
New pythonpackages.com service coming soon


New pythonpackages.com service coming soon

Alex Clark
Folks,

I have created a new service aimed at making it easier to release Python
packages to PyPI. The primary user is currently: me. And to date, I have
only released a single package with it: Pillow (well, in fact I really
only tested a portion of the release process with Pillow).

It works like this:

- I have created a "user" `pythonpackages` on PyPI
- I have uploaded an ssh key [1].
- I have added `pythonpackages` as a maintainer of `Pillow`.
- You can imagine the rest (and if you can't, it's a secret for now.)

Now, I read the TOS very carefully before creating the `pythonpackages`
"user". And there was nothing in it to indicate this action is anything
other than "fair use". But I want to bring it to the attention of the
PyPI maintainers now, in the event the service becomes popular later (I
know at least I am planning to use it quite a bit. And we have ~70 beta
users signed up to begin testing.)

The bottom line is: there is now a "user" on the PyPI called
`pythonpackages` that is in fact not a user, but a website
(pythonpackages.com). By adding the "user" `pythonpackages` as a
Maintainer to your package, you will be able to use the
pythonpackages.com service to automate your release process in some
exciting capacity, to be revealed soon. This is just one aspect of the
service I am building, but it is an important milestone that I wanted to
share (for obvious reasons).

I welcome any comments/questions/concerns. It is my sincere hope that at
the most, I am not offending anyone with my actions and at the least, I
am not violating any terms or conditions that I don't know about.

Sincerely,


Alex Clark


[1] I am using pypissh, http://pythonpackages.com/info/pypissh (many
thanks to Martin von Löwis for this).


--
Alex Clark · http://pythonpackages.com

_______________________________________________
Catalog-SIG mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/catalog-sig

Fwd: Re: New pythonpackages.com service coming soon

Tarek Ziadé

Missed the reply all

---------- Forwarded message ----------
From: "Tarek Ziadé" <[hidden email]>
Date: Jan 22, 2012 9:35 AM
Subject: Re: [Catalog-sig] New pythonpackages.com service coming soon
To: "Alex Clark" <[hidden email]>

The only concern I have is security. If someone breaks your server it can create havoc for those packages on PyPI. Maybe there's a way to make this more secure, like making session-based authorization? Or that's what you planned maybe?

Otherwise cool idea

Cheers
Tarek


Re: Fwd: Re: New pythonpackages.com service coming soon

Alex Clark
On 1/22/12 12:35 PM, Tarek Ziadé wrote:

> Missed the reply all
>
> ---------- Forwarded message ----------
> From: "Tarek Ziadé" <[hidden email] <mailto:[hidden email]>>
> Date: Jan 22, 2012 9:35 AM
> Subject: Re: [Catalog-sig] New pythonpackages.com
> <http://pythonpackages.com> service coming soon
> To: "Alex Clark" <[hidden email] <mailto:[hidden email]>>
>
> The only concern I have is security. If someone breaks your server it can
> create havoc for those packages on PyPI.

To address this, I'll most likely move the site to heroku where it will
run on lxc-contained [1], ephemeral instances with configuration stored
in the environment only [2].

> Maybe there's a way to make
> this more secure, like making session based authorization ? Or that's
> what you planned maybe ?

I'm not sure what you mean, but I'm certainly planning lots of things
for the future, assuming things go well. WRT sessions, the app
currently uses Pyramid's auth_tkt policy, which configures a session for
anyone that authorizes the app on github.com.

> Otherwise cool idea

Thanks


Alex

[1] http://lxc.sourceforge.net/
[2] http://devcenter.heroku.com/articles/config-vars#an_example




--
Alex Clark · http://pythonpackages.com


Re: New pythonpackages.com service coming soon

Richard Jones-32
On 23 January 2012 04:04, Alex Clark <[hidden email]> wrote:

> - I have created a "user" `pythonpackages` on PyPI
> - I have uploaded an ssh key [1].
> - I have added `pythonpackages` as a maintainer of `Pillow`.
> - You can imagine the rest (and if you can't, it's a secret for now.)
>
> Now, I read the TOS very carefully before creating the `pythonpackages`
> "user". And there was nothing in it to indicate this action is anything
> other than "fair use". But I want to bring it to the attention of the PyPI
> maintainers now, in the event the service becomes popular later (I know at
> least I am planning to use it quite a bit. And we have ~70 beta users signed
> up to begin testing.)

My initial only concern is that the registering and uploading of
packages to the index might become too anonymous.

We are frequently called upon to identify the owners of packages (for
a variety of reasons: ownership disputes, transfer of ownership,
reclamation of zombies, that sort of thing).

Currently a person must be registered with PyPI and listed as an
owner/maintainer to be able to register package releases and upload
files for a package. Even if we required a non-pythonpackages user to
be listed against a package, that association could become stale (the
person listed in PyPI could no longer have anything to do with
the package.)


     Richard

Re: New pythonpackages.com service coming soon

Alex Clark
On 1/22/12 5:45 PM, Richard Jones wrote:

> On 23 January 2012 04:04, Alex Clark<[hidden email]>  wrote:
>> - I have created a "user" `pythonpackages` on PyPI
>> - I have uploaded an ssh key [1].
>> - I have added `pythonpackages` as a maintainer of `Pillow`.
>> - You can imagine the rest (and if you can't, it's a secret for now.)
>>
>> Now, I read the TOS very carefully before creating the `pythonpackages`
>> "user". And there was nothing in it to indicate this action is anything
>> other than "fair use". But I want to bring it to the attention of the PyPI
>> maintainers now, in the event the service becomes popular later (I know at
>> least I am planning to use it quite a bit. And we have ~70 beta users signed
>> up to begin testing.)
>
> My initial only concern is that the registering and uploading of
> packages to the index might become too anonymous.
>
> We are frequently called upon to identify the owners of packages (for
> a variety of reasons: ownership disputes, transfer of ownership,
> reclamation of zombies, that sort of thing).
>
> Currently a person must be registered with PyPI and listed as an
> owner/maintainer to be able to register package releases and upload
> files for a package. Even if we required a non-pythonpackages user to
> be listed against a package, that association could become stale (the
> person listed in PyPI could no longer have anything to do with
> the package.)



That shouldn't be a concern here because anyone that wants to use the
service (currently) must manually assign the Maintainer role to the
`pythonpackages` user for their package(s). We (currently) have no plans
to register any new packages with the `pythonpackages` user. Our plans
could change in the future, but at present this is a small, cautious
step towards release automation.


And in general, the service is not intended to anonymize releases;
rather, the initial set of uploads will be coming from folks that meet
the following criteria:

- Github user
- PyPI user with at least one released package
- pythonpackages.com beta member



Alex






--
Alex Clark · http://pythonpackages.com


Re: New pythonpackages.com service coming soon

Richard Jones-32
On 23 January 2012 10:20, Alex Clark <[hidden email]> wrote:

> On 1/22/12 5:45 PM, Richard Jones wrote:
>>
>> On 23 January 2012 04:04, Alex Clark<[hidden email]>  wrote:
>>>
>>> - I have created a "user" `pythonpackages` on PyPI
>>> - I have uploaded an ssh key [1].
>>> - I have added `pythonpackages` as a maintainer of `Pillow`.
>>> - You can imagine the rest (and if you can't, it's a secret for now.)
>>>
>>> Now, I read the TOS very carefully before creating the `pythonpackages`
>>> "user". And there was nothing in it to indicate this action is anything
>>> other than "fair use". But I want to bring it to the attention of the
>>> PyPI
>>> maintainers now, in the event the service becomes popular later (I know
>>> at
>>> least I am planning to use it quite a bit. And we have ~70 beta users
>>> signed
>>> up to begin testing.)
>>
>>
>> My initial only concern is that the registering and uploading of
>> packages to the index might become too anonymous.
>>
>> We are frequently called upon to identify the owners of packages (for
>> a variety of reasons: ownership disputes, transfer of ownership,
>> reclamation of zombies, that sort of thing).
>>
>> Currently a person must be registered with PyPI and listed as an
>> owner/maintainer to be able to register package releases and upload
>> files for a package. Even if we required a non-pythonpackages user to
>> be listed against a package, that association could become stale (the
>> person listed in PyPI could no longer have anything to do with
>> the package.)
>
> That shouldn't be a concern here because anyone that wants to use the
> service (currently) must manually assign the Maintainer role to the
> `pythonpackages` user for their package(s). We (currently) have no plans to
> register any new packages with the `pythonpackages` user. Our plans could
> change in the future, but at present this is a small, cautious step towards
> release automation.

My concern was that in the longer term this could happen:

1. user registers package on pypi (and is thus owner)
2. user assigns pythonpackages as co-maintainer
3. user and others in package project use pythonpackages to submit new
releases (possibly automa[tg]ically using mechanisms set up by the
user from step #1 that they aren't fully aware of)
4. time passes and user from step #1 no longer participates in project
5. there is now effectively no useful human assigned to the package on
pypi, yet releases may still happen

As I said before, we frequently get requests for ownership
reassignment. In this case the original owner is not contactable /
helpful (this happens a bit.) We can see there's more recent releases
but we don't know who is performing them. We are now in a bind, or
have to spend a bunch more effort to figure out what's going on - and
we're already somewhat stretched (for two volunteers) with the current
setup.


     Richard

Re: Fwd: Re: New pythonpackages.com service coming soon

Tarek Ziadé


On Sun, Jan 22, 2012 at 12:57 P

>> Maybe there's a way to make
>> this more secure, like making session based authorization ? Or that's
>> what you planned maybe ?
>
> I'm not sure what you mean, but I'm certainly planning lots of things for the future, assuming things go well. WRT sessions, the app currently uses Pyramid's auth_tkt policy, which configures a session for anyone that authorizes the app on github.com.

I meant giving a temporary access to my PyPI packages from within your application when performing tasks, not a complete & permanent one where your application could perform unwanted tasks at PyPI if the server gets hacked.

I am not sure how this could be done practically speaking, it depends on the client UI.

Cheers
Tarek


 

--
Tarek Ziadé | http://ziade.org


Re: Fwd: Re: New pythonpackages.com service coming soon

Richard Jones-32
On 23 January 2012 10:37, Tarek Ziadé <[hidden email]> wrote:
> I meant giving a temporary access to my PyPI packages from within your
> application when performing tasks, not a complete & permanent one where your
> application could perform unwanted tasks at PyPI if the server gets hacked.

If I understand you correctly you are talking about using a mechanism
like OpenAuth? PyPI currently only provides OpenID support, not
OpenAuth. I don't recall there having been a discussion about adding
OpenAuth, though I certainly can't immediately think of a reason not
to add it (except that someone has to do it ;-)*


     Richard

* if there is interest I could do it during the US PyCon sprints...

Re: Fwd: Re: New pythonpackages.com service coming soon

Tarek Ziadé


On Sun, Jan 22, 2012 at 3:49 PM, Richard Jones <[hidden email]> wrote:
> On 23 January 2012 10:37, Tarek Ziadé <[hidden email]> wrote:
>> I meant giving a temporary access to my PyPI packages from within your
>> application when performing tasks, not a complete & permanent one where your
>> application could perform unwanted tasks at PyPI if the server gets hacked.
>
> If I understand you correctly you are talking about using a mechanism
> like OpenAuth? PyPI currently only provides OpenID support, not
> OpenAuth. I don't recall there having been a discussion about adding
> OpenAuth, though I certainly can't immediately think of a reason not
> to add it (except that someone has to do it ;-)*

Yeah for example




--
Tarek Ziadé | http://ziade.org


Re: New pythonpackages.com service coming soon

Alex Clark
On 1/22/12 6:34 PM, Richard Jones wrote:

> On 23 January 2012 10:20, Alex Clark<[hidden email]>  wrote:
>> On 1/22/12 5:45 PM, Richard Jones wrote:
>>>
>>> On 23 January 2012 04:04, Alex Clark<[hidden email]>    wrote:
>>>>
>>>> - I have created a "user" `pythonpackages` on PyPI
>>>> - I have uploaded an ssh key [1].
>>>> - I have added `pythonpackages` as a maintainer of `Pillow`.
>>>> - You can imagine the rest (and if you can't, it's a secret for now.)
>>>>
>>>> Now, I read the TOS very carefully before creating the `pythonpackages`
>>>> "user". And there was nothing in it to indicate this action is anything
>>>> other than "fair use". But I want to bring it to the attention of the
>>>> PyPI
>>>> maintainers now, in the event the service becomes popular later (I know
>>>> at
>>>> least I am planning to use it quite a bit. And we have ~70 beta users
>>>> signed
>>>> up to begin testing.)
>>>
>>>
>>> My initial only concern is that the registering and uploading of
>>> packages to the index might become too anonymous.
>>>
>>> We are frequently called upon to identify the owners of packages (for
>>> a variety of reasons: ownership disputes, transfer of ownership,
>>> reclamation of zombies, that sort of thing).
>>>
>>> Currently a person must be registered with PyPI and listed as an
>>> owner/maintainer to be able to register package releases and upload
>>> files for a package. Even if we required a non-pythonpackages user to
>>> be listed against a package, that association could become stale (the
>>> person listed in PyPI could no longer have anything to do with
>>> the package.)
>>
>> That shouldn't be a concern here because anyone that wants to use the
>> service (currently) must manually assign the Maintainer role to the
>> `pythonpackages` user for their package(s). We (currently) have no plans to
>> register any new packages with the `pythonpackages` user. Our plans could
>> change in the future, but at present this is a small, cautious step towards
>> release automation.
>
> My concern was that in the longer term this could happen:
>
> 1. user registers package on pypi (and is thus owner)
> 2. user assigns pythonpackages as co-maintainer
> 3. user and others in package project use pythonpackages to submit new
> releases (possibly automa[tg]ically using mechanisms set up by the
> user from step #1 that they aren't fully aware of)
> 4. time passes and user from step #1 no longer participates in project
> 5. there is now effectively no useful human assigned to the package on
> pypi, yet releases may still happen


Releases may technically still be possible via pythonpackages.com, but
practically speaking they shouldn't happen because the only person able
to trigger them (from pythonpackages.com) is the user that disappeared.

However, you have got me thinking about a potential abuse scenario where
a "legitimate" but malicious pythonpackages.com user could release any
package that had `pythonpackages` as a Maintainer.

This makes me think that at the very least, in addition to adding the
`pythonpackages` user as Maintainer, we (pythonpackages.com) must
require users to identify themselves with their PyPI OpenID (which of
course can be used for identification, but not for releasing packages).

That way pythonpackages.com could verify that the package being released
has the right Owner, simply by checking the package metadata and
reconciling it with the openid (at least in my head this sounds like it
should work).



>
> As I said before, we frequently get requests for ownership
> reassignment. In this case the original owner is not contactable /
> helpful (this happens a bit.) We can see there's more recent releases
> but we don't know who is performing them. We are now in a bind, or
> have to spend a bunch more effort to figure out what's going on - and
> we're already somewhat stretched (for two volunteers) with the current
> setup.


Indeed, I definitely don't want to create more work for anyone.



Alex





--
Alex Clark · http://pythonpackages.com

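As an added example (not code from pythonpackages.com or PyPI), here is the reconciliation check Alex sketches above, in Python: the PyPI OpenID the release requester signed in with is mapped to a username and matched against the package's Owner/Maintainer roles, so a beta member who holds no role on a package cannot release it merely because `pythonpackages` is its Maintainer. The role table, usernames and the exact role-name strings are constructed for the example; the OpenID URL form is the one Martin gives later in the thread, and the "service account cannot vouch for itself" rule is this example's own addition.

```python
"""Added example: reconcile a verified PyPI OpenID with a package's roles
before letting the release service upload on the requester's behalf."""
from urllib.parse import urlparse

# Constructed sample of PyPI role metadata: package -> role -> usernames.
# "pythonpackages" is the service's own Maintainer account from the thread;
# the other usernames are made up for the example.
PACKAGE_ROLES = {
    "Pillow": {"Owner": {"alex"}, "Maintainer": {"pythonpackages"}},
    "somepkg": {"Owner": {"departed"}, "Maintainer": {"pythonpackages"}},
    "otherpkg": {"Owner": {"someone"}, "Maintainer": set()},
}

SERVICE_ACCOUNT = "pythonpackages"
OPENID_HOST = "pypi.python.org"   # OpenID provider named later in the thread
OPENID_PREFIX = "/id/"            # identity URLs look like /id/<username>


def username_from_openid(identity_url):
    """Map a PyPI OpenID identity URL (http://pypi.python.org/id/<username>)
    to a username, or return None for anything that is not one.
    The URL must already have been verified by the relying-party flow;
    this function only does the mapping, never the authentication."""
    parts = urlparse(identity_url)
    if parts.scheme not in ("http", "https") or parts.netloc != OPENID_HOST:
        return None
    if not parts.path.startswith(OPENID_PREFIX):
        return None
    username = parts.path[len(OPENID_PREFIX):].strip("/")
    if not username or "/" in username:
        return None
    return username


def authorize_release(package, identity_url, roles=PACKAGE_ROLES):
    """Return (allowed, reason) for a release request.

    A release goes through only when
      (1) the service account holds the Maintainer role on the package,
          so PyPI would accept the upload at all, and
      (2) the human triggering it, identified by OpenID, is an Owner or
          Maintainer of that same package in their own right.
    The identity is checked last so a malformed OpenID never leaks which
    packages the service can upload to."""
    meta = roles.get(package)
    if meta is None:
        return False, "unknown package"
    if SERVICE_ACCOUNT not in meta.get("Maintainer", set()):
        return False, "service account is not a Maintainer of %s" % package
    user = username_from_openid(identity_url)
    if user is None:
        return False, "identity is not a PyPI OpenID"
    if user == SERVICE_ACCOUNT:
        return False, "service account cannot vouch for itself"
    if user in meta.get("Owner", set()) or user in meta.get("Maintainer", set()):
        return True, "%s holds a role on %s" % (user, package)
    return False, "%s holds no role on %s" % (user, package)
```

Note that the stale-owner case Richard describes still blocks: a new contributor to `somepkg` who is not listed on PyPI is refused, which is the intended trade-off (no anonymous releases) rather than a bug.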

Re: Fwd: Re: New pythonpackages.com service coming soon

Alex Clark
On 1/22/12 6:53 PM, Tarek Ziadé wrote:

>
>
> On Sun, Jan 22, 2012 at 3:49 PM, Richard Jones <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     On 23 January 2012 10:37, Tarek Ziadé <[hidden email]
>     <mailto:[hidden email]>> wrote:
>     > I meant giving a temporary access to my PyPI packages from within
>     > your application when performing tasks, not a complete & permanent one
>     > where your application could perform unwanted tasks at PyPI if the
>     > server gets hacked.
>
>     If I understand you correctly you are talking about using a mechanism
>     like OpenAuth? PyPI currently only provides OpenID support, not
>     OpenAuth. I don't recall there having been a discussion about adding
>     OpenAuth, though I certainly can't immediately think of a reason not
>     to add it (except that someone has to do it ;-)*
>
>
> Yeah for example
>
>
>
>
>          Richard
>
>     * if there is interest I could do it during the US PyCon sprints...


OAuth would be a most welcome addition!




--
Alex Clark · http://pythonpackages.com


Re: Fwd: Re: New pythonpackages.com service coming soon

"Martin v. Löwis"
> OAuth would be a most welcome addition!

Can you please flesh out a specification?

I'd be hesitant to add it without a *clear* commitment to using it.

We added OpenID support primarily to support pythonpackages.com,
only to find out that it now uses github accounts :-( I'd be angry
to learn that I implemented yet another feature which is then not
going to be used.

Regards,
Martin

Re: Fwd: Re: New pythonpackages.com service coming soon

Donald Stufft
Unrelated but: PyPI works as an openid provider? Is there any documentation for this?



Re: Fwd: Re: New pythonpackages.com service coming soon

"Martin v. Löwis"
On 23.01.2012 23:37, Donald Stufft wrote:
> Unrelated but: PyPI works as an openid provider? Is there any
> documentation for this?

Only on catalog SIG:

http://mail.python.org/pipermail/catalog-sig/2011-November/004066.html

You can (now) use pypi.python.org as the OpenID provider name, i.e.
log in with pypi.python.org into any compliant relying party.
If you want to type your full OpenID, it's
http://pypi.python.org/id/<username>

I plan to put this on the user's settings page.

Regards,
Martin

Re: Fwd: Re: New pythonpackages.com service coming soon

Richard Jones-32
On 24 January 2012 10:12, "Martin v. Löwis" <[hidden email]> wrote:
> On 23.01.2012 23:37, Donald Stufft wrote:
>> Unrelated but: PyPI works as an openid provider? Is there any
>> documentation for this?
>
> Only on catalog SIG:
>
> http://mail.python.org/pipermail/catalog-sig/2011-November/004066.html

Before you ask: we were waiting for one of the couple of interested
trial sites to implement the OpenID setup before announcing it more
publicly.


     Richard

Re: Fwd: Re: New pythonpackages.com service coming soon

Donald Stufft
Well I'm interested in PyPI OpenID ;) (or OAuth, either way… OAuth would be nice in that people could give authorization to specific packages, and be more comprehensive than just a login)

On Monday, January 23, 2012 at 6:44 PM, Richard Jones wrote:

> On 24 January 2012 10:12, "Martin v. Löwis" <[hidden email]> wrote:
>> Am 23.01.2012 23:37, schrieb Donald Stufft:
>>> Unrelated but: PyPI works as an openid provider? Is there any
>>> documentation for this?
>>
>> Only on catalog SIG:
>>
>
> Before you ask: we were waiting for one of the couple of interested
> trial sites to implement the OpenID setup before announcing it more
> publicly.
>
>
> Richard


Re: Fwd: Re: New pythonpackages.com service coming soon

Richard Jones-32
On 24 January 2012 10:47, Donald Stufft <[hidden email]> wrote:
> Well I'm interested in PyPI OpenID ;) (or OAuth, either way… OAuth would be
> nice in that people could give authorization to specific packages, and be
> more comprehensive than just a Login)

Could you explain what you mean by "people could give authorization to
specific packages"? Do you have a specific use-case in mind? Do you
have a site that intends to use PyPI's OpenID?


     Richard
Re: Fwd: Re: New pythonpackages.com service coming soon

Alex Clark
In reply to this post by "Martin v. Löwis"
Hi Martin,

On 1/23/12 5:30 PM, "Martin v. Löwis" wrote:

>> OAuth would be a most welcome addition!
>
> Can you please flesh out a specification?
>
> I'd be hesitant to add it without a *clear* commitment to using it.
>
> We added OpenID support primarily to support pythonpackages.com,
> only to find out that it now uses github accounts :-( I'd be angry
> to learn that I implemented yet another feature which is then not
> going to be used.

OpenID is still on the table, so I don't want you to get the impression
that we're jumping ship for OAuth. That said, I apologize about leaving
you hanging there; it was certainly not my intention (and I was unaware
until now that OpenID support was added for pythonpackages.com… unless
maybe you are confusing it with opencomparison.org?).

In any event, yes, I can put together a specification. Things should be
easier to discuss now that I have announced the details. Let me do this:

- Between now and March, I'll implement OpenID support on
pythonpackages.com.

- That support will, initially, only be used to verify that someone with
a Github account who has already signed in owns a particular package on
PyPI. As that is clumsy even to describe, I suspect it will only be a
stepping stone to a better approach (but I think it gets me what I want,
which is to publish packages that have shared the maintainer role with
`pythonpackages`. I certainly don't want any pythonpackages.com user to
be able to publish any package on PyPI that has done the same.)


Alex



>
> Regards,
> Martin


--
Alex Clark · http://pythonpackages.com

Re: Fwd: Re: New pythonpackages.com service coming soon

Donald Stufft
In reply to this post by Richard Jones-32
If I'm the owner of package foo, and website bar.com wants to modify my PyPI listing, or get private information, or whatever, OAuth could be used to securely grant bar.com authorization to the foo resource.

And I wasn't aware of PyPI's OpenID support, but now that I know of it I believe I have some ideas for taking advantage of it yes.

On Monday, January 23, 2012 at 7:13 PM, Richard Jones wrote:

> On 24 January 2012 10:47, Donald Stufft <[hidden email]> wrote:
>> Well I'm interested in PyPI OpenID ;) (or OAuth, either way… OAuth would be
>> nice in that people could give authorization to specific packages, and be
>> more comprehensive than just a Login)
>
> Could you explain what you mean by "people could give authorization to
> specific packages"? Do you have a specific use-case in mind? Do you
> have a site that intends to use PyPI's OpenID?
>
>
> Richard

Re: Fwd: Re: New pythonpackages.com service coming soon

Donald Stufft
The general gist is that the only way to grant an external service any access to your package is by either giving them your username/password, or by having a general user account for that service (similar to Alex Clark's `pythonpackages` user). Utilizing OAuth (beyond a basic log in to an external site with PyPI creds) would give a secure way for an owner to grant authorization for an external service to a resource (in this case a package), without needing to resort to the hackish fake user accounts.

On Monday, January 23, 2012 at 8:23 PM, Donald Stufft wrote:

> If I'm the owner of package foo, and website bar.com wants to modify my PyPI listing, or get private information, or whatever, OAuth could be used to securely grant bar.com authorization to the foo resource.
>
> And I wasn't aware of PyPI's OpenID support, but now that I know of it I believe I have some ideas for taking advantage of it yes.
>
> On Monday, January 23, 2012 at 7:13 PM, Richard Jones wrote:
>
>> On 24 January 2012 10:47, Donald Stufft <[hidden email]> wrote:
>>> Well I'm interested in PyPI OpenID ;) (or OAuth, either way… OAuth would be
>>> nice in that people could give authorization to specific packages, and be
>>> more comprehensive than just a Login)
>>
>> Could you explain what you mean by "people could give authorization to
>> specific packages"? Do you have a specific use-case in mind? Do you
>> have a site that intends to use PyPI's OpenID?
>>
>>
>> Richard

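Added example, not code from PyPI or pythonpackages.com, illustrating the distinction Donald draws above and the concern Alex raises earlier in the thread: a package-scoped, HMAC-signed token that an index could issue to one external service, beside the shared-maintainer-account model in which any request made as the shared user reaches every package that added it. The signing key, service names and package names are constructed.

```python
"""Package-scoped bearer token (added example, not PyPI's or
pythonpackages.com's code) beside the shared-maintainer-account model.
Keys, services and package names below are constructed."""
import base64, binascii, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # constructed secret
SCOPE_ACTIONS = {"read": {"read"}, "release": {"read", "upload"}}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def issue_token(owner: str, service: str, package: str, scope: str) -> str:
    """Hypothetical index side: `owner` grants `service` one scope on one package."""
    payload = json.dumps({"owner": owner, "service": service,
                          "package": package, "scope": scope},
                         sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token: str):
    """Return the claims if the HMAC checks out, else None (malformed or forged)."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
        given = base64.urlsafe_b64decode(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time compare
        return None
    return json.loads(payload)

def token_allows(token: str, service: str, package: str, action: str) -> bool:
    """Resource check: the caller, the package and the action must all match."""
    claims = verify_token(token)
    if claims is None:
        return False
    return (claims["service"] == service and claims["package"] == package
            and action in SCOPE_ACTIONS.get(claims["scope"], set()))

# Shared-account model: packages that added the service's index user as a
# maintainer (constructed). A request made as that user reaches all of them,
# whichever end user of the service is behind it.
SHARED_MAINTAINER_OF = {"foo": {"pythonpackages"}, "baz": {"pythonpackages"}}

def shared_account_allows(actor: str, package: str) -> bool:
    return actor in SHARED_MAINTAINER_OF.get(package, set())
```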