Mailman 3 December 2017 - python-committers

GitHub: remove the "needs backport to 3.5" label?
by Victor Stinner 20 Aug '19

20 Aug '19

Hi, Python 3.5 entered security fix only mode. Should we now remove the "needs backport to 3.5" label? Other security only branches don't have this label neither (3.3 and 3.4). Victor

6 11

Licences for PyCharm and other JetBrains products
by Vinay Sajip 17 Dec '18

17 Dec '18

Recently I received 20 one-year licenses from JetBrains for the PyCharm IDE (Professional) and other JetBrains products (the licenses cover their "All Products Pack") for use in Python development. There are 11 licenses available - of the licenses I asked for last year, nine people took them up, so those are in use and come out of the allocation of 20. Those of you who took up the licences last time should find that the tools continue to work normally. The licences expire on 27 November 2018. If any others of you are interested in using these licenses, let me know off-list and I will forward the license access details to you. To access the licenses, you will need to have (or create) a JetBrains account. Regards, Vinay Sajip

2 1

Requirements to get the "bug triage" permission?
by Victor Stinner 25 Jan '18

25 Jan '18

Hi, I identified some active contributors and I would like to offer them to get the "bug triage" permission. What's the requirements to give such permissions to someone? On my "Different stages of core developers" "lader", it's the 3rd stage ("step"?): http://cpython-core-tutorial.readthedocs.io/en/latest/what_is_a_cpython_cor… Requirements to become a core developer (get the "commit bit") are now written down: http://cpython-core-tutorial.readthedocs.io/en/latest/what_is_a_cpython_cor… It would be nice to write down requirements to get the bug triage permission. IMHO the requirements are quite low: * at least one commit merged in Python * signed the CLA * be nice and respectful * don't close a bug if it's not well understood to not "loose" information (closed bugs are ignored in search by default, and hidden from the main page). Did it happen in the past that we removed the bug triage permission to someone who abused this power? Maybe we can give some guide lines on how to behave on the bug tracker? Responsability for bug tracker: * Request more information if a report is incomplete * Ping original reporters if they don't reply * Adjust Python version, component, bug type, etc. * Rewrite the issue title if needed * Close duplicated bugs as DUPLICATE * Close irrevelant bugs as NOTABUG The exact behaviour on the bug tracker is not specified. For example, when someone asks for help on code, I close the issue and suggest to use a different forum to get help, without giving examples of forums (since I simply don't know them :-)). When the reported issue described a legit Python behaviour, I try to explain the rationale of the behaviour before closing the issue as "not a bug". Sometimes I'm just tired of the 4th bug report on "floating point rouding issue" and just give the link to the FAQ without explaining anything. Devguide §Helping Triage Issues https://devguide.python.org/tracker/#helptriage Victor

9 21

Security: please enable 2-factor authentication on GitHub and your email
by Victor Stinner 07 Jan '18

07 Jan '18

Hi, On 12 February 2017, I got an email from Bitbucket: "we detected a suspicious login to your Bitbucket Cloud account. We believe that a malicious actor used a large database of usernames and passwords stolen from third party services to access Bitbucket Cloud accounts. We can't know exactly how your password was first compromised, however it was not caused by Atlassian." Wow. That's huge for me: * I was using the same password for almost all services (except of Gmail): GitHub, Bitbucket, a lot of web services. In term of security, that's "bad". I know... but it is convenient... * I had a few different password that I stored in clear text in a text file which was hosted on a private repository on... Bitbucket While *now* I'm quite sure that the hacker only succeed to log in but didn't notice my password file, it was a good "opportunity" to upgrade my security... By the way, I suggest you to subscribe to https://haveibeenpwned.com/ which is a service to be notified if one of the service that you are using have seen "pwned". Using victor.stinner(a)gmail.com you can see "Breaches you were pwned in: Dailymotion (october 2016) and GeekedIn (August 2016)". (There is also a pastebin with my email, but it's just statistics on Mercurial, nothing sensitive :-)) The question is no more if you have been hacked, but how much time do you have before one of the services that you are using will be hacked... haveibeenpwned.com only reference a few breaches that has been made public... It was an electric shock for me. I immediately changed the password of the most critical services for me: GitHub, Bitbucket and many others. I generated a random password of +10 characters (using KeePassX). I started to use KeePassX password manager to stop storing passwords in clear text, with a master passphrase to encrypt all these passwords. I also acquired a Yubikey Nano. It's 50$. You may think that it's expensive. But the question is more how much do you estimate all your data of all your computers? Less than 50$, seriously? :-) The next step was to enable 2-factor authentication on GitHub and Bitbucket: * Configure the yubikey to generate an OTP for GitHub (for "long press" on the key) * Firefox: install https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/ to use Yubikey with GitHub (sadly, the plugin doesn't work with Bitbucket nor Google yet) * Enable 2-factor auth on GitHub and Bitbucket using Yubikey * Print two-step recoverty codes on paper and keep it safe somewhere If you cannot affort a Yubikey, don't or cannot use it, you may want to use FreeOTP: free OTP application for a smartphone (I'm using it on Android), usable with GitHub, Bitbucket, Google, etc. It's not exclusive, you can have multiple 2-factor keys (Yubikey, FreeOTP, something else). Oh, my explanation makes the assumption that you all already enabled 2-factor auth on your email, right? :-) If you wasn't aware: email is simply the *most* critical part of your whole online data. If a hacker gets access to your email, you already lost all your online accounts... For Gmail users: you may have a look at https://myaccount.google.com/security as well. Maybe remove old services that have access to your Google account? After the hack, I also generated a new SSH key, even if it wasn't stored online and is encrypted by a passphrase. Just because I was using the same key since many years. I chose to use the new modern ed25519 key format. It uses an elliptic curve rather than RSA, it's a different kind of security. While I don't know if it's more secure, I read that it's faster :-) https://en.wikipedia.org/wiki/EdDSA I was able to use this new key formats on all services... except Launchpad. Changing a private SSH key isn't easy: * You have to install the new SSH on most services that you are using * You have to manually remove the old SSH key from *all* services that you are using (there is no global "SSH revokation" service...) * I used ~/.ssh/known_hosts to get most services, but also updated GitHub, Bitbucket, etc. * There are a few other services like psf-salt/psf-chef where you may also want to see your SSH key updated * The question is then if the old SSH key must be removed... the problem is that I never tried to keep track of services that I'm using through SSH, so I decided to keep the old SSH key (outside ~/.ssh). In practice, I'm only using my new SSH private since longer than 6 months and I was never blocked. I also had trouble to get working SSH agent on Gnome for my ed25519 key, but I succeeded to enable the regular ssh-agent using systemd --user. Tell me if you want instructions for this part as well. Victor

17 56

Travis-CI breakdown
by Antoine Pitrou 01 Jan '18

01 Jan '18

Hi, Do we have a contact over at Travis-CI? Their Linux build infrastructure has become crazily slow lately, something is clearly going wrong. Regards Antoine.

2 2

Date of the Python Language Summit?
by Victor Stinner 19 Dec '17

19 Dec '17

Hi, I'm starting to organize my travel to Cleveland for Pycon US 2018. I would like to know when will be the Python Language Summit to be able to decide how many nights I will stay. The hotel is usually a huge part of the budget. https://us.pycon.org/2018/ May 9,10: Tutorials May 11-13: Talks May 14-17: Sprints My preference would be to skip the two tutorial days, so organize the language summit after the talks. But it is also interesting to have the summit before talks, so we can have more time to discuss proposed ideas... Maybe the best would be the organizee the summut Thursday afternoon (May 10)? Victor

2 1

[RELEASE] Python 3.6.4 is now available
by Ned Deily 19 Dec '17

19 Dec '17

On behalf of the Python development community and the Python 3.6 release team, I am happy to announce the availability of Python 3.6.4, the fourth maintenance release of Python 3.6. Detailed information about the changes made in 3.6.4 can be found in the change log here: https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-4-final Please see "What’s New In Python 3.6" for more information about the new features in Python 3.6: https://docs.python.org/3.6/whatsnew/3.6.html You can download Python 3.6.4 here: https://www.python.org/downloads/release/python-364/ The next maintenance release of Python 3.6 is expected to follow in about 3 months, around the end of 2018-03. More information about the 3.6 release schedule can be found here: https://www.python.org/dev/peps/pep-0494/ Enjoy! -- Ned Deily nad(a)python.org -- []

1 0

Julien Palard not seen as a core dev on the bug tracker
by Victor Stinner 18 Dec '17

18 Dec '17

Hi, Julien Palard has been promoted as a core developer at December 8th: https://devguide.python.org/developers/#permissions-history But he is still not seen as a core dev on the bug tracker: https://bugs.python.org/user23063 His nick name is "mdk". Can someone please fix his bpo account? Devguide: https://devguide.python.org/coredev/#issue-tracker Victor

2 3

AppVeyor builds broken
by Antoine Pitrou 14 Dec '17

14 Dec '17

Hello, It seems AppVevor builds (and generally Windows builds) have been broken for some time with a failure in test_distutils: https://ci.appveyor.com/project/python/cpython/build/3.7.0a0.9471#L2040 ====================================================================== ERROR: test_get_exe_bytes (distutils.tests.test_bdist_wininst.BuildWinInstTestCase) ---------------------------------------------------------------------- Traceback (most recent call last): File "C:\projects\cpython\lib\distutils\tests\test_bdist_wininst.py", line 24, in test_get_exe_bytes exe_file = cmd.get_exe_bytes() File "C:\projects\cpython\lib\distutils\command\bdist_wininst.py", line 361, in get_exe_bytes f = open(filename, "rb") FileNotFoundError: [Errno 2] No such file or directory: 'C:\\projects\\cpython\\lib\\distutils\\command\\wininst-14.12.exe' ---------------------------------------------------------------------- Regards Antoine.

3 2

Saying hello as a new core dev
by Julien Palard 13 Dec '17

13 Dec '17

Hi, python-committers! That's huge, for me, to receive this notification "Your now a core developer, congratulations!" thanks everyone here! And waw, your messages in your votes to bring me in are heartwarming, as I said yesterday they validate, again and again, the ancient adage "Come for the language, stay for the community". -- Julien Palard https://mdk.fr

3 2