Hi
This is just an FYI that we plan to release a new Twisted version that
includes a fix for a security-related bug.
Most probably the release will be on the 29th of July 2024, 15:00 UTC.
The security advisory is at
https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7
Only Twisted developers have access to it.
This security issue was reported by Ben Kallus and a fix was created by
Tom Most.
If you are a member of Twisted dev team and have time, please review the PR
and add your feedback.
We can continue the conversation over the GitHub Security advisory page.
Kind regards
--
Adi Roiban

Hello Twisted list,
We had a brief Twisted birds-of-a-feather session at PyCon 2024.
One issue that came up was that while Twisted works fine for the things that it does, we don't have a great onboarding process to motivate new developers to get involved and maintain it or build new things. In particular, Twisted's main value these days is no longer in the reactor, as the stdlib's core asyncio functionality is quite capable, but in our suite of protocol implementations and integrations. However, "it's got a ton of custom wire protocols" is less interesting in an era where there are fewer mainstream things that use custom wire protocols. So what are interesting things that we already do with wire protocols that, with a fresh coat of paint, could appeal to an audience of new developers to revitalize the project in general?
To that end, we discussed a few projects:
We should resurrect the effort to build a first-party websockets implementation: <https://github.com/twisted/twisted/issues/4173>. It's been nice to have Autobahn available, but websockets are by far the quickest and easiest way to provide a native demonstration of Twisted's capabilities. Luckily, we do not have to build an implementation ourselves, as a maintained sans-io kernel implementation exists in the <https://github.com/python-hyper/wsproto> project. So we just need to do a direct integration with the Resource model in twisted.web. I will probably do some work on this project myself.
Twitch's chat is IRC <https://dev.twitch.tv/docs/irc/>, but Twisted's IRC implementation is missing some implementation details. An IRC bot tutorial could thus actually be a very relevant introduction to a large audience of developers. Joel McGrady has volunteered for this effort and has written up some of the IRCv3 issues that will need addressing as part of it: https://github.com/twisted/twisted/issues/12180
We could probably do something interesting and fun with email, if we updated twisted.mail to make sure it worked with recent mail clients and did a little tutorial? Email is still relentlessly popular despite decades of progress. Nobody has volunteered for this yet.
We already have a ton of work on SMB that just needs to be un-stuck, both in terms of reviews and fixes: <https://github.com/twisted/twisted/pull/1274>. I really appreciate Ian contributing this to Twisted and I'd like to see it eventually make it into a release, so I'm highlighting it here. If anyone wants to pick up responding to review feedback, you can make a fork of his fork, grab the branch and open a new PR to start addressing things.
Everyone then mumbled "HTTP/3"? But nobody seemed to actually care about that.
All of these efforts should be done documentation-first, to try to evaluate how to build a successor to the aging "finger" tutorial series, and to make sure that we have something to point new developers at so that they can find their way around Twisted.
-g

Hi Twisted maintainers,
I'd like to request your help fixing the release pipeline of pydoctor: https://github.com/twisted/pydoctor/issues/794
It's complaining about an email not being verified, but since the tool also triggers a couple of deprecation warnings I suspect the actual thing to do would be to upgrade the pipeline to use the secretless publishing
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
I'll release pydoctor 24.3.x after that (Yes I know it's late for a .3.x release...).
Thanks for your help,

Hello Twisted maintainers and contributors, I'd like to propose the addition of a new package into the Twisted ecosystem. A package dedicated to static analysis. You can read the full description in the following GitHub issue: https://github.com/twisted/twisted/issues/12176
Tell me what you think,
Thanks,
Tristan

Hi,
I have created this PR to remove the twisted.web.soap code
https://github.com/twisted/twisted/pull/12148
It looks like the SOAP code was broken for a long time.
---------
Due to a defect in our packaging definition, the SOAPpy dependency library
was never installed as part of the automated CI tests, so the
twisted.web.soap tests were always skipped.
The SOAPpy library is no longer maintained, with the latest release in June 2014,
and it no longer works with Python 3 (I have tested with 3.12).
https://pypi.org/project/SOAPpy/#history
------------
This is why I don't think that it makes sense to raise a deprecation
warning.
The PR is directly removing the code, without a deprecation warning.
-----------
If you have any objections and you think that the twisted.web.soap code
should stay,
please let me know.
You can send your feedback by replying to this email or by adding your comment to
the PR
https://github.com/twisted/twisted/pull/12148
Thanks for your time!
--
Adi Roiban

Hello friends,
As you may already know, last year Twisted got fiscal sponsorship from the Python Software Foundation. This will enable us to once again dedicate financial resources to maintenance and development. Adi Roiban and I recently had a meeting with the PSF where we discussed bringing the Twisted fellowship sponsored maintenance program back in some form.
Our plan is currently to do something somewhat less formal than last time <https://labs.twistedmatrix.com/2015/12/tsf-sponsored-development-oct-dec-by…>. To wit, the current idea is to bring a maintainer on to do about 5 hours of work per week, mostly just keeping the review queue clear, so that contributions can be more efficiently accepted. We have a lot of code that is stalled but not technically "in review" right now, so it might also involve going through the PR backlog to integrate those, doing triage, etc.
If we are successful in raising more money, we might expand this role further. But, as it was many years ago, my conviction remains that the highest priority of funded work should be facilitating the work of volunteers, not writing more code. I am sure that at least one person reading this would be contributing a patch right now if the process weren't a bit stuck and frustrating due to reviewer bandwidth limitations :).
Also worth noting that the process is going to be somewhat more lightweight and less stodgily formal than we have had in the past. Our previous process made it difficult for people involved in the decision-making process for the project to actually do the work, so one consequence of this (and the fact that I'm working independently and doing consulting at the moment) is that I personally might be able to do some of this work directly. It also made the commitment of the person doing the work pretty substantial, but with a lighter weight process we can rotate the responsibility with more agility, allowing multiple people to step into or out of the role as their availability and our funds allow.
Since I mentioned that I would be a candidate for doing this work, I feel like I should highlight that in my independent work I have patrons who support my open source work in general rather than Twisted specifically, and sometimes in the course of that I do work on a Twisted thing here or there. So in the interests of transparency I wanted to highlight this detail, but the rule is pretty simple; if you want to support stuff that lives on my 'glyph' user on GitHub, you can support that work directly, and if you want to support Twisted, donations to the PSF might go to me, or it might go to someone else, depending on what the project decides, but it will support stuff that lives on the "twisted" org. (In particular, I'd really like Klein & Treq to get some love in addition to the main repo, since they form a bit of a suite that makes conventional web services more viable out of the box.)
Speaking of "the project" making decisions, while it is our fiscal sponsor in the form of the PSF who has final say over spending decisions, their goal is to have an accurate reflection of "the project" as making decisions, and surely that includes some of you, in your role as contributors and interested community members. We don't really have a ton of money to spend (those aforementioned proposed 5 hours would probably eat up most of it at this point) so while we don't need a ton of big ambitious ideas, we would love to have more folks get involved in the process of decision-making (and fundraising!). Again, our process is lighter weight and less formal right now, so we do not have an elected Steering Committee or anything like that, but as more people are interested we can evolve our loose consensus into something more explicitly documented. (One role of interest, then, of course, would be someone who likes documenting processes…)
Of course, if you're excited that we are angling for this and would like to donate to the project, you can currently go here, with the knowledge that something useful will happen with the money in the not too distant future: https://psfmember.org/civicrm/contribute/transact/?reset=1&id=44 and other forms of contribution will be coming online soon (in particular, GitHub Sponsors is in the works).
Thanks for reading; we'd love to know your thoughts!
-g

Itamar has written up a super interesting proposal for how we might make Failure immutable, and thereby some of its use-cases somewhat more performant: https://github.com/twisted/twisted/issues/12111
First I just wanted to point to this as a great example of how to write up a proposal, it's almost to a PEP level of detail.
I don't think we need any particular input on the discussion, but this is a subtle and core area of the API, so it would be easy for me to miss an area where feedback would be useful. In any case, if you're a heavy user of Twisted you might be interested in this discussion. If we do it right, it shouldn't really require applications to do much, but if you have code that introspects Failures or their tracebacks for development tooling, you might want to think about any changes you might need to make before the release which includes it.
-g

On behalf of the Twisted contributors I announce the release of Twisted 24.3.0 (the release formerly known as 24.2.0, before too much time passed.)
The notable changes are:
• A variety of small bug fixes.
• A performance improvement when doing many very small writes over TLS.
• Fix breakage with latest PyPy release.
The release changes can be seen at https://github.com/twisted/twisted/releases/tag/twisted-24.3.0
Wheels for the release are available on PyPI.
Many thanks to everyone who worked on this release!
—Itamar

On behalf of the Twisted contributors I announce the release candidate of Twisted 22.4.0.
The notable changes are:
• A variety of small bug fixes.
• A performance improvement when doing many very small writes over TLS.
• Fix breakage with latest PyPy release.
The release and NEWS file is available for review at https://github.com/twisted/twisted/pull/12106
Release candidate documentation is available at https://twisted--12106.org.readthedocs.build/en/12106/index.html
Wheels for the release candidate are available on PyPI:
    python -m pip install Twisted==22.4.0rc1
Please test it and report any issues. If nothing comes up in one week, 22.4.0 will be released based on the latest release candidate. Many thanks to everyone who worked on this release!
--
Itamar Turner-Trauring

Greetings,
We are pleased to announce version 23.6.0 of magic-folder.
Magic Folder synchronizes local data to and from a Tahoe-LAFS Grid,
keeping data private with the end-to-end encrypted "Capabilities" of
Tahoe-LAFS. One or more magic-folder clients can join the same Folder,
adding and synchronizing data across multiple devices. Written in
Python, Magic Folder supports Linux, MacOS and Windows. Python3 and
PyPy are supported.
By itself, this project requires familiarity with the command-line and
long-running processes. The Gridsync project provides a cross-platform
GUI experience using the localhost HTTP API.
Changes in this release include:
- security: Bump dependencies, including security-relevant cryptography library (#716)
- feature: Added a description of the datamodel to the documentation (#702)
- feature: Conflict files now named after the Participant (not Author) (#711)
- bugfix: "magic-folder status" properly parses scan/poll events (#717)
- bugfix: Handle updates to conflicted files more robustly (#719)
You may download the release from PyPI:
https://pypi.org/project/magic-folder/23.6.0/#files
Currently the localhost HTTP API used for integration is not 100%
stable, although we do not expect large changes.
thanks,
meejah
on behalf of all contributors