Reach out to 3rd party services about new pypi.org domain #2935
Comments
|
(Of course we shouldn't reach out to the auto-deploy-to-PyPI orgs till our new infrastructure can support the load.) Edited to add: I talked with Dustin in IRC just now. I'm running across sites/projects that could conceivably fit under this issue, like projects that upload to PyPI or that make "my project on PyPI" widgets for your site, etc. We decided pretty much any 3rd party that is referring to the old domain is valid for this issue, and it's fine to add to the checklist in the initial comment to keep the checklist all in one place. |
|
Open source release tracking services like release-monitoring.org and libraries.io will also be affected. I filed fedora-infra/anitya#531 for Anitya, and based on an initial review, the info we'll need for that migration is:
|
|
URLs should be the same or redirect to their new location, just with the domain changed. |
|
http://shields.io/ can do PyPI badges, they might need a heads up. |
|
@brainwane Perhaps we should put together a "Migrating from pypi.python.org to pypi.org" document for 3rd parties that answers the questions @ncoghlan has (and any other), which we can point them to when we "reach out" to them. |
|
@di We have https://packaging.python.org/guides/migrating-to-pypi-org/, but it's currently focused on migrations for tool configurations and interactive use. For the lower level details of API & URL migrations, I suspect a contributor focused document in Warehouse explaining the handling of the paths below Also providing updated answers for my own questions (based on @dstuft's advice above):
|
|
Huh, it looks like |
|
Turns out Anitya could handle the |
a step towards pypi#2935
I agree. Started in #3153. It would be great to have #3151 for this as well. |
|
pyup.io is notified 👍🏼 |
This is a step towards pypi#2935.
This is a step towards pypi#2935.
This is a step towards pypi#2935.
* Update contact info and copyright year * Add PyPI migration guide for third-party services This is a step towards #2935.
* Update contact info and copyright year * Add PyPI migration guide for third-party services This is a step towards pypi#2935.
|
So, we now have the migration guide at https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi . I've started writing up a general "things that are changing in PyPI and packaging/distribution in general" thing to send out and am putting a text dump here. Close friends of mine are having an emergency so I need to drop things and go help them for the next few days, but other folks should feel free to pick this up, edit it, reuse it as they see fit, and get more of the checkboxes in the list above checked off. I'm the project manager for the new Python Package Index (Warehouse), which is currently in pre-production at http://pypi.org/ . On the Warehouse roadmap, it looks like the full switch will happen sometime in April, so here's a heads-up about why we're switching, what's changed, and what to expect. The legacy PyPI site at https://pypi.python.org started in the early 2000s. In recent years, users faced outages, malicious packages, and spam attacks, and the legacy codebase made it hard to maintain and even harder to develop new features. The new PyPI has a far more modern look, and is up-to-date under the hood as well; a proper web framework (Pyramid), 100% backend test coverage, and a Docker-based development environment, make it easier for current and new developers to maintain it and add features. Thanks to Mozilla's Open Source Support funding, developers have added many new features, overhauled infrastructure, and made steady progress towards redirecting traffic to the new site and shutting down the old one. As of the middle of last year, package releases must go through the new PyPI, and as of late February, new user account registration is only available on the new site. The full switch will include redirecting browser and Your site/service will probably be able to seamlessly switch to the new site, and thanks to redirects, may not have to change anything immediately. Here's a migration guide. Some new PyPI features:
Things that are going away, or already have (sometimes for policy or spam-fighting reasons), include:
And in the works:
For future updates, please sign up for the low-traffic PyPI announcements email list. Thank you for integrating with PyPI, and please let us know if you have any questions or problems with the new site! |
This isn't a new feature, legacy had it and Warehouse just mimic'd it. |
|
Regarding GPG signatures: one of the risks that publisher signatures defend against is a compromise of PyPI itself (whether that's a technical compromise by a third party, or malicious action by a PyPI admin). However, for them to effectively serve that purpose, signatures need to be obtained through a trusted channel that isn't PyPI. As a reference link, https://mail.python.org/pipermail/distutils-sig/2017-March/030252.html would be a reasonable one (both Donald and I have written about the topic at various points over the years, that's just the one that came up first for me in Google) Regarding PEP 541: the requirements for declaring a package as abandoned are pretty stringent, so we don't expect the number of transfer requests to increase substantially, but we do expect them to be resolved in a more timely fashion when they do come up. |
|
I updated a bit of the comment - thanks for your feedback, Donald and Nick. Now I'll use it to send notes to some of the sites and projects listed above. |
|
Reached out to TravisCI in travis-ci/dpl#779. I took out the bullet point about verification GPG signatures on packages & pointer to distutils-sig discussion because I saw travis-ci/dpl#727 (comment) . I looked at #25, pypa/twine#157, #1439, https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html , and https://pypi.python.org/security, and as far as I can tell, Warehouse does not actually change anything regarding GPG package signatures, compared to legacy PyPI. |
|
As far as GPG and PyPI goes, the delta between legacy and Warehouse is uh:
I don't think anything else has changed, and both of those are UI things so it probably doesn't need called out specifically since a lot of UI stuff changed? |
|
@dstufft when you say "Warehouse doesn't expose the fact a file had a signature uploaded for it in the UI." I see, you mean the web UI, and Ernest was referring to the Simple API. Thanks. I do think the things you mention do need calling out because - in my experience - while "foo has moved over to another page/a sidebar" doesn't need much explicit guidance, "foo that you used to see/use is now gone" will cause confusion and support requests unless we explicitly forestall that by saying "you haven't missed it, it's actually gone now, deliberately." I'll add a brief note to my boilerplate. |
|
That works. If you want to see the difference you can look at https://pypi.python.org/pypi/pip versus https://pypi.org/project/pip/#files. The former has a (pgp) link, and the latter does not. I might be wrong about the managing your GPG key part, I just logged into legacy to get a link for the page and I don't see it anymore. I suspect @ewdurbin or @di removed it from legacy at some point and I didn't notice (or I forgot). That reminds me of another difference though, Warehouse no longer has a mechanism for managing your SSH key either (and PyPI still has this). The practical difference is minuscule though, because the code that utilized the user's SSH key got ripped out like 4 years ago so managing your SSH key doesn't really do anything except update an otherwise unused field in a database. |
|
mosquito/pypi-server#30, circleci.py#40, an email to CircleCI support, email to gemfury about badges, and email to PythonAnywhere sent. |
|
Emailed Paul Tagliamonte, Barry Warsaw, and Piotr Roszatycki with a heads-up and asked for it to be forwarded to the Am calling this complete. We can start a new issue if we start discovering more services to alert. |
|
@jayfk Noticed that pyup is still using pypi.python.org, anything we can do to help? |
I need some kind of cloning device :D. I have the updated URLs in a local branch, just need to re-run tests and merge it in. Thanks for keeping an eye out for this! |
|
We didn't reach out to https://pythonwheels.com, did we? |
|
Hey @meshy, are you aware of this? Anything we can do to help? |
|
Hey @di and @pradyunsg, thanks for reaching out! I've been aware of the upcoming changes for a while, thanks to @hugovk. They've been a star, and have done the leg-work for me in terms of migrating the project over to using BigQuery. I've not had the time to merge the required changes, but I hope that pythonwheels will be ready when the change comes. Also, amazing job on Warehouse! It's awesome! |
|
You're welcome. See https://hugovk.github.io/top-pypi-packages/ for a weekly dump of the 5,000 most-downloaded packages from PyPI, as a replacement for the old |
We should reach out to any 3rd party service that depends on the
pypi.python.orgdomain and encourage them to update topypi.org.A list of services that currently depend on
pypi.python.org:pypi.python.org)pypi.python.org)pip installwatchfolks anddevscripts(includinguscan) folks, such as Piotr Roszatycki, as they hit legacy PyPI (uscan,watch) and produce pypi.debian.net (example) and have asked about Warehouse supportinguscanmore cleanlyThe text was updated successfully, but these errors were encountered: