If you've ever had your password eaten by our Trac instance, had your comment rejected by spambayes, or seen the amount of effort it takes removing random nulls from our htpasswd files, rejoice! With https://github.com/twisted-infra/braid/pull/192 , we are moving our Trac instance to log in using GitHub OAuth. This should mean we solve the issue of keeping passwords (making you and us more secure), being able to turn off the spam filter (as we don't have anonymous ticket submittal, and github is better at catching spammers than we are), and hopefully cause less ongoing issues with passwords suddenly not working.
What this means for you is that your username and password will no longer work for logging into our Trac, you will need to authorise your GitHub login to access it. This means that you may have another username, please contact me privately and I will see what I can do about migrating any ticket histories over, if you feel like it is needed.
I'd like to announce a prerelease of the upcoming Twisted 16.1.1, a patch release for Twisted 16.1. This fixes a regression in twisted.web where requests would not be logged.
The tarball and NEWS file can be found at https://twistedmatrix.com/Releases/pre/16.1.1pre1/ . Please test this release with your software.
If no issues are found, it will be released in a day or two.
Twisted Release Manager
On behalf of Twisted Matrix Laboratories, I am honoured to announce the release of Twisted 16.1!
This release is hot off the heels of 16.0 released last month, including some nice little tidbits. The highlights include:
- twisted.application.internet.ClientService, a service that maintains a persistent outgoing endpoint-based connection -- a replacement for ReconnectingClientFactory that uses modern APIs;
- A large (77% on one benchmark) performance improvement when using twisted.web's client on PyPy;
- A few conch modules have been ported to Python 3, in preparation for further porting of the SSH functionality;
- Full support for OpenSSL 1.0.2f and above;
- t.web.http.Request.addCookie now accepts Unicode and bytes keys/values;
- `twistd manhole` no longer uses a hard-coded SSH host key, and will generate one for you on the fly (this adds a 'appdirs' PyPI dependency, installing with [conch] will add it automatically);
- Over eighteen tickets overall closed since 16.0.
For more information, check the NEWS file (link provided below).
You can find the downloads at <https://pypi.python.org/pypi/Twisted> (or alternatively <http://twistedmatrix.com/trac/wiki/Downloads>). The NEWS file is also available at <https://github.com/twisted/twisted/blob/twisted-16.1.0/NEWS>.
Many thanks to everyone who had a part in this release - the supporters of the Twisted Software Foundation, the developers who contributed code as well as documentation, and all the people building great things with Twisted!
Amber Brown (HawkOwl)
Over the last few months, twistedmatrix.com's mailman installation has been used increasingly frequently to execute denial-of-service attacks against people's mailboxes. This is accomplished by sending huge numbers of subscription requests to our website, which in turn sends huge numbers of confirmation emails to their inbox. Based on some information that some targeted users have sent me, I now believe that this is to cause those users' mail quotas to be exceeded so that password reset or login notification emails won't reach them.
This has been going on for some time, but the frequency and severity of the attacks seem to be increasing; I only recently realized that this was considerably worse than an annoyance for those affected. I now have at least 1 confirmed report of this attack being a part of a (partially successful) identity theft.
This isn't the only problem we have with email:
We're running our own infrastructure which puts load on our already beyond-overloaded volunteer system administration team.
Despite running our own infrastructure, we are not dogfooding Twisted at all in the process, so we're not even learning anything useful from the pain; "exim is bad" is a lesson we've already learned many times, we do not need to keep learning it.
Given how hard it is for us to upgrade Mailman in our current system, we aren't even dogfooding our fellow community project terribly well.
Our infrastructure runs on the same host as the website and the buildmaster, overloading a very creaky system.
In addition to mailing lists, we run a mail forwarder. Our server's sender reputation is ... not great. We don't have SPF records, we don't do DKIM, and we don't provide authenticated SMTP for users, so emails just come from "wherever" when they are sent from, e.g. 'glyph(a)twistedmatrix.com' :-).
In order to address this, as soon as I can reasonably manage to do so, I will be moving Twisted's email infrastructure to mailgun.com <http://mailgun.com/>, a product that I've been successfully using for a range of personal domains (in particular, the divmod.com <http://divmod.com/> email forwarder - yes, I still operate that, when the Twisted community promises you an email address for life you get it ;-)). Additionally, Mailgun uses a bunch of Twisted within their infrastructure, so (although we won't be operating it) we will actually be dogfooding considerably more.
(Mailgun is a product of my employer, Rackspace, but they've given us a generous open source discount so there's no conflict of interest; the Twisted project won't be spending money on this.)
There will be a couple of inconveniences immediately after the transition:
At first, there will be no self-service subscription to mailing lists any more. If you want to subscribe, you'll have to send a message to twisted-python-owner(a)twistedmatrix.com <mailto:email@example.com> and the list administrator (right now, probably just me) will manually add your address. (Self-service unsubscription will still be possible.)
I'm not sure if I'll be able to keep the list archives at https://twistedmatrix.com/pipermail/ <https://twistedmatrix.com/pipermail/> updated, at least at first. I would encourage everyone to use http://news.gmane.org/gmane.comp.python.twisted <http://news.gmane.org/gmane.comp.python.twisted> and http://news.gmane.org/gmane.comp.python.twisted.web <http://news.gmane.org/gmane.comp.python.twisted.web> in the meanwhile.
Speaking of the contents of that sad URL, many disused mailing lists will be deleted. I doubt anyone will notice since there haven't been any posts to most of them in many years.
If you presently send email from a twistedmatrix.com <http://twistedmatrix.com/> address, you will probably want to start using the mailgun forwarder so that your messages will have nice shiny DKIM/SPF headers; I suspect you may start having more deliverability problems than you already do once other mail servers notice that we have said records if you're not using them. I'll distribute SMTP credentials via GPG-encrypted email to everyone I'm aware of who uses such an address.
There will be considerable benefits though:
For those of you with @twistedmatrix.com <http://twistedmatrix.com/> addresses, Mailgun operates a pretty conservative low-pass spam filter, but in looking at the analytics from my own personal domains, it really helps a lot and it is definitely more effective than the setup we've got right now.
Deliverability and mail-sending performance should be much improved; messages should arrive faster because they will be quarantined or deferred-bounced by major senders like GMail et. al. far less often, because we'll be forwarding less spam and legitimate messages will have appropriate anti-spam headers.
Trac will get faster at certain times because email DoSes should stop hitting the server.
Administrative overhead will decrease; we can just stop maintaining email ourselves.
Last but certainly not least, we'll stop being a collective unwilling accessory to cybercrime.
Probably these changes will all be pretty subtle, and most folks won't notice, but I wanted it to be clear in advance that they were intentional, in case there is some disruption associated with them :-). If anyone wants to give me a hand with parts of this (for example, setting up a smarthost configuration so that trac can still send email) please let me know.