[Catalog-sig] Fwd: Re: New pythonpackages.com service coming soon

Alex Clark aclark at aclark.net
Sun Jan 22 21:57:21 CET 2012

On 1/22/12 12:35 PM, Tarek Ziadé wrote:
> Missed the reply all
> ---------- Forwarded message ----------
> From: "Tarek Ziadé" <ziade.tarek at gmail.com>
> Date: Jan 22, 2012 9:35 AM
> Subject: Re: [Catalog-sig] New pythonpackages.com service coming soon
> To: "Alex Clark" <aclark at aclark.net>
> The only concern I have is security. If someone breaks your server it can
> create havoc for those packages on PyPI.

To address this, I'll most likely move the site to heroku where it will 
run on lxc-contained [1], ephemeral instances with configuration stored 
in the environment only [2].

> Maybe there's a way to make
> this more secure, like making session based authorization ? Or that's
> what you planned maybe ?

I'm not sure what you mean, but I'm certainly planning lots of things 
for the future, assuming things go well. WRT sessions, the app 
currently uses Pyramid's auth_tkt policy, which configures a session for 
anyone who authorizes the app on github.com.

> Otherwise cool idea



[1] http://lxc.sourceforge.net/
[2] http://devcenter.heroku.com/articles/config-vars#an_example

> Cheers
> Tarek
> On Jan 22, 2012 9:04 AM, "Alex Clark" <aclark at aclark.net> wrote:
>     Folks,
>     I have created a new service aimed at making it easier to release
>     Python packages to PyPI. The primary user is currently: me. And to
>     date, I have only released a single package with it: Pillow (well,
>     in fact I really only tested a portion of the release process with
>     Pillow).
>     It works like this:
>     - I have created a "user" `pythonpackages` on PyPI
>     - I have uploaded an ssh key [1].
>     - I have added `pythonpackages` as a maintainer of `Pillow`.
>     - You can imagine the rest (and if you can't, it's a secret for now.)
>     Now, I read the TOS very carefully before creating the
>     `pythonpackages` "user". And there was nothing in it to indicate
>     this action is anything other than "fair use". But I want to bring
>     it to the attention of the PyPI maintainers now, in the event the
>     service becomes popular later (I know at least I am planning to use
>     it quite a bit. And we have ~70 beta users signed up to begin testing.)
>     The bottom line is: there is now a "user" on the PyPI called
>     `pythonpackages` that is in fact not a user, but a website
>     (pythonpackages.com). By adding the
>     "user" `pythonpackages` as a Maintainer to your package, you will be
>     able to use the pythonpackages.com
>     service to automate your release process in some exciting capacity,
>     to be revealed soon. This is just one aspect of the service I am
>     building, but it is an important milestone that I wanted to share
>     (for obvious reasons).
>     I welcome any comments/questions/concerns. It is my sincere hope
>     that at the most, I am not offending anyone with my actions and at
>     the least, I am not violating any terms or conditions that I don't
>     know about.
>     Sincerely,
>     Alex Clark
>     [1] I am using pypissh, http://pythonpackages.com/info/pypissh
>     (many thanks to Martin von Löwis for this).
>     --
>     Alex Clark · http://pythonpackages.com
>     _______________________________________________
>     Catalog-SIG mailing list
>     Catalog-SIG at python.org
>     http://mail.python.org/mailman/listinfo/catalog-sig

Alex Clark · http://pythonpackages.com
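As an added illustration of the two mitigations mentioned in the reply above (configuration kept only in the process environment, and signed session tickets in the spirit of Pyramid's auth_tkt policy), here is a small stand-alone Python sketch. It is not code from this thread or from pythonpackages.com: the setting names (AUTH_TKT_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET) are assumed, and the ticket format is a simplified HMAC-signed "userid|expiry|mac" string, not Pyramid's real auth_tkt wire format. The point it makes is that an ephemeral instance holds no secret on disk, fails closed when the environment is incomplete, and rejects expired or tampered session cookies.

```python
import hashlib
import hmac
import os
import time

# Assumed setting names for this example; nothing in the original thread names them.
REQUIRED_SETTINGS = ("AUTH_TKT_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET")


def load_settings(environ=None):
    """Read every required setting from the environment only (no config file on disk).

    Fails closed: a missing value or a short signing secret aborts startup rather
    than falling back to a default that would be shared across instances.
    """
    env = os.environ if environ is None else environ
    missing = [key for key in REQUIRED_SETTINGS if not env.get(key)]
    if missing:
        raise RuntimeError("missing required settings: %s" % ", ".join(missing))
    if len(env["AUTH_TKT_SECRET"]) < 32:
        raise RuntimeError("AUTH_TKT_SECRET must be at least 32 characters")
    return {key: env[key] for key in REQUIRED_SETTINGS}


def _mac(secret, payload):
    """HMAC-SHA512 over the ticket payload, hex encoded."""
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha512).hexdigest()


def issue_ticket(secret, userid, now=None, ttl=3600):
    """Build a ticket 'userid|expiry|mac' for a user who completed the OAuth flow.

    The userid is assumed to be a GitHub login, which never contains '|'.
    """
    if "|" in userid:
        raise ValueError("userid must not contain '|'")
    now = int(time.time()) if now is None else now
    payload = "%s|%d" % (userid, now + ttl)
    return "%s|%s" % (payload, _mac(secret, payload))


def verify_ticket(secret, ticket, now=None):
    """Return the userid for a well-formed, unexpired, correctly signed ticket, else None.

    The MAC is checked with a constant-time comparison so a forged cookie
    cannot be refined byte by byte through timing differences.
    """
    now = int(time.time()) if now is None else now
    parts = ticket.split("|")
    if len(parts) != 3:
        return None
    userid, expiry, mac = parts
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    expected = _mac(secret, "%s|%s" % (userid, expiry))
    if not hmac.compare_digest(mac, expected):
        return None
    return userid


if __name__ == "__main__":
    # Constructed sample environment standing in for Heroku config vars.
    sample_env = {
        "AUTH_TKT_SECRET": "constructed-example-secret-of-sufficient-length",
        "GITHUB_CLIENT_ID": "example-client-id",
        "GITHUB_CLIENT_SECRET": "example-client-secret",
    }
    settings = load_settings(sample_env)
    ticket = issue_ticket(settings["AUTH_TKT_SECRET"], "aclark")
    print("ticket valid for:", verify_ticket(settings["AUTH_TKT_SECRET"], ticket))
```

The `now` parameters exist only so the expiry logic can be exercised deterministically; in a real deployment the wall clock is used and the secret never appears in source control or on the instance's filesystem.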
