direct users to web signup. Regards, Martin
On Mon, Jul 12, 2010 at 11:22 PM, "Martin v. Löwis" <martin@v.loewis.de> wrote:
Am 12.07.2010 14:43, schrieb Fred Drake:
On Mon, Jul 12, 2010 at 7:07 AM, Takayuki Shimizukawa <shimizukawa@gmail.com> wrote:
However, the usage of the register command is written on a manual (http://docs.python.org/distutils/packageindex.html), and many people will meet with the same problem by using the method.
I guess it's been a long time since I've seen that menu!
This does indicate a bug, which should be fixed. Part of the fix should include a test for PyPI that an account can be created using the interface invoked by distutils.
That is not feasible. It might be necessary to break distutils again, for whatever reason. So I'd rather suggest to remove the "register user" functionality from distutils, and direct users to web signup.r
Why is that ? This used to work, IIRC. This is a regression on PyPI side (checkbox added afaik), and needs to be fixed. We could think about deprecating it maybe, but we cannot break all existing python versions with a change in the PyPI UI like that... Regards Tarek -- Tarek Ziadé | http://ziade.org
Why is that ? This used to work, IIRC. This is a regression on PyPI side (checkbox added afaik), and needs to be fixed.
How would you propose to fix this?
We could think about deprecating it maybe, but we cannot break all existing python versions with a change in the PyPI UI like that...
This happened several months ago, and nobody complained so far. So I don't consider it a serious problem. Regards, Martin
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>:
Why is that ? This used to work, IIRC. This is a regression on PyPI side (checkbox added afaik), and needs to be fixed.
How would you propose to fix this?
A quick hack is to look at the user agent (urllib2) and remove your checkbox in this case. A cleaner step would be to remove this and create a new UI page to register the users from within the web version, and change the human links in your web app.
We could think about deprecating it maybe, but we cannot break all existing python versions with a change in the PyPI UI like that...
This happened several months ago, and nobody complained so far. So I don't consider it a serious problem.
We have one complaint now, and I am complaining too. You cannot break existing software then say you don't consider this a "serious" problem because it's not widely used. Are you really expecting me to remove silently this feature from all python versions documentation and tell people it's not a serious problem ? -- Tarek Ziadé | http://ziade.org
Am 13.07.2010 00:15, schrieb Tarek Ziadé:
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>:
Why is that ? This used to work, IIRC. This is a regression on PyPI side (checkbox added afaik), and needs to be fixed.
How would you propose to fix this?
A quick hack is to look at the user agent (urllib2) and remove your checkbox in this case.
That would be unacceptable, because the question is then not being asked. Our legal counsel advised us that we must have such a checkbox, and offering a way to bypass it defeats its purpose.
A cleaner step would be to remove this and create a new UI page to register the users from within the web version, and change the human links in your web app.
This I don't understand. Is this essentially the same proposal: you don't get asked the question if you register through distutils?
We have one complaint now, and I am complaining too. You cannot break existing software then say you don't consider this a "serious" problem because it's not widely used.
Sure I can. If the PSF legal counsel tells me to make a change to PyPI, I don't question that order, not even if complying means to break some code.
Are you really expecting me to remove silently this feature from all python versions documentation and tell people it's not a serious problem ?
I think the whole notion of distutils being able to perform user registration is flawed. This already is clear when you consider that it actually *doesn't* register the user, but only initiates registration so that the user has to complete registration over the web. We might as well tell him to do the entire registration over the web. Regards, Martin
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>:
Am 13.07.2010 00:15, schrieb Tarek Ziadé:
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>:
Why is that ? This used to work, IIRC. This is a regression on PyPI side (checkbox added afaik), and needs to be fixed.
How would you propose to fix this?
A quick hack is to look at the user agent (urllib2) and remove your checkbox in this case.
That would be unacceptable, because the question is then not being asked. Our legal counsel advised us that we must have such a checkbox, and offering a way to bypass it defeats its purpose.
There's a difference between a legal decision and a technical backward compatibility issue. Your change in the PyPI UI has broken the register command in Distutils for Python 2.5 and onward. If this legal issue is to be applied to *all* existing Python version *immediatly*, we should create a security patch for all versions.
A cleaner step would be to remove this and create a new UI page to register the users from within the web version, and change the human links in your web app.
This I don't understand. Is this essentially the same proposal: you don't get asked the question if you register through distutils?
No, because this is how it works in Python 2.5, 2.6, 2.7, 3.1 Again, the command is now broken because you have added a checkbox in PyPI. This change is not a bad thing, don't get me wrong. But if you enforce it for all Python versions, you basically break this feature. The urllib2 user agent has the Python version in it. I suggest that you bypass this change, for all existing Python versions, and introduce it for Python 3.2
We have one complaint now, and I am complaining too. You cannot break existing software then say you don't consider this a "serious" problem because it's not widely used.
Sure I can. If the PSF legal counsel tells me to make a change to PyPI, I don't question that order, not even if complying means to break some code.
But the PSF didn't tell you to break existing Python versions. I think we need to find a better solution here.
Are you really expecting me to remove silently this feature from all python versions documentation and tell people it's not a serious problem ?
I think the whole notion of distutils being able to perform user registration is flawed. This already is clear when you consider that it actually *doesn't* register the user, but only initiates registration so that the user has to complete registration over the web. We might as well tell him to do the entire registration over the web.
Again, maybe it's flawed, and maybe we should remove it. But you cannot break this feature in Python 2.5, 26 etc.. because you find it flawed today. Regards Tarek -- Tarek Ziadé | http://ziade.org
Your change in the PyPI UI has broken the register command in Distutils for Python 2.5 and onward.
Correct. Actually, older versions are also broken, back to 2.3.
If this legal issue is to be applied to *all* existing Python version *immediatly*, we should create a security patch for all versions.
I disagree - that's not a security threat.
No, because this is how it works in Python 2.5, 2.6, 2.7, 3.1 Again, the command is now broken because you have added a checkbox in PyPI.
I fully understand that. However, changing PyPI to remove that checkbox under certain conditions is not an option.
This change is not a bad thing, don't get me wrong. But if you enforce it for all Python versions, you basically break this feature.
Correct.
The urllib2 user agent has the Python version in it. I suggest that you bypass this change, for all existing Python versions, and introduce it for Python 3.2
Unfortunately, that's just not acceptable.
But the PSF didn't tell you to break existing Python versions. I think we need to find a better solution here.
Sure. However, bypassing the checkbox is not an option. How about this: we issue a 401 error response, telling users to register over the web? IIUC, distutils will display this message.
Again, maybe it's flawed, and maybe we should remove it. But you cannot break this feature in Python 2.5, 26 etc.. because you find it flawed today.
And it's not the reason that I broke it. Instead, the reason is that the PSF required me to make the change. I didn't even remember that this would break distutils. Now that I think about it, I think it's distutils that needs to get fixed going forward. For backwards compatibility, I'm willing to accept solutions as long as they don't allow users to bypass that checkbox. Regards, Martin
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>: ...
Again, maybe it's flawed, and maybe we should remove it. But you cannot break this feature in Python 2.5, 26 etc.. because you find it flawed today.
And it's not the reason that I broke it. Instead, the reason is that the PSF required me to make the change. I didn't even remember that this would break distutils. Now that I think about it, I think it's distutils that needs to get fixed going forward. For backwards compatibility, I'm willing to accept solutions as long as they don't allow users to bypass that checkbox.
I understand why you did that change, and I understand the reasons. We also agree that Distutils needs to be fixed, and this is being worked out in Distutils2. But I strongly disagree that its better to break existing Python versions to comply with the PSF legal policy. I think this is a mistake, and I think it's acceptable to bypass that policy in distutils. That policy didn't exist back then, so it makes perfectly sense not to have it in Distutils. Furthermore, I would like if possible, that all changes in PyPI that may impact existing software, to be discussed, so we can be aware of such problems. (I am sending a mail to the PSF list, because I would like to defend my opinion for the legal aspect) Regards Tarek
Regards, Martin
-- Tarek Ziadé | http://ziade.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tarek Ziadé wrote:
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>: ...
Again, maybe it's flawed, and maybe we should remove it. But you cannot break this feature in Python 2.5, 26 etc.. because you find it flawed today. And it's not the reason that I broke it. Instead, the reason is that the PSF required me to make the change. I didn't even remember that this would break distutils. Now that I think about it, I think it's distutils that needs to get fixed going forward. For backwards compatibility, I'm willing to accept solutions as long as they don't allow users to bypass that checkbox.
I understand why you did that change, and I understand the reasons. We also agree that Distutils needs to be fixed, and this is being worked out in Distutils2.
But I strongly disagree that its better to break existing Python versions to comply with the PSF legal policy. I think this is a mistake, and I think it's acceptable to bypass that policy in distutils. That policy didn't exist back then, so it makes perfectly sense not to have it in Distutils.
The breakage you are talking about here is only for an *extremely rare* case: a user rund 'setup.py register' without having first created an account through the web UI. I think Martin is right, and that the fact that it used to work was an undocumented misfeature (even a security hole). Forcing people to register through the web in order to keep the usage license enforced is a valid requirement: you can't just wish it away by saying "We didn't use to have to do that." Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkw7tAEACgkQ+gerLs4ltQ6NKgCgsE7+kOdMghuqSiI38Voq3cUH WW4AoKyx35Cbr+zEtZZ1JPYSHvSJA8Ir =yPiO -----END PGP SIGNATURE-----
On Tue, Jul 13, 2010 at 2:32 AM, Tres Seaver <tseaver@palladion.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Tarek Ziadé wrote:
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>: ...
Again, maybe it's flawed, and maybe we should remove it. But you cannot break this feature in Python 2.5, 26 etc.. because you find it flawed today. And it's not the reason that I broke it. Instead, the reason is that the PSF required me to make the change. I didn't even remember that this would break distutils. Now that I think about it, I think it's distutils that needs to get fixed going forward. For backwards compatibility, I'm willing to accept solutions as long as they don't allow users to bypass that checkbox.
I understand why you did that change, and I understand the reasons. We also agree that Distutils needs to be fixed, and this is being worked out in Distutils2.
But I strongly disagree that its better to break existing Python versions to comply with the PSF legal policy. I think this is a mistake, and I think it's acceptable to bypass that policy in distutils. That policy didn't exist back then, so it makes perfectly sense not to have it in Distutils.
The breakage you are talking about here is only for an *extremely rare* case: a user rund 'setup.py register' without having first created an account through the web UI. I think Martin is right, and that the fact that it used to work was an undocumented misfeature (even a security hole).
It's not extremely rare. You do it just once that is. I've documented that feature in several books, as the first step when you do your first package registration. Tarek -- Tarek Ziadé | http://ziade.org
Am 13.07.2010 03:23, schrieb Greg Ewing:
Martin v. Löwis wrote:
For backwards compatibility, I'm willing to accept solutions as long as they don't allow users to bypass that checkbox.
If the user is required to visit a web page to complete the registration, could you put the check box on *that* page instead?
That might also work; I'd have to check with the lawyer whether there are any problems with such a change. Regards, Martin
On Tue, Jul 13, 2010 at 8:37 AM, "Martin v. Löwis" <martin@v.loewis.de> wrote:
Am 13.07.2010 03:23, schrieb Greg Ewing:
Martin v. Löwis wrote:
For backwards compatibility, I'm willing to accept solutions as long as they don't allow users to bypass that checkbox.
If the user is required to visit a web page to complete the registration, could you put the check box on *that* page instead?
That might also work; I'd have to check with the lawyer whether there are any problems with such a change.
Great ! Can you point me to the discussion that took place, to set up this feature ? I cannot find it in the archives,
Regards, Martin _______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig
-- Tarek Ziadé | http://ziade.org
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>:
Am 13.07.2010 03:23, schrieb Greg Ewing:
Martin v. Löwis wrote:
For backwards compatibility, I'm willing to accept solutions as long as they don't allow users to bypass that checkbox.
If the user is required to visit a web page to complete the registration, could you put the check box on *that* page instead?
That might also work; I'd have to check with the lawyer whether there are any problems with such a change.
It's a good news! If this problem will be solved by that policy, I come to be able to teach the developers Distutils according to current documents.
Regards, Martin
Regards, -- Takayuki SHIMIZUKAWA
That might also work; I'd have to check with the lawyer whether there are any problems with such a change.
It's a good news!
If this problem will be solved by that policy, I come to be able to teach the developers Distutils according to current documents.
Please teach them to use a web browser to register instead. Regards, Martin
On Tue, Jul 13, 2010 at 10:39 PM, "Martin v. Löwis" <martin@v.loewis.de> wrote:
That might also work; I'd have to check with the lawyer whether there are any problems with such a change.
It's a good news!
If this problem will be solved by that policy, I come to be able to teach the developers Distutils according to current documents.
Please teach them to use a web browser to register instead.
No. If the fix Greg proposed is accepted by The PSF, this feature will work again and you will be able to use it again. It worked perfectly fine before the change. Martin, if you want to remove some feature from Distutils, make a proposal. But you can't decide on your own that a feature in a project maintained by a bunch of other people, has to go. Tarek -- Tarek Ziadé | http://ziade.org
No. If the fix Greg proposed is accepted by The PSF, this feature will work again and you will be able to use it again. It worked perfectly fine before the change.
Martin, if you want to remove some feature from Distutils, make a proposal.
But you can't decide on your own that a feature in a project maintained by a bunch of other people, has to go.
Van Lindberg has approved the change. However, I won't have time to implement it in a foreseeable future. Can you provide a patch? Regards, Martin
Le 14/07/2010 07:48, "Martin v. Löwis" a écrit :
Van Lindberg has approved the change. However, I won't have time to implement it in a foreseeable future. Can you provide a patch?
I looked at the code and asked for help in catalog-sig: http://mail.python.org/pipermail/catalog-sig/2010-July/003131.html Regards
On Monday, July 12, 2010 04:15:26 pm Tarek Ziadé wrote:
2010/7/13 "Martin v. Löwis" <martin@v.loewis.de>:
Why is that ? This used to work, IIRC. This is a regression on PyPI side (checkbox added afaik), and needs to be fixed.
How would you propose to fix this?
A quick hack is to look at the user agent (urllib2) and remove your checkbox in this case. A cleaner step would be to remove this and create a new UI page to register the users from within the web version, and change the human links in your web app.
There is the problem, then, of updating the client software (distutils) to perform the function for why the checkbox was added in the first place. It is possible that the checkbox was added in response to legal issues (just guessing, as it happened around the same time as other legal questions). Then, IMO, it is required to break (or update) existing client code.
We could think about deprecating it maybe, but we cannot break all existing python versions with a change in the PyPI UI like that...
You need to know the reason for the addition before coming to conclusions.
Are you really expecting me to remove silently this feature from all python versions documentation and tell people it's not a serious problem ?
If lawyers are involved, there is little to be done. Jeremy Kloth
I wasn't able to make an account in PyPI using `setup.py register`.
http://pypi.python.org/pypi?:action=register_form require 'I agree' checkbox, but `distutils/command/register.py` doesn't seem to send a 'agree' form key/value to the PyPI server.
This problem occurs in the major python versions (include 2.7).
This introduced for PyPI site by https://svn.python.org/packages/trunk/pypi/webui.py rev-690.
Hi Takayuki, Georg Brandl has now fixed the problem in r823. Regards, Martin
2010/7/26 "Martin v. Löwis" <martin@v.loewis.de>:
I wasn't able to make an account in PyPI using `setup.py register`.
http://pypi.python.org/pypi?:action=register_form require 'I agree' checkbox, but `distutils/command/register.py` doesn't seem to send a 'agree' form key/value to the PyPI server.
This problem occurs in the major python versions (include 2.7).
This introduced for PyPI site by https://svn.python.org/packages/trunk/pypi/webui.py rev-690.
Hi Takayuki,
Georg Brandl has now fixed the problem in r823.
Regards, Martin
I confirmed it. Thanks! -- Takayuki SHIMIZUKAWA
participants (8)
-
"Martin v. Löwis" -
Fred Drake -
Greg Ewing -
Jeremy Kloth -
Takayuki Shimizukawa -
Tarek Ziadé -
Tres Seaver -
Éric Araujo