Hi,
Python 3.5 entered security-fix-only mode. Should we now remove the
"needs backport to 3.5" label? The other security-only branches (3.3 and
3.4) don't have this label either.
Victor
Recently I received 20 one-year licenses from JetBrains for the PyCharm IDE (Professional) and other JetBrains products (the licenses cover their "All Products Pack") for use in Python development. There are 11 licenses available - of the licenses I asked for last year, nine people took them up, so those are in use and come out of the allocation of 20.
Those of you who took up the licences last time should find that the tools continue to work normally. The licences expire on 27 November 2018.
If any others of you are interested in using these licenses, let me know off-list and I will forward the license access details to you. To access the licenses, you will need to have (or create) a JetBrains account.
Regards,
Vinay Sajip
Hi,
I identified some active contributors and I would like to offer them
the "bug triage" permission. What are the requirements to give
such permissions to someone?
On my "Different stages of core developers" "ladder", it's the 3rd
stage ("step"?):
http://cpython-core-tutorial.readthedocs.io/en/latest/what_is_a_cpython_cor…
Requirements to become a core developer (get the "commit bit") are now
written down:
http://cpython-core-tutorial.readthedocs.io/en/latest/what_is_a_cpython_cor…
It would be nice to write down requirements to get the bug triage permission.
IMHO the requirements are quite low:
* at least one commit merged in Python
* signed the CLA
* be nice and respectful
* don't close a bug if it's not well understood, to not "lose"
information (closed bugs are ignored in search by default, and hidden
from the main page).
Did it happen in the past that we removed the bug triage permission from
someone who abused this power?
Maybe we can give some guidelines on how to behave on the bug tracker?
Responsibilities for the bug tracker:
* Request more information if a report is incomplete
* Ping original reporters if they don't reply
* Adjust Python version, component, bug type, etc.
* Rewrite the issue title if needed
* Close duplicated bugs as DUPLICATE
* Close irrelevant bugs as NOTABUG
The exact behaviour on the bug tracker is not specified. For example,
when someone asks for help on code, I close the issue and suggest to
use a different forum to get help, without giving examples of forums
(since I simply don't know them :-)).
When the reported issue describes legitimate Python behaviour, I try to
explain the rationale of the behaviour before closing the issue as
"not a bug".
Sometimes I'm just tired of the 4th bug report on a "floating point
rounding issue" and just give the link to the FAQ without explaining
anything.
Devguide §Helping Triage Issues
https://devguide.python.org/tracker/#helptriage
Victor
Hi,
On 12 February 2017, I got an email from Bitbucket: "we detected a
suspicious login to your Bitbucket Cloud account. We believe that a
malicious actor used a large database of usernames and passwords
stolen from third party services to access Bitbucket Cloud accounts.
We can't know exactly how your password was first compromised, however
it was not caused by Atlassian."
Wow. That's huge for me:
* I was using the same password for almost all services (except for
Gmail): GitHub, Bitbucket, a lot of web services. In terms of security,
that's "bad". I know... but it is convenient...
* I had a few different passwords that I stored in clear text in a text
file which was hosted on a private repository on... Bitbucket
While *now* I'm quite sure that the hacker only succeeded in logging in but
didn't notice my password file, it was a good "opportunity" to upgrade
my security...
By the way, I suggest you subscribe to https://haveibeenpwned.com/
which is a service to be notified if one of the services that you are
using has been "pwned".
Using victor.stinner(a)gmail.com you can see "Breaches you were pwned
in: Dailymotion (October 2016) and GeekedIn (August 2016)". (There is
also a pastebin with my email, but it's just statistics on Mercurial,
nothing sensitive :-))
The question is no longer whether you have been hacked, but how much time
you have before one of the services that you are using will be
hacked... haveibeenpwned.com only references a few breaches that have
been made public...
It was an electric shock for me. I immediately changed the password of
the most critical services for me: GitHub, Bitbucket and many others.
I generated a random password of 10+ characters (using KeePassX). I
started to use the KeePassX password manager to stop storing passwords in
clear text, with a master passphrase to encrypt all these passwords.
I also acquired a Yubikey Nano. It's $50. You may think that it's
expensive. But the question is more: how much do you value all the
data on all your computers? Less than $50, seriously? :-)
The next step was to enable 2-factor authentication on GitHub and Bitbucket:
* Configure the yubikey to generate an OTP for GitHub (for "long
press" on the key)
* Firefox: install
https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/ to use
Yubikey with GitHub (sadly, the plugin doesn't work with Bitbucket nor
Google yet)
* Enable 2-factor auth on GitHub and Bitbucket using Yubikey
* Print two-step recovery codes on paper and keep them safe somewhere
If you cannot afford a Yubikey, or don't want to or cannot use it, you may want
to use FreeOTP: a free OTP application for smartphones (I'm using it on
Android), usable with GitHub, Bitbucket, Google, etc. It's not
exclusive, you can have multiple 2-factor keys (Yubikey, FreeOTP,
something else).
Oh, my explanation makes the assumption that you all already enabled
2-factor auth on your email, right? :-) If you weren't aware: email is
simply the *most* critical part of your whole online data. If a hacker
gets access to your email, you have already lost all your online
accounts...
For Gmail users: you may have a look at
https://myaccount.google.com/security as well. Maybe remove old
services that have access to your Google account?
After the hack, I also generated a new SSH key, even if it wasn't
stored online and is encrypted by a passphrase. Just because I had been
using the same key for many years. I chose to use the new modern
ed25519 key format. It uses an elliptic curve rather than RSA; it's a
different kind of security. While I don't know if it's more secure, I
read that it's faster :-)
https://en.wikipedia.org/wiki/EdDSA
I was able to use this new key format on all services... except Launchpad.
Changing a private SSH key isn't easy:
* You have to install the new SSH key on most services that you are using
* You have to manually remove the old SSH key from *all* services that
you are using (there is no global "SSH revocation" service...)
* I used ~/.ssh/known_hosts to get most services, but also updated
GitHub, Bitbucket, etc.
* There are a few other services like psf-salt/psf-chef where you may
also want to see your SSH key updated
* The question is then whether the old SSH key must be removed... the
problem is that I never tried to keep track of services that I'm using
through SSH, so I decided to keep the old SSH key (outside ~/.ssh). In
practice, I have been using only my new SSH private key for more than 6 months
and I was never blocked.
I also had trouble getting a working SSH agent on GNOME for my ed25519
key, but I succeeded in enabling the regular ssh-agent using systemd
--user. Tell me if you want instructions for this part as well.
Victor
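Two steps of the key rotation Victor describes above are tedious by hand: listing every host you have ever connected to (each one may still hold the old public key, since there is no global revocation) and telling the old key from the new one in a service's key settings, where GitHub and Bitbucket show SHA256 fingerprints. The script below is an added example, not code from Victor's post or from CPython. It parses known_hosts entries (including the hashed form, which cannot be reversed), parses the OpenSSH public-key blob format, and computes the OpenSSH-style SHA256 fingerprint. The known_hosts lines and the "key" (32 deterministic bytes) are constructed sample data, not real key material.

```python
"""Audit ~/.ssh/known_hosts and fingerprint OpenSSH public keys.

Added example, not from the original post.  All key material and known_hosts
lines below are constructed sample data.
"""
import base64
import hashlib
import ipaddress
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': big-endian uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str):
    """Split a 'type base64-blob [comment]' line into (key_type, blob fields).

    The blob is a sequence of SSH strings whose first element repeats the key
    type (e.g. b'ssh-ed25519'); for ed25519 the second element is the 32-byte
    public key.  Raises ValueError on truncated or inconsistent input.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated SSH string length")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated SSH string payload")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type prefix does not match blob")
    return key_type, fields


def sha256_fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    parse_openssh_pubkey(line)              # reject malformed blobs first
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entries(text: str):
    """Yield (hosts, key_type) for each known_hosts line.

    hosts is a tuple of the comma-separated names/addresses ('[host]:port'
    for non-default ports), or None for hashed entries ('|1|salt|hash',
    written when HashKnownHosts is on): those cannot be reversed, so the
    service has to be recovered from memory or shell history instead.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # '@cert-authority' / '@revoked'
            line = line.split(None, 1)[1]
        hosts_field, key_type = line.split()[:2]
        if hosts_field.startswith("|1|"):
            yield None, key_type
        else:
            yield tuple(hosts_field.split(",")), key_type


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def hosts_to_revisit(text: str):
    """Return (sorted host names, number of hashed entries).

    Bare IP addresses are dropped: they duplicate the name on the same line
    and are not where the key is managed.
    """
    hosts, hashed = set(), 0
    for entry, _ in known_hosts_entries(text):
        if entry is None:
            hashed += 1
        else:
            hosts.update(h for h in entry if not _is_ip(h))
    return sorted(hosts), hashed


# Constructed sample data: 32 deterministic bytes stand in for a public key.
SAMPLE_ED25519_B64 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
SAMPLE_PUBKEY_LINE = "ssh-ed25519 %s victor@laptop (constructed)" % SAMPLE_ED25519_B64
SAMPLE_KNOWN_HOSTS = """\
# constructed sample known_hosts
github.com,140.82.121.4 ssh-ed25519 %s
[git.example.org]:2222 ssh-rsa %s
|1|c2FsdA==|aGFzaA== ssh-ed25519 %s
""" % (SAMPLE_ED25519_B64,
       base64.b64encode(b"constructed rsa blob").decode(),
       SAMPLE_ED25519_B64)

if __name__ == "__main__":
    print("new key fingerprint:", sha256_fingerprint(SAMPLE_PUBKEY_LINE))
    names, hashed = hosts_to_revisit(SAMPLE_KNOWN_HOSTS)
    print("hosts to revisit:", ", ".join(names))
    print("hashed entries (find these by other means):", hashed)
```

Run it against your own files with `sha256_fingerprint(open("~/.ssh/id_ed25519.pub").read())` and `hosts_to_revisit(open("~/.ssh/known_hosts").read())` (expanding `~` first); compare the printed fingerprint with the one each service lists to know which entry is the old key to delete.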
Hi,
Do we have a contact over at Travis-CI? Their Linux build
infrastructure has become crazily slow lately, something is clearly
going wrong.
Regards
Antoine.
Hi,
I'm starting to organize my travel to Cleveland for PyCon US 2018. I
would like to know when the Python Language Summit will be, to be able
to decide how many nights I will stay. The hotel is usually a huge
part of the budget.
https://us.pycon.org/2018/
May 9,10: Tutorials
May 11-13: Talks
May 14-17: Sprints
My preference would be to skip the two tutorial days, so organize the
language summit after the talks. But it is also interesting to have
the summit before the talks, so we can have more time to discuss proposed
ideas... Maybe the best would be to organize the summit on Thursday
afternoon (May 10)?
Victor
On behalf of the Python development community and the Python 3.6
release team, I am happy to announce the availability of Python 3.6.4,
the fourth maintenance release of Python 3.6. Detailed information
about the changes made in 3.6.4 can be found in the change log here:
https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-4-final
Please see "What’s New In Python 3.6" for more information about the
new features in Python 3.6:
https://docs.python.org/3.6/whatsnew/3.6.html
You can download Python 3.6.4 here:
https://www.python.org/downloads/release/python-364/
The next maintenance release of Python 3.6 is expected to follow in
about 3 months, around the end of 2018-03. More information about the
3.6 release schedule can be found here:
https://www.python.org/dev/peps/pep-0494/
Enjoy!
--
Ned Deily
nad(a)python.org
Hello,
It seems AppVeyor builds (and generally Windows builds) have been broken
for some time with a failure in test_distutils:
https://ci.appveyor.com/project/python/cpython/build/3.7.0a0.9471#L2040
======================================================================
ERROR: test_get_exe_bytes (distutils.tests.test_bdist_wininst.BuildWinInstTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
File "C:\projects\cpython\lib\distutils\tests\test_bdist_wininst.py", line 24, in test_get_exe_bytes
exe_file = cmd.get_exe_bytes()
File "C:\projects\cpython\lib\distutils\command\bdist_wininst.py", line 361, in get_exe_bytes
f = open(filename, "rb")
FileNotFoundError: [Errno 2] No such file or directory: 'C:\\projects\\cpython\\lib\\distutils\\command\\wininst-14.12.exe'
----------------------------------------------------------------------
Regards
Antoine.
Hi, python-committers!
That's huge, for me, to receive this notification: "You're now a core developer, congratulations!" Thanks everyone here!
And wow, your messages in your votes to bring me in are heartwarming. As I said yesterday, they validate, again and again, the ancient adage "Come for the language, stay for the community".
--
Julien Palard
https://mdk.fr