pypi / warehouse
The Python Package Index
Home Page: https://pypi.org
License: Apache License 2.0
Ensure that user passwords always match some level of password complexity/strength.
When using wheel and twine to upload a package, PyPI and Warehouse will have information about the dependencies of said package. It would be very nice to be able to look up the reverse relationship, the dependents, on the package's listing in Warehouse.
Long description can be None instead of "". Right now this causes an exception.
Stacktrace (most recent call last):
File "raven/middleware.py", line 31, in __call__
iterable = self.application(environ, start_response)
File "site-packages/guard.py", line 62, in __call__
return self.application(environ, _start_response)
File "warehouse/middleware.py", line 28, in __call__
return self.app(environ, _start_response)
File "werkzeug/wsgi.py", line 40, in <lambda>
return update_wrapper(lambda *a: f(*a)(*a[-2:]), f)
File "warehouse/application.py", line 260, in wsgi_app
return view(self, request, **kwargs)
File "warehouse/utils.py", line 90, in wrapper
resp = fn(app, request, *args, **kwargs)
File "warehouse/utils.py", line 173, in wrapper
resp = fn(app, request, *args, **kwargs)
File "warehouse/packaging/views.py", line 78, in project_detail
description_html = htmlize(release["description"])
File "recliner/renderer.py", line 152, in htmlize
html = render(text)
File "recliner/renderer.py", line 108, in render
settings_overrides=settings,
File "docutils/core.py", line 448, in publish_parts
enable_exit_status=enable_exit_status)
File "docutils/core.py", line 662, in publish_programmatically
output = pub.publish(enable_exit_status=enable_exit_status)
File "docutils/core.py", line 217, in publish
self.settings)
File "docutils/readers/__init__.py", line 71, in read
self.input = self.source.read()
File "docutils/io.py", line 426, in read
return self.decode(self.source)
File "docutils/io.py", line 99, in decode
data_encoding = self.determine_encoding_from_data(data)
File "docutils/io.py", line 142, in determine_encoding_from_data
if data.startswith(start_bytes):
Resolving this issue should resolve https://app.getsentry.com/pypi/warehouse/group/9475461/ as well.
It would be nice for them to at least be case insensitive unique, but great if they were just in general case insensitive like the citext module.
PyPI allows logging in via OpenID, we need to either implement this or deprecate it and provide a migration path.
It would be a good idea to refactor out the project name normalization.
If a user has both the maintainer and the owner role for a package they will show up twice in the Maintainers list. This should be set to be a distinct query so that they only show up once.
When the users are manually on a page other than the latest version, they should get a link/message telling them that and pointing them to the latest version.
The database should (if supported) create a constraint that prevents any particular user from having more than one primary email address at any one time.
PyPI offers the ability to be an OpenID provider, we need to add this feature to Warehouse or deprecate it from PyPI itself.
Ideally the entire site will be protected by a CSP policy. However because of the admin we might need to exclude /admin from that, at least until the Django admin no longer uses inline javascript or CSS.
list_packages
package_releases
release_urls
release_data
search
browse
updated_releases
changelog
changelog_last_serial
changelog_since_serial
changed_packages
release_downloads
package_roles
user_packages
package_hosting_mode
top_packages
list_packages_with_serial
The ability to relocate virtual environments was called out specifically.
Currently we are using a forked copy of webassets (webassets-py3k). Once upstream has released a Python 3 compatible release we should switch back to upstream.
Keywords are an ArrayField and currently are not editable in the Django Admin due to issues with djorm-ext-pgarray.
In #93 a Content Security Policy was added, however reports are not being sent anywhere. Ideally they would go to something like Sentry (perhaps even sentry itself?).
The classifiers need to be linked to some sort of "browse" page.
We don't really need to do this. It makes it harder to ever adjust how we render the pages and overall caching is a better method of dealing with any sort of expensiveness in rendering.
The current PyPI UI is pretty horrible. Crate tried to improve on this but while it's an improvement it's not all that great itself. Perhaps we can find a really great designer/ux person to contribute?
Here's a list of UI centric routes from the current PyPI to give an idea of what sort of views we need.
Need to be able to see what user accounts own/maintain a particular project. It would be cool if this included some sort of avatar support instead of just raw usernames.
Currently there's no verification that a person owns the GPG key they claim they do. We should verify this before allowing this key.
We need some functional tests to ensure that Warehouse functions at a high level. Ideally this would use webtest to avoid needing to parse http and simply use the wsgi application.
Currently PyPI allows using the <img> tag to host images anywhere, this has a few problems. Namely that those images are often not available via HTTPS, making those pages have mixed content, and it forces us to allow anything in the img-src directive in the CSP policy.
Possibly this can be solved similarly to how github solved this and use https://github.com/atmos/camo.
/cc @coderanger
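An added example (not Warehouse's or camo's code) of the signed image-proxy approach the issue above points to: rendered description HTML has each img src rewritten to an HMAC-signed proxy URL, so img-src in the CSP can name one HTTPS host. The proxy host, key, URL layout and function names are assumptions of this sketch, and it assumes the renderer emits double-quoted attributes.

```python
import hashlib
import hmac
import re
from html import escape, unescape
from urllib.parse import urlsplit

# Assumptions for this example (none of these come from Warehouse):
PROXY_BASE = "https://images.example.invalid"  # hypothetical proxy host
PROXY_KEY = b"constructed-demo-key"            # constructed shared secret

IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=")([^"]+)(")', re.IGNORECASE)


def sign(url: str) -> str:
    """HMAC over the upstream URL so only the site can mint proxy links."""
    return hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()


def proxy_url(url: str) -> str:
    """Build <base>/<digest>/<hex-encoded upstream url>."""
    return f"{PROXY_BASE}/{sign(url)}/{url.encode().hex()}"


def verify(digest: str, hex_url: str):
    """Proxy side: return the upstream URL, or None if the link is forged."""
    try:
        url = bytes.fromhex(hex_url).decode()
    except ValueError:  # bad hex or bad UTF-8
        return None
    if not hmac.compare_digest(digest.encode(), sign(url).encode()):
        return None
    if urlsplit(url).scheme not in ("http", "https"):
        return None  # never fetch javascript:, file:, data: and the like
    return url


def rewrite_images(html: str) -> str:
    """Point every <img src> in rendered description HTML at the proxy."""
    def repl(m):
        src = unescape(m.group(2))  # attribute values are entity-encoded
        if src.startswith(PROXY_BASE + "/"):
            return m.group(0)  # already proxied, keep rewriting idempotent
        return m.group(1) + escape(proxy_url(src), quote=True) + m.group(3)
    return IMG_SRC.sub(repl, html)


# With every image behind the proxy, the directive no longer needs a wildcard.
CSP_IMG_SRC = f"img-src 'self' {PROXY_BASE}"
```

The signature stops third parties from using the proxy as an open relay; the scheme check on the proxy side is what keeps a signed but non-HTTP URL from being fetched.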
For development ease css & js will be in multiple files and unoptimized. Figured out a decent asset pipeline to use to handle both development and production.
Once models settle down a bit and it makes sense to, we need to switch from syncdb to using South for migrations.
It would be nice to support logging into Warehouse via Persona.
Currently the database is littered with "UNKNOWN". This "helpfully" comes from distutils who will fill it in for a missing required value. We should strip these from the database and strip it from new incoming data.
Copy and Pasting the Surrogate-Key handling code all over the place is far from optimal, we should figure out how to turn it into a decorator (ideally) or at the very least make it a utility function that can be called.
There's already some logging being done by the app - the web requests. There will be more logging done explicitly by code as users do things (dumb things or good things).
I'm going to add a new section to the configuration file called logging which will have the following structure (closely mirroring the standard logging configuration file structure, but not requiring us to actually have a separate INI syntax file).
logging:
  formatters:
    simpleFormater:
      format: '%(asctime)s - %(levelname)s: %(message)s'
      datefmt: '%Y/%m/%d %H:%M:%S'
  handlers:
    console:
      class: logging.StreamHandler
      formatter: simpleFormater
      level: DEBUG
      stream: ext://sys.stdout
    file:
      class: logging.FileHandler
      formatter: simpleFormater
      level: WARNING
      filename: output.log
  loggers:
    clogger:
      level: DEBUG
      handlers: [console]
    flogger:
      level: WARNING
      handlers: [file]
  root:
    level: DEBUG
    handlers: [console, file]
This example is way more complex than I imagine any given configuration would actually be.
This configuration is then loaded with some code like:
import logging.config

# config = loaded yaml config
logging_conf = config['logging']
# dictConfig requires a schema version; default it so the YAML can omit it
logging_conf.setdefault('version', 1)
logging.config.dictConfig(logging_conf)
For a more concrete dev configuration I anticipate something like:
logging:
  handlers:
    console:
      class: logging.StreamHandler
      level: DEBUG
      stream: ext://sys.stdout
  root:
    level: DEBUG
    handlers: [console]
(which will hopefully work; actual results may vary of course given it's the logging module we're talking about)
Implement ON DELETE at the database level for the ForeignKey from warehouse.accounts.models.Email to warehouse.accounts.models.User.
We're copy/pasting some hardcoded method for generating a Link url, ideally we should be able to simply modify an attribute on a Response to set this.
Currently recliner is using a forked copy of bleach (bleach-py3k) in order to support Python 3. Once upstream has released an updated version that should be switched back.
/simple/
/packages/
/daytime (Is this something we need?)
/pypi/<packagename>/json
This is a current issue on PyPI. Usernames are case sensitive so I can have dstufft, Dstufft, etc.
We need to both make sure this cannot happen in Warehouse, and figure out what sort of transition plan we will use.
Cascading deletes make it easier to programmatically delete whole packages (or releases). While this is convenient it does mean that we must protect against the case where we don't want to allow cascaded deletes.
On the other hand if we prevent cascading deletes that forces people to be explicit by default if they want to delete whole chunks of data and that seems like a better option to me.
-infinity is actually a terrible "we don't have a value" value, so make date_joined nullable and set anything with -infinity to NULL.
When viewing dependencies on the project page, the names should be a link that take you to that dependency's project page.
It would be nice if we had real mimetypes for packages and not just application/x-tar or application/octet-stream.
Currently there are some headers and processes that expect Varnish, or more explicitly Fastly. As reusable software Warehouse really shouldn't depend on Fastly for proper operation. This should be something pluggable.
It'd be useful to add a X-Powered-By header to enable easily checking to see what version of Warehouse is running.
The fields that came from Django have timezone=True, the old fields have timezone=False, we should pick one and use it.
This would include the ability to upload a requirements.txt and get notified for everything in it.
note by @brainwane 2018-03-22: see update