[Catalog-sig] Fwd: Re: New pythonpackages.com service coming soon
Alex Clark
aclark at aclark.net
Sun Jan 22 21:57:21 CET 2012
On 1/22/12 12:35 PM, Tarek Ziadé wrote:
> Missed the reply all
>
> ---------- Forwarded message ----------
> From: "Tarek Ziadé" <ziade.tarek at gmail.com>
> Date: Jan 22, 2012 9:35 AM
> Subject: Re: [Catalog-sig] New pythonpackages.com service coming soon
> To: "Alex Clark" <aclark at aclark.net>
>
> The only concern I have is security. If someone breaks your server it can
> create havoc for those packages on PyPI.
To address this, I'll most likely move the site to heroku where it will
run on lxc-contained [1], ephemeral instances with configuration stored
in the environment only [2].
> Maybe there's a way to make
> this more secure, like making session-based authorization? Or that's
> what you planned maybe?
I'm not sure what you mean, but I'm certainly planning lots of things
for the future, assuming things go well. WRT sessions, the app
currently uses Pyramid's auth_tkt policy, which configures a session for
anyone that authorizes the app on github.com.
> Otherwise cool idea
Thanks
Alex
[1] http://lxc.sourceforge.net/
[2] http://devcenter.heroku.com/articles/config-vars#an_example
>
> Cheers
> Tarek
>
> On Jan 22, 2012 9:04 AM, "Alex Clark" <aclark at aclark.net> wrote:
>
> Folks,
>
> I have created a new service aimed at making it easier to release
> Python packages to PyPI. The primary user is currently: me. And to
> date, I have only released a single package with it: Pillow (well,
> in fact I really only tested a portion of the release process with
> Pillow).
>
> It works like this:
>
> - I have created a "user" `pythonpackages` on PyPI
> - I have uploaded an ssh key [1].
> - I have added `pythonpackages` as a maintainer of `Pillow`.
> - You can imagine the rest (and if you can't, it's a secret for now.)
>
> Now, I read the TOS very carefully before creating the
> `pythonpackages` "user". And there was nothing in it to indicate
> this action is anything other than "fair use". But I want to bring
> it to the attention of the PyPI maintainers now, in the event the
> service becomes popular later (I know at least I am planning to use
> it quite a bit. And we have ~70 beta users signed up to begin testing.)
>
> The bottom line is: there is now a "user" on the PyPI called
> `pythonpackages` that is in fact not a user, but a website
> (pythonpackages.com). By adding the
> "user" `pythonpackages` as a Maintainer to your package, you will be
> able to use the pythonpackages.com
> service to automate your release process in some exciting capacity,
> to be revealed soon. This is just one aspect of the service I am
> building, but it is an important milestone that I wanted to share
> (for obvious reasons).
>
> I welcome any comments/questions/concerns. It is my sincere hope
> that at the most, I am not offending anyone with my actions and at
> the least, I am not violating any terms or conditions that I don't
> know about.
>
> Sincerely,
>
>
> Alex Clark
>
>
> [1] I am using pypissh, http://pythonpackages.com/info/pypissh
> (many thanks to Martin von Löwis for this).
>
>
> --
> Alex Clark · http://pythonpackages.com
>
> _________________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>
--
Alex Clark · http://pythonpackages.com