Mailman 3 - pypi-announce

pip 20.3 release (heads-up for potential disruption)
by Sumana Harihareswara 30 Nov '20

30 Nov '20

On behalf of the Python Packaging Authority, I am pleased to announce that we have just released pip 20.3, a new version of pip. You can install it by running `python -m pip install --upgrade pip`. This is an important and disruptive release -- we explained why in a blog post last year https://pyfound.blogspot.com/2019/12/moss-czi-support-pip.html . We even made a video about it: https://www.youtube.com/watch?v=B4GQCBBsuNU . Blog post with details: https://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html Highlights include: * **DISRUPTION**: Switch to the new dependency resolver by default. Watch out for changes in handling editable installs, constraints files, and more: https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res… * **DEPRECATION**: Deprecate support for Python 3.5 (to be removed in pip 21.0) * **DEPRECATION**: pip freeze will stop filtering the pip, setuptools, distribute and wheel packages from pip freeze output in a future version. To keep the previous behavior, users should use the new `--exclude` option. * Support for PEP 600: Future ‘manylinux’ Platform Tags for Portable Linux Built Distributions. * Add support for MacOS Big Sur compatibility tags. The new resolver is now *on by default*. It is significantly stricter and more consistent when it receives incompatible instructions, and reduces support for certain kinds of constraints files, so some workarounds and workflows may break. Please see our guide on how to test and migrate, and how to report issues: https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res… . You can use the deprecated (old) resolver, using the flag `--use-deprecated=legacy-resolver`, until we remove it in the pip 21.0 release in January 2021. In pip 21.0 we will also remove support for Python 2.7. You can find more details (including deprecations and removals) in the changelog https://pip.pypa.io/en/stable/news/ , and you can find thank-yous and instructions on reporting issues at https://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html . Thank you, Sumana Harihareswara pip project manager Changeset Consulting https://changeset.nyc

1 0

upgrade to pip 20.2 -- plus changes coming in 20.3
by Sumana Harihareswara 30 Jul '20

30 Jul '20

On behalf of the Python Packaging Authority, I am pleased to announce the release of pip 20.2. Please upgrade for speed improvements, bug fixes, and better logging. You can install it by running python -m pip install --upgrade pip. We make major releases each quarter, so this is the first new release since 20.1 in April. NOTICE: This release includes the beta of the next-generation dependency resolver. It is significantly stricter and more consistent when it receives incompatible instructions, and reduces support for certain kinds of constraints files, so some workarounds and workflows may break. Please test it with the `--use-feature=2020-resolver` flag. Please see our guide on how to test and migrate, and how to report issues <https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res…>. The new dependency resolver is *off by default* because it is *not yet ready for everyday use*. For release highlights and thank-yous, please see <https://blog.python.org/2020/07/upgrade-pip-20-2-changes-20-3.html> . The full changelog is at <https://pip.pypa.io/en/stable/news/>. Future: We plan to make pip's next quarterly release, 20.3, in October 2020. We are preparing to change the default dependency resolution behavior and make the new resolver the default in pip 20.3. -- Sumana Harihareswara project manager for pip, on contract with Python Software Foundation Changeset Consulting, https://changeset.nyc

1 0

Upgrade to pip 20.1
by Sumana Harihareswara 01 May '20

01 May '20

On behalf of the Python Packaging Authority, I am pleased to announce that we have released a new version of pip, pip 20.1. Please upgrade for speed improvements and bugfixes. We make major releases each quarter, and so this is the first new release since 20.0.2 in January. To install pip 20.1, you can run: python -m pip install --upgrade pip For release highlights and thank-yous, please see https://blog.python.org/2020/04/pip-20-1-released.html . Future: In May, we aim to release a version of pip that includes a testable beta of the new dependency resolver: https://pyfound.blogspot.com/2020/03/new-pip-resolver-to-roll-out-this-year… . And we plan to make pip's next quarterly release in July 2020. best, Sumana Harihareswara project manager for pip, on contract with Python Software Foundation Changeset Consulting, https://changeset.nyc

1 0

Preview: Upcoming changes to PyPI BigQuery public dataset
by Ernest W. Durbin III 31 Mar '20

31 Mar '20

Hello! I’m looking for anyone how has built something interesting using the PyPI Big Query public dataset that’s documented at https://packaging.python.org/guides/analyzing-pypi-package-downloads/. There are some changes that are coming up that we’d like to preview for users that are actively using the dataset. If that’s you, send a note to bigquery-feedback(a)pypi.org with how you’ve been using the dataset. I’ll get back to you with information on the upcoming changes and will select a few projects to feature in the announcement of the new changes. -Ernest W. Durbin III Director of Infrastructure Python Software Foundation

1 0

Start using 2FA and API tokens on PyPI
by Sumana Harihareswara 18 Jan '20

18 Jan '20

Dear PyPI users: To increase the security of PyPI downloads, we have added two-factor authentication (2FA) as a login security option, and API tokens for uploading packages. If you maintain or own a project on the Python Package Index [pypi.org], you should start using these features. Click "help" on PyPI for instructions. See details, explanations, and screenshots in our blog post today: https://pyfound.blogspot.com/2020/01/start-using-2fa-and-api-tokens-on-pypi… A condensed explanation follows. 2FA: Two-factor authentication makes your account more secure by requiring two things in order to log in: something you know and something you own. In PyPI's case, "something you know" is your username and password, while "something you own" can be an application to generate a temporary code, or a security device (most commonly a USB key). PyPI's implementation of the WebAuthn standard means you can use any 2FA device that meets the FIDO standard. 2FA only affects logging in via a web browser, and not (yet) package uploads. API tokens: API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI. You can create a token for an entire PyPI account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project. That way, if a token is compromised, you can just revoke and recreate that token, instead of having to change your password in lots of automated processes. For more details and instructions, click "help" on PyPI, or go to: https://pypi.org/help/ These features are also available on Test PyPI. Future: In the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password, without a second factor). We do not yet know when we will make this policy change; when we decide on a timeline, we will announce the change on this list. Thanks to the Open Technology Fund for funding this work. More work is in progress on pip and PyPI -- see https://wiki.python.org/psf/PackagingWG . Please forward to other PyPI users, especially package maintainers. -Sumana Harihareswara on behalf of the PyPI team

1 0

PyPI two-factor auth (2FA) trial May 3-20
by Sumana Harihareswara 02 May '19

02 May '19

Dear PyPI users: To increase the security of PyPI downloads, we're beginning to introduce two-factor authentication (2FA) as a login security option, and want project maintainers and owners to start testing it. Starting this Friday, May 3rd, you'll be able to use 2FA on Test PyPI http://test.pypi.org/ . And if you'd like to try 2FA on official PyPI https://pypi.org , please fill out this Google form https://docs.google.com/forms/d/e/1FAIpQLSfRmXhkfAL-LgLfcMdzTG7iIaSwPo-pyzk… so we can invite you to the private beta, which we plan to hold 3-20 May. More details at https://wiki.python.org/psf/WarehousePackageMaintainerTesting . We expect to end this testing period on May 20th, then enable the optional 2FA feature for all PyPI users, and move on to working on WebAuthn support. Thanks to the Open Technology Fund for funding this work. More progress reports at https://wiki.python.org/psf/PackagingWG . -Sumana Harihareswara on behalf of the PyPI team

1 0

PyPI will no longer accept compromised passwords!
by Donald Stufft 14 Aug '18

14 Aug '18

I just wanted to give everyone a heads up that PyPI will no longer accept passwords that have been published in data breaches. For background you can take a look at https://github.com/pypa/warehouse/pull/4541 <https://github.com/pypa/warehouse/pull/4541>. For high level overview see https://pypi.org/help/#compromised-password <https://pypi.org/help/#compromised-password>. Finally if you have any trouble, please file an issue at https://github.com/pypa/warehouse/issues/new/choose <https://github.com/pypa/warehouse/issues/new/choose>.

1 0

Please make sure you've verified your PyPI account email address
by Sumana Harihareswara 20 Jul '18

20 Jul '18

Heads-up: if you have a pypi.org or test.pypi.org account, please verify your email address: https://pypi.org/manage/account/ https://test.pypi.org/manage/account/ Reason: > We have a problem with a bit of our data, namely that due to historical reasons we have a fair amount of users in the database that do not have a verified primary email address. The side effect of this is that we're currently sending emails to email addresses that we have not had verified. This is a bad situation to be in, because in order to keep our bounce/spam rate low, we should be confirming all email addresses before sending email to them. In addition the way our bounce handling code works is it un-verifies the email address, which the intent was to stop sending email to it until the user has reverified their email address. (quoting from Donald Stufft's explanation https://github.com/pypa/warehouse/issues/3632 which goes on to detail the step-by-step plan) We have over 180,000 user accounts with unverified primary email addresses. Since it's important that we don't send email to unverified addresses, we're gradually adding restrictions on what accounts with unverified primary addresses can do. As of a few days ago, any user whose primary email address is unverified can't upload a file: https://github.com/pypa/warehouse/pull/4292 Please forward to other PyPI users, especially package maintainers. -- Sumana Harihareswara on behalf of the PyPI team

1 0

legacy.pypi.org shut down, please use pypi.org
by sh＠changeset.nyc 30 Apr '18

30 Apr '18

We have sunset the original Python Package Index service, which was temporarily deployed at https://legacy.pypi.org . The new PyPI is at https://pypi.org . Browser and API calls to pypi.python.org will continue to redirect to pypi.org . If you have been using legacy.pypi.org directly, please start using pypi.org : https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating… If there is a feature that the new codebase does not support, you should file an issue at https://github.com/pypa/warehouse/issues as soon as possible. If you use JFrog Artifactory, please make sure you're running the latest version. Please see the guidance from JFrog https://jfrog.com/knowledge-base/why-am-i-not-able-to-connect-to-pypi-pytho… and full discussion of the issue https://github.com/pypa/warehouse/issues/3275 . Maintenance report on the sunsetting: https://status.python.org/incidents/ptvp1wnn0jmq Historical context and future plans: https://lwn.net/Articles/751458/ Sincerely, Sumana Harihareswara on behalf of the PyPI team

1 0

Pip 10.0 has been released
by Paul Moore 14 Apr '18

14 Apr '18

On behalf of the PyPA, I am pleased to announce that pip 10.0 has just been released. This release has been the culmination of many months of work by the community. To install pip 10.0, you can run python -m pip install --upgrade pip or use get-pip, as described in https://pip.pypa.io/en/latest/installing. If you are using a version of pip supplied by your distribution vendor, vendor-supplied upgrades will be available in due course (or you can use pip 10 in a virtual environment). (One minor issue with using get-pip on Windows - when you download get-pip.py, rename it to something that doesn't include "pip" in the name, such as "gp.py", as the standard name triggers a check in pip that aborts the run - this is being tracked in https://github.com/pypa/pip/issues/5219). Highlights of the new release: * Python 2.6 is no longer supported - if you need pip on Python 2.6, you should stay on pip 9, which is the last version to support Python 2.6. * Support for PEP 518, which allows projects to specify what packages they require in order to build from source. (PEP 518 support is currently limited, with full support coming in future versions - see the documentation for details). * Significant improvements in Unicode handling for non-ASCII locales on Windows. * A new "pip config" command. * The default upgrade strategy has become "only-if-needed" * Many bug fixes and minor improvements. In addition, the previously announced reorganisation of pip's internals has now taken place. Unless you are the author of code that imports the pip module (or a user of such code), this change will not affect you. If you are affected, please report the issue to the author of the offending code (refer them to https://mail.python.org/pipermail/distutils-sig/2017-October/031642.html for the details of the announcement). Thanks to everyone who put so much effort into the new release. Many of the contributions came from community members, whether in the form of code, participation in design discussions, or bug reports. The pip development team is extremely grateful to everyone in the community for their contributions. Thanks, Paul

1 0