From martin at v.loewis.de  Thu Feb  4 22:35:13 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Thu, 04 Feb 2010 22:35:13 +0100
Subject: [Catalog-sig] PyPI and PEP 381
In-Reply-To: <A715840A-21D5-4988-9736-2B46FB622437@gmail.com>
References: <4B4B80E2.60804@simplistix.co.uk>
	<4B54D90F.7020901@v.loewis.de>	<9E8EAF43-DFF2-4FB3-A1B4-D23547942C71@leidel.info>	<4B54DEAB.5010600@v.loewis.de>
	<hj2ogi$kuo$1@ger.gmane.org>	<4B54E9AF.4020105@v.loewis.de>	<b80fa96f7edb5273c4ab98877eef635e@preisshare.net>	<4B54F1E1.6050400@v.loewis.de>	<951a972618365a1aafdad0615895f0e9@preisshare.net>	<4B5517CD.2050406@v.loewis.de>	<b3cdbdcf1001181835q6b71ed68vbe05ad84036c4e04@mail.gmail.com>	<4B551D7E.50806@v.loewis.de>
	<A715840A-21D5-4988-9736-2B46FB622437@gmail.com>
Message-ID: <4B6B3D91.5090806@v.loewis.de>

> I can test it on the receiving end; I'm working on packaging up my
> pymetamirror package and putting the results on S3.
> 
> It'd be cool to have it get notifications of what to download instead
> of doing a date based pull as is the current setup.

Did you have a chance to test the pubsubhubbub notifications?
Does it work for you?

Regards,
Martin


From justin at justinlilly.com  Fri Feb  5 14:52:15 2010
From: justin at justinlilly.com (Justin Lilly)
Date: Fri, 5 Feb 2010 08:52:15 -0500
Subject: [Catalog-sig] PyPi & PSHB
Message-ID: <b3cdbdcf1002050552q1b1a7fccp31da18a43318fe7@mail.gmail.com>

Hey guys.
  I coded up a quick pubsubhubbub client last night which will consume the
feed that pypi puts out. Below is the script I used to test things out[0].
To trigger an action, I re-registered a previously registered package. The
subscribe function should work, but I did things manually through the PSHB
interface[1].

I think the RSS format works fairly well. My only suggestion might be to
change the RSS feed link to the actual PSHB url. ie:
http://pypi.python.org/pypi?:action=lasthour

If you have questions about it, let me know :)

 -justin

[0]: http://dpaste.de/9zOP/ <http://dpaste.de/JZkf/>
[1]: https://pubsubhubbub.appspot.com/subscribe
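An added subscriber-side example, not Justin's script (which is only linked above): the two callbacks a PubSubHubbub 0.3 client for the PyPI feed has to implement, the hub's subscription-verification GET and the signed content POST. The feed URL, verify token, secret and the sample RSS items are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# Constructed subscription state: the PyPI feed we subscribed to (URL assumed)
# plus the verify token and secret we generated and sent with the request.
TOPIC = "http://pypi.python.org/pypi?:action=rss"
PENDING = {TOPIC: {"verify_token": "tok-7f3a", "secret": "s3cr3t-demo"}}

# Constructed sample feed body, the kind of notification the hub would POST.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>PyPI recent updates</title>
<item><title>pymetamirror 0.1</title><link>http://pypi.python.org/pypi/pymetamirror/0.1</link></item>
<item><title>pep381client 1.0</title><link>http://pypi.python.org/pypi/pep381client/1.0</link></item>
</channel></rss>"""


def hub_verification_query(topic, challenge, verify_token):
    """Build the query string a 0.3 hub sends to confirm subscription intent."""
    return urlencode({"hub.mode": "subscribe", "hub.topic": topic,
                      "hub.challenge": challenge, "hub.lease_seconds": "86400",
                      "hub.verify_token": verify_token})


def hub_signature(body, secret):
    """X-Hub-Signature value a hub computes when hub.secret was supplied."""
    return "sha1=" + hmac.new(secret.encode(), body, hashlib.sha1).hexdigest()


def handle_verification(query_string):
    """Answer the hub's GET with (status, body). Echo the challenge only for a
    topic we really asked for and a token we issued: the callback URL is
    public, so an unconditional echo would let anyone subscribe this endpoint
    to arbitrary feeds."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    sub = PENDING.get(q.get("hub.topic"))
    if q.get("hub.mode") != "subscribe" or sub is None:
        return 404, ""
    token = q.get("hub.verify_token", "")
    if not hmac.compare_digest(sub["verify_token"].encode(), token.encode()):
        return 404, ""
    return 200, q.get("hub.challenge", "")


def handle_notification(topic, headers, body):
    """Handle the hub's content POST, returning (status, [(title, link), ...]).
    The HMAC over the raw body is checked before the XML is touched, so an
    unsigned or forged push never reaches the parser or any download step."""
    sub = PENDING.get(topic)
    if sub is None:
        return 404, []
    expected = hub_signature(body, sub["secret"])
    if not hmac.compare_digest(headers.get("X-Hub-Signature", ""), expected):
        return 400, []
    items = [(item.findtext("title", ""), item.findtext("link", ""))
             for item in ET.fromstring(body).iter("item")]
    return 200, items


if __name__ == "__main__":
    print(handle_verification(hub_verification_query(TOPIC, "c-123", "tok-7f3a")))
    sig = {"X-Hub-Signature": hub_signature(SAMPLE_FEED, "s3cr3t-demo")}
    print(handle_notification(TOPIC, sig, SAMPLE_FEED))
```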

From ssteinerx at gmail.com  Fri Feb  5 15:30:33 2010
From: ssteinerx at gmail.com (ssteinerX@gmail.com)
Date: Fri, 5 Feb 2010 09:30:33 -0500
Subject: [Catalog-sig] PyPI and PEP 381
In-Reply-To: <4B6B3D91.5090806@v.loewis.de>
References: <4B4B80E2.60804@simplistix.co.uk>
	<4B54D90F.7020901@v.loewis.de>	<9E8EAF43-DFF2-4FB3-A1B4-D23547942C71@leidel.info>	<4B54DEAB.5010600@v.loewis.de>
	<hj2ogi$kuo$1@ger.gmane.org>	<4B54E9AF.4020105@v.loewis.de>	<b80fa96f7edb5273c4ab98877eef635e@preisshare.net>	<4B54F1E1.6050400@v.loewis.de>	<951a972618365a1aafdad0615895f0e9@preisshare.net>	<4B5517CD.2050406@v.loewis.de>	<b3cdbdcf1001181835q6b71ed68vbe05ad84036c4e04@mail.gmail.com>	<4B551D7E.50806@v.loewis.de>
	<A715840A-21D5-4988-9736-2B46FB622437@gmail.com>
	<4B6B3D91.5090806@v.loewis.de>
Message-ID: <3E305C7A-C0AB-44B3-8B71-3349E7C06A24@gmail.com>


On Feb 4, 2010, at 4:35 PM, Martin v. Löwis wrote:

>> I can test it on the receiving end; I'm working on packaging up my
>> pymetamirror package and putting the results on S3.
>> 
>> It'd be cool to have it get notifications of what to download instead
>> of doing a date based pull as is the current setup.
> 
> Did you have a chance to test the pubsubhubbub notifications?
> Does it work for you?

I wrote a little harness and it seemed to work, but I've yet to start the actual server that could watch it continuously.

I'm hoping to get the time to publish the whole thing this weekend.

Were you ever able to look at the logs on the XML-RPC error I sent to the list a couple of weeks ago?

Thanks,

Steve


From dattam at umich.edu  Mon Feb  8 16:08:59 2010
From: dattam at umich.edu (Dattatreya Mellacheruvu)
Date: Mon, 08 Feb 2010 10:08:59 -0500
Subject: [Catalog-sig] Graphical(and/or Dynamic) Simulations in Python
Message-ID: <6bb02ad3eacc8b2f5d83da911e30ec0f@umich.edu>



Hi, I want to simulate the dynamics of a particle in a force field. 

One of the applications of this module would be to use it to demonstrate
how different mass spectrometers work. 

Is there a python package that lets me do this kind of simulations (and
dynamic simulations in general, like fluid dynamics simulations, network
traffic simulations, etc.)? 

I need to see the output more like what I see if I used a Java Applet. 

Thanks in Advance! 

Dattatreya. 

Grad Student, UofM.

From doug.hellmann at gmail.com  Mon Feb  8 16:44:49 2010
From: doug.hellmann at gmail.com (Doug Hellmann)
Date: Mon, 8 Feb 2010 10:44:49 -0500
Subject: [Catalog-sig] Graphical(and/or Dynamic) Simulations in Python
In-Reply-To: <6bb02ad3eacc8b2f5d83da911e30ec0f@umich.edu>
References: <6bb02ad3eacc8b2f5d83da911e30ec0f@umich.edu>
Message-ID: <B728CBC9-56A7-42FE-A765-7EA5AC530D1E@gmail.com>

The catalog-sig list is intended for discussion of the development and  
management of the catalog itself, not its contents.

You might get more help on the general python list (http://www.python.org/community/lists/ 
) or through one of the science-oriented lists related to the SciPy  
project (http://scipy.org/).

Doug

On Feb 8, 2010, at 10:08 AM, Dattatreya Mellacheruvu wrote:

> Hi, I want to simulate the dynamics of a particle in a force field.
>
> One of the applications of this module would be to use it to  
> demonstrate how different mass spectrometers work.
>
> Is there a python package that lets me do this kind of  
> simulations (and dynamic simulations in general, like fluid dynamics  
> simulations, network traffic simulations, etc.)?
>
> I need to see the output more like what I see if I used a Java Applet.
>
> Thanks in Advance!
>
> Dattatreya.
>
> Grad Student, UofM.


From martin at v.loewis.de  Fri Feb 12 20:47:38 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Fri, 12 Feb 2010 20:47:38 +0100
Subject: [Catalog-sig] pep381client
Message-ID: <4B75B05A.8070409@v.loewis.de>

I started working on a PEP 381 implementation, at

http://bitbucket.org/loewis/pep381client/

A live installation of this can be seen at b.mirrors.pypi.python.org.

The major feature still missing in this implementation is the
integration of the statistics protocol.

Regards,
Martin

From martin at v.loewis.de  Sat Feb 13 18:32:37 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Sat, 13 Feb 2010 18:32:37 +0100
Subject: [Catalog-sig] PEP 381 timestamps
Message-ID: <4B76E235.5090609@v.loewis.de>

In implementing pep381client, I noticed that the last-modified format is
underspecified. It says to use ISO 8601, but that doesn't really say
much - many different formats would be possible.

I suggest to clarify this as meaning the same format as XML-RPC uses,
i.e. "%Y%m%dT%H:%M:%S\n".

I also noticed that the naming of the file is slightly confusing: if you
don't modify any mirrored content (because the master didn't since the
last synchronisation), you are still supposed to modify last-modified
(making this file the only one that was actually modified). OTOH, the
specification makes it clear that this is the time of the last
synchronization, so there is probably no need to change anything here.

Regards,
Martin

From ziade.tarek at gmail.com  Sat Feb 13 18:55:39 2010
From: ziade.tarek at gmail.com (=?ISO-8859-1?Q?Tarek_Ziad=E9?=)
Date: Sat, 13 Feb 2010 18:55:39 +0100
Subject: [Catalog-sig] PEP 381 timestamps
In-Reply-To: <4B76E235.5090609@v.loewis.de>
References: <4B76E235.5090609@v.loewis.de>
Message-ID: <94bdd2611002130955x7733dc34t48ca0e2471169211@mail.gmail.com>

2010/2/13 "Martin v. Löwis" <martin at v.loewis.de>:
> In implementing pep381client, I noticed that the last-modified format is
> underspecified. It says to use ISO 8601, but that doesn't really say
> much - many different formats would be possible.
>
> I suggest to clarify this as meaning the same format as XML-RPC uses,
> i.e. "%Y%m%dT%H:%M:%S\n".

Sounds right. I can put some examples in the PEP

>
> I also noticed that the naming of the file is slightly confusing: if you
> don't modify any mirrored content (because the master didn't since the
> last synchronisation), you are still supposed to modify last-modified
> (making this file the only one that was actually modified). OTOH, the
> specification makes it clear that this is the time of the last
> synchronization, so there is probably no need to change anything here.

Yes, maybe a better name could have been "last-synchronization-date",
but I think "last-modified" is ok to keep.

Regards,
Tarek

From fdrake at gmail.com  Sat Feb 13 22:19:14 2010
From: fdrake at gmail.com (Fred Drake)
Date: Sat, 13 Feb 2010 16:19:14 -0500
Subject: [Catalog-sig] PEP 381 timestamps
In-Reply-To: <4B76E235.5090609@v.loewis.de>
References: <4B76E235.5090609@v.loewis.de>
Message-ID: <9cee7ab81002131319s1a8dcb2fre8c51e4b29c411bb@mail.gmail.com>

2010/2/13 "Martin v. Löwis" <martin at v.loewis.de>:
> I suggest to clarify this as meaning the same format as XML-RPC uses,
> i.e. "%Y%m%dT%H:%M:%S\n".

Given the high quality of the XML-RPC spec, I'd suggest never using it
as the foundation of anything.

I'd also suggest including the timezone for the value, so that it's
unambiguous.  This could be done by fiat (stating in the spec that
times are consistently stored in UTC), or by including the timezone in
the stored value.


  -Fred

-- 
Fred L. Drake, Jr.    <fdrake at gmail.com>
"Chaos is the score upon which reality is written." --Henry Miller
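An added example, not code from pep381client or the PEP: the last-modified format Martin proposes above ("%Y%m%dT%H:%M:%S" plus newline), written and read with Fred's "UTC by fiat" rule so the value is unambiguous, plus a client-side freshness check that treats an old (or future-dated) synchronization time as a mirror not to trust as current. The one-hour staleness threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone

# The XML-RPC dateTime.iso8601 shape Martin suggests; the trailing newline
# is part of the file content and is added/stripped around this format.
LAST_MODIFIED_FMT = "%Y%m%dT%H:%M:%S"


def format_last_modified(when):
    """Render the mirror's last-synchronization time. UTC by fiat: an aware
    datetime in any zone is converted, a naive one is refused so that a
    mirror's local time can never leak into the file unlabelled."""
    if when.tzinfo is None:
        raise ValueError("last-modified must be timezone-aware (UTC by fiat)")
    return when.astimezone(timezone.utc).strftime(LAST_MODIFIED_FMT) + "\n"


def parse_last_modified(text):
    """Read the file back as an aware UTC datetime. strptime with the exact
    format rejects the other ISO 8601 spellings the PEP's wording allows."""
    naive = datetime.strptime(text.strip(), LAST_MODIFIED_FMT)
    return naive.replace(tzinfo=timezone.utc)


def mirror_is_stale(text, now, max_age=timedelta(hours=1)):
    """Client-side check: True when the mirror's last synchronization is
    older than max_age, or claims to be in the future (clock skew or a
    forged file). 'now' must be an aware datetime."""
    age = now - parse_last_modified(text)
    return not (timedelta(0) <= age <= max_age)


if __name__ == "__main__":
    synced = datetime(2010, 2, 13, 18, 32, 37, tzinfo=timezone.utc)
    content = format_last_modified(synced)
    print(repr(content))
    print(mirror_is_stale(content, synced + timedelta(hours=2)))
```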

From martin at v.loewis.de  Mon Feb 15 09:24:28 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Mon, 15 Feb 2010 09:24:28 +0100
Subject: [Catalog-sig] PyPI and PEP 381
In-Reply-To: <3E305C7A-C0AB-44B3-8B71-3349E7C06A24@gmail.com>
References: <4B4B80E2.60804@simplistix.co.uk>
	<4B54D90F.7020901@v.loewis.de>	<9E8EAF43-DFF2-4FB3-A1B4-D23547942C71@leidel.info>	<4B54DEAB.5010600@v.loewis.de>
	<hj2ogi$kuo$1@ger.gmane.org>	<4B54E9AF.4020105@v.loewis.de>	<b80fa96f7edb5273c4ab98877eef635e@preisshare.net>	<4B54F1E1.6050400@v.loewis.de>	<951a972618365a1aafdad0615895f0e9@preisshare.net>	<4B5517CD.2050406@v.loewis.de>	<b3cdbdcf1001181835q6b71ed68vbe05ad84036c4e04@mail.gmail.com>	<4B551D7E.50806@v.loewis.de>
	<A715840A-21D5-4988-9736-2B46FB622437@gmail.com>
	<4B6B3D91.5090806@v.loewis.de>
	<3E305C7A-C0AB-44B3-8B71-3349E7C06A24@gmail.com>
Message-ID: <4B7904BC.2040906@v.loewis.de>

> Were you ever able to look at the logs on the XML-RPC error I sent to the list a couple of weeks ago?

Unfortunately not. If it keeps happening, please submit a bug report.

Regards,
Martin

From martin at v.loewis.de  Mon Feb 15 23:13:26 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Mon, 15 Feb 2010 23:13:26 +0100
Subject: [Catalog-sig] pypi-checkins list
Message-ID: <4B79C706.9080608@v.loewis.de>

For those interested in following pypi-checkins: I have now setup a list at

http://mail.python.org/mailman/listinfo/pypi-checkins

Regards,
Martin

From gh at ghaering.de  Mon Feb 22 09:47:38 2010
From: gh at ghaering.de (=?ISO-8859-1?Q?Gerhard_H=E4ring?=)
Date: Mon, 22 Feb 2010 09:47:38 +0100
Subject: [Catalog-sig] How to remove dead links from PyPI?
Message-ID: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com>

Hello,

I cannot figure out how to modify old releases on PyPI. This page:

http://pypi.python.org/simple/pysqlite/

has lots of dead links for older releases of pysqlite (anything
pointing to pysqlite.org or initd.org).

I'd like to remove these links, so that easy_install and buildout
won't take forever before giving up.

Any idea how? Or do I need to contact the PyPI maintainers?

-- Gerhard

From hanno at hannosch.eu  Mon Feb 22 10:05:26 2010
From: hanno at hannosch.eu (Hanno Schlichting)
Date: Mon, 22 Feb 2010 10:05:26 +0100
Subject: [Catalog-sig] How to remove dead links from PyPI?
In-Reply-To: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com>
References: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com>
Message-ID: <5cae42b21002220105k5296ec17m7a0e3bfab9ea8fdc@mail.gmail.com>

Hi.

On Mon, Feb 22, 2010 at 9:47 AM, Gerhard Häring <gh at ghaering.de> wrote:
> I cannot figure out how to modify old releases on PyPI. This page:
>
> http://pypi.python.org/simple/pysqlite/
>
> has lots of dead links for older releases of pysqlite (anything
> pointing to pysqlite.org or initd.org).
>
> I'd like to remove these links, so that easy_install and buildout
> won't take forever before giving up.
>
> Any idea how? Or do I need to contact the PyPI maintainers?

You should be able to go to
http://pypi.python.org/pypi?:action=pkg_edit&name=pysqlite

That page should list all releases. You can then "edit" each of the
releases and change the metadata of each release to remove the old
URL's.

If that doesn't work, I'm out of ideas :)

Hanno

From martin at v.loewis.de  Mon Feb 22 10:08:01 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Mon, 22 Feb 2010 10:08:01 +0100
Subject: [Catalog-sig] How to remove dead links from PyPI?
In-Reply-To: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com>
References: <496f9fbb1002220047n5a0427acw2127f932fd9f8c34@mail.gmail.com>
Message-ID: <4B824971.7030106@v.loewis.de>

> I cannot figure out how to modify old releases on PyPI. This page:
> 
> http://pypi.python.org/simple/pysqlite/
> 
> has lots of dead links for older releases of pysqlite (anything
> pointing to pysqlite.org or initd.org).

You need to edit or remove the old releases, on their respective edit
pages, e.g.

http://pypi.python.org/pypi?name=pysqlite&version=2.3.4&:action=submit_form
http://pypi.python.org/pypi?%3Aaction=pkg_edit&name=pysqlite

If the download for such an old release is no longer available, I
recommend to delete the release from PyPI as well.

Regards,
Martin

From wam at wamber.net  Tue Feb 23 17:59:00 2010
From: wam at wamber.net (William McVey)
Date: Tue, 23 Feb 2010 11:59:00 -0500
Subject: [Catalog-sig] SSL for PyPI
Message-ID: <c75938f81002230859r75d57e84yc848367bdc554839@mail.gmail.com>

Sorry if this is the wrong group (if it is, please redirect me to the
proper list), but I'd like to suggest that PyPI be available via SSL
protection.  Obviously, I'd be willing to help with this effort as
well. It occurred to me as I was at PyCon 'pip install'ing away that
there was a real possibility of man-in-the-middle manipulations of
both the content of the packages downloaded as well as the actual
resolution of where packages were located (especially over an open
public wifi network). I certainly understand that turning off the
cleartext PyPI interface is not something that could be considered for
a very-long time, but it'd be nice if  those individuals who were
concerned about the potential for attack had an option to pull PyPI
info over a protected channel. And even if people weren't concerned,
if it were perhaps the default option in their environment, their
security posture could be improved.

From a technology standpoint, it should be straightforward to get an
SSL certificate for pypi.python.org, and then configure the web server
to provide the exact same content as the existing
http://pypi.python.org site. From the client side, I'd suggest an
extension/patch to pip (and easy_install) to use the SSL protected
version of PyPI when available. Obviously doing  certificate validity
on the client side would require either python 2.6 or third party
packages, but even a warning announcing that the updates/installs were
happening over cleartext network would make people aware.

  -- William

From tseaver at palladion.com  Tue Feb 23 20:48:41 2010
From: tseaver at palladion.com (Tres Seaver)
Date: Tue, 23 Feb 2010 14:48:41 -0500
Subject: [Catalog-sig] SSL for PyPI
In-Reply-To: <c75938f81002230859r75d57e84yc848367bdc554839@mail.gmail.com>
References: <c75938f81002230859r75d57e84yc848367bdc554839@mail.gmail.com>
Message-ID: <hm1bep$frn$1@dough.gmane.org>


William McVey wrote:
> Sorry if this is the wrong group (if it is, please redirect me to the
> proper list), but I'd like to suggest that PyPI be available via SSL
> protection.  Obviously, I'd be willing to help with this effort as
> well. It occurred to me as I was at PyCon 'pip install'ing away that
> there was a real possibility of man-in-the-middle manipulations of
> both the content of the packages downloaded as well as the actual
> resolution of where packages were located (especially over an open
> public wifi network). I certainly understand that turning off the
> cleartext PyPI interface is not something that could be considered for
> a very-long time, but it'd be nice if  those individuals who were
> concerned about the potential for attack had an option to pull PyPI
> info over a protected channel. And even if people weren't concerned,
> if it were perhaps the default option in their environment, their
> security posture could be improved.
> 
> From a technology standpoint, it should be straightforward to get an
> SSL certificate for pypi.python.org, and then configure the web server
> to provide the exact same content as the existing
> http://pypi.python.org site. From the client side, I'd suggest an
> extension/patch to pip (and easy_install) to use the SSL protected
> version of PyPI when available. Obviously doing  certificate validity
> on the client side would require either python 2.6 or third party
> packages, but even a warning announcing that the updates/installs were
> happening over cleartext network would make people aware.

Sounds like a good plan to me:  no software development required on the
server side, only some very well-understood sysadmin.  Clients can catch
up once the https:// URLs work.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com


From m.van.rees at zestsoftware.nl  Wed Feb 24 14:36:25 2010
From: m.van.rees at zestsoftware.nl (Maurits van Rees)
Date: Wed, 24 Feb 2010 13:36:25 +0000 (UTC)
Subject: [Catalog-sig] How to remove dead links from PyPI?
References: <496f9fbb1002220041w7318325oe0a59168fb25e148@mail.gmail.com>
Message-ID: <hm3a0p$aj7$1@dough.gmane.org>

Gerhard Häring, on 2010-02-22:
> Hello,
>
> I cannot figure out how to modify old releases on PyPI. This page:
>
> http://pypi.python.org/simple/pysqlite/
>
> has lots of dead links for older releases of pysqlite (anything
> pointing to pysqlite.org or initd.org).
>
> I'd like to remove these links, so that easy_install and buildout
> won't take forever before giving up.

If you do:
bin/buildout -t 5 
then buildout will give up on a link after 5 seconds.

It is a workaround, but it may be helpful.

-- 
Maurits van Rees | http://maurits.vanrees.org/
            Work | http://zestsoftware.nl/
What are you going to create today?


From tseaver at palladion.com  Wed Feb 24 16:09:59 2010
From: tseaver at palladion.com (Tres Seaver)
Date: Wed, 24 Feb 2010 10:09:59 -0500
Subject: [Catalog-sig] SSL for PyPI
In-Reply-To: <c75938f81002240703i53404ee2y2ab9ed5a4921f91b@mail.gmail.com>
References: <c75938f81002230859r75d57e84yc848367bdc554839@mail.gmail.com>	
	<hm1bep$frn$1@dough.gmane.org>
	<c75938f81002240703i53404ee2y2ab9ed5a4921f91b@mail.gmail.com>
Message-ID: <4B854147.5050505@palladion.com>


William McVey wrote:
> On Tue, Feb 23, 2010 at 2:48 PM, Tres Seaver <tseaver at palladion.com> wrote:
>> Sounds like a good plan to me:  no software development required on the
>> server side, only some very well-understood sysadmin.  Clients can catch
>> up once the https:// URLs work.
> 
> So I guess this begs the question, "Who is the sysadmin of pypi and
> who is authorized to act on the PSF's behalf to order an SSL
> certificate?".

I think MvL is the sysadmin.  I don't know who wears the "authorized
representative" hat for the PSF.



Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
	


From martin at v.loewis.de  Wed Feb 24 18:53:33 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Wed, 24 Feb 2010 18:53:33 +0100
Subject: [Catalog-sig] SSL for PyPI
In-Reply-To: <c75938f81002230859r75d57e84yc848367bdc554839@mail.gmail.com>
References: <c75938f81002230859r75d57e84yc848367bdc554839@mail.gmail.com>
Message-ID: <4B85679D.907@v.loewis.de>

> Sorry if this is the wrong group (if it is, please redirect me to the
> proper list), but I'd like suggest  that PyPI  be available via SSL
> protection.

Notice that it already supports SSH access for this very purpose. SSL
access could be provided, but would cause an ongoing maintenance issue
(requiring regular updates of the server certificate, unless self-signed
long-running certificates are used).

Regards,
Martin

From martin at v.loewis.de  Wed Feb 24 20:10:45 2010
From: martin at v.loewis.de (=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=)
Date: Wed, 24 Feb 2010 20:10:45 +0100
Subject: [Catalog-sig] SSL for PyPI
In-Reply-To: <4B85679D.907@v.loewis.de>
References: <c75938f81002230859r75d57e84yc848367bdc554839@mail.gmail.com>
	<4B85679D.907@v.loewis.de>
Message-ID: <4B8579B5.8040604@v.loewis.de>

Martin v. Löwis wrote:
>> Sorry if this is the wrong group (if it is, please redirect me to the
>> proper list), but I'd like suggest  that PyPI  be available via SSL
>> protection.
> 
> Notice that it already supports SSH access for this very purpose.

Ah. For that, download tools should use the server signatures protocol,
i.e. access (e.g.)

http://pypi.python.org/serversig/roundup

This will also allow to verify the authenticity of mirrors that follow
PEP 381.

Download tools should cache the server key (and might also choose to
hard-code it). Exact roll-over procedures are not defined yet, but I
plan to always sign the next key with the previous one.

Regards,
Martin

From wam at wamber.net  Wed Feb 24 19:47:53 2010
From: wam at wamber.net (William McVey)
Date: Wed, 24 Feb 2010 13:47:53 -0500
Subject: [Catalog-sig] SSL for PyPI
In-Reply-To: <4B85679D.907@v.loewis.de>
References: <c75938f81002230859r75d57e84yc848367bdc554839@mail.gmail.com>
	<4B85679D.907@v.loewis.de>
Message-ID: <c75938f81002241047k587524eep8e53c735ca7875e3@mail.gmail.com>

On Wed, Feb 24, 2010 at 12:53 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> Notice that it already supports SSH access for this very purpose. SSL
> access could be provided, but would cause an ongoing maintenance issue
> (requiring regular updates of the server certificate, unless self-signed
> long-running certificates are used).


The general public can't use the ssh interface for package downloads
though, can it? SSL would require periodic replacement of server
certificates, but this is fairly straightforward to manage as part of
the domain renewal process (or as some other related administrative
process), and doesn't have to be too onerous. A 5 year cert can be
purchased for $141 (through domaindiscover... no guarantee that they
have the best price, it's just the one I have bookmarked). I'd be
happy to assist in any way you might find useful.

  -- William