goodwill: good project, sooner or later I want to add that functionality to pip itself
though I think it'll require a new requirements.txt language
goodwill
I mean signage alone is awesome
dstufft
stuffing more things into the current one is kinda gross
goodwill
prolly
dstufft
on the "let's add cryptography into packaging" front, PEP 458 is probably a thing that's going to happen
goodwill
sontek: I do not even see add_command in click docs search
ah found it
there are no examples for it
dstufft
which will enable better verification of things you're downloading from PyPI (no longer requiring you to trust the CDN or mirrors)
ree
and considering the current events, this sounds like a darn good idea
goodwill
right
dstufft
you still have to trust the servers that we run for PyPI, and you have to trust shady people like myself who run PyPI :D but other random people no
ree
better to do that before the nsa decides to poison packages in the cheeseshop
goodwill
:-P
dstufft: well assuming there could be other PyPIs
dstufft
the NSA can probably seize the servers that run PyPI since they are on US soil
goodwill
dstufft: have you decided what you want to use yet?
gavinc
meh, I don't trust libcrypto so I think we're mostly doomed at this point ;)
goodwill
this reminds me
welcome to Russia my fellow Americans ;)
ree
they won't seize it, they would inject malicious code into packages.
dstufft
goodwill: nope! I didn't mess with it much since earlier today. I've been working on getting pypi-legacy to stop using the filesystem to store packages and start using an object store
ree
which is how they infiltrate enough machines on the net for their operations
dstufft
so that I can make warehouse not need to run on the same machines ;(
goodwill
dstufft here is considering writing next PyPI maybe in Pyramid ... I say we group hug him to make it easier for him
:-D
ree
sounds like a good choice ;)
gavinc
whoa, pypi currently exists on a single file system?
dstufft
gavinc: wellllll
it's a horrible glusterfs cluster
rafaelhbarros has quit
gavinc
heh
dstufft
it's 2x glusterfs nodes which are mounted via FUSE on x3 web nodes, with x2 8GB RAM/SSD boxes running postgresql
my plan is to move to using multiple mirrored object stores for the package files (and eventually the installer API altogether) and have fastly hit the object stores directly
so that ``pip install whatever`` does not rely on moving parts on our end
gavinc
+1 more URLs, less file handles
sontek
devpi already uses pyramid so might as well keep the trend going
(although I wouldn't use them as a model pyramid project)