Jp Calderone | 11 Oct 2005 03:49

Problems registering with PyPI

Today I tried to upload a package to PyPI.  I didn't meet with success.  When I tried to use `python
setup.py register', I received this output:

Server response (400): Invalid classifier "('Intended Audience :: Developers', 'Programming Language
:: Python', 'Development Status :: 2 - Pre-Alpha', 'Topic :: Utilities')"

I pass a tuple of strings as the classifiers argument to setup.  What should I be doing instead?  Is this
documented anywhere?

Next I tried to upload the package information via the web interface.  I received this response:

    Error processing form

    Missing required field "name"

The PKG-INFO file I uploaded is the one `python setup.py sdist' spat out.  Among the fields present in it is
"Name: package".  What went wrong here?

I didn't try re-entering all my metainfo in the form on the website, so I can't say if that works or not.

Jp
Ben Bangert | 13 Oct 2005 21:07

Policies for packages where the author is unavailable

Several packages out there, including Python Paste, and several I'm  
working on have dependencies on a Python package called WSGI Utils.  
Unfortunately WSGI Utils is not packaged for setuptools and the  
Cheese Shop, nor have I been able to contact the author about having  
it added. The name also needs to be changed to WSGIUtils as the space  
appears to cause problems.

What is the policy for having packages adapted to setuptools, and put  
on Cheese Shop in absence of official registration from the package  
author?

In the case of WSGI Utils, the license appears to be a BSD license so  
I see no license restrictions preventing the redistribution from  
Cheese Shop. It would be nice if there was some policy in place for  
people to be 'maintainers' of a CheeseShop package in the case the  
author is either not interested or unavailable to do this themselves.

Thanks,
Ben
Ian Bicking | 22 Oct 2005 21:20

Re: Policies for packages where the author is unavailable

Ben Bangert wrote:
> Several packages out there, including Python Paste, and several I'm  
> working on have dependencies on a Python package called WSGI Utils.  
> Unfortunately WSGI Utils is not packaged for setuptools and the  
> Cheese Shop, nor have I been able to contact the author about having  
> it added. The name also needs to be changed to WSGIUtils as the space  
> appears to cause problems.

Colin has applied some changes I've sent to him, but I haven't heard
back on a couple things I've sent him since then.  Oh well, it happens
to all of us at times.

> What is the policy for having packages adapted to setuptools, and put  
> on Cheese Shop in absence of official registration from the package  
> author?

Since I don't notice any responses to this, I suppose that means there's
no policy.  I think I've brought this up before, for the same kind of
reasons -- inaccuracies in entries (usually URLs), abandoned entries, or
missing entries.

Anyway, you can have multiple people with ownership (or at least admin
access) on an entry.  So I think it's okay to set up an entry (which in
this case would point to your own package, probably with a version
number that somehow distinguished it from the version it was [lightly]
forked from).

> In the case of WSGI Utils, the license appears to be a BSD license so  
> I see no license restrictions preventing the redistribution from  
> Cheese Shop. It would be nice if there was some policy in place for  
(Continue reading)

Phillip J. Eby | 23 Oct 2005 07:08

How to verify cheeseshop signatures?

Does anybody know how to verify cheeseshop signatures?  I was just trying:

    gpg --verify roundup-0.9.0b1.tar.gz.asc roundup-0.9.0b1.tar.gz

which results in:

gpg: Signature made Fri Oct  7 01:39:29 2005 EDT using DSA key ID 41C6E930
gpg: Can't check signature: public key not found

This seems to imply that to check a signature, you have to have the 
author's public key, and there's no way offered to get it via the cheese shop.

Or is it looking for *my* public key for some reason?  Or am I just 
confused about how this thing is supposed to work?
Jp Calderone | 23 Oct 2005 08:55

Re: How to verify cheeseshop signatures?

On Sun, 23 Oct 2005 01:08:10 -0400, "Phillip J. Eby" <pje <at> telecommunity.com> wrote:
>Does anybody know how to verify cheeseshop signatures?  I was just trying:
>
>    gpg --verify roundup-0.9.0b1.tar.gz.asc roundup-0.9.0b1.tar.gz
>
>which results in:
>
>gpg: Signature made Fri Oct  7 01:39:29 2005 EDT using DSA key ID 41C6E930
>gpg: Can't check signature: public key not found
>
>This seems to imply that to check a signature, you have to have the
>author's public key, and there's no way offered to get it via the cheese shop.
>
>Or is it looking for *my* public key for some reason?  Or am I just
>confused about how this thing is supposed to work?
>

The required key is indicated in the message.  You just need to retrieve it:

gpg --import 41C6E930

Re-running --verify should now work.

Jp
Martin v. Löwis | 23 Oct 2005 13:54

Re: How to verify cheeseshop signatures?

Jp Calderone wrote:
> The required key is indicated in the message.  You just need to retrieve it:
> 
> gpg --import 41C6E930
> 
> Re-running --verify should now work.

Partially, yes: it will verify that the signature was made by the public
key with that key ID. That doesn't mean you know for sure that the
person you assume to be behind the key really is the "owner" of the key.

For that, you would actually have to validate the public key, e.g. by
looking at the signatures on the public key, and checking whether you
recognize them, and whether you believe they would only sign keys for
people they have verified in person.

This is nothing cheeseshop could help with: the web of trust really is
between people, not between technology.

Regards,
Martin
Phillip J. Eby | 23 Oct 2005 18:02

Re: How to verify cheeseshop signatures?


>Jp Calderone wrote:
> > The required key is indicated in the message.  You just need to 
> retrieve it:
> >
> > gpg --import 41C6E930
> >
> > Re-running --verify should now work.

It doesn't.  I get "gpg: can't open `41C6E930': No such file or directory".

At 01:54 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>Partially, yes: it will verify that the signature was made by the public
>key with that key ID. That doesn't mean you know for sure that the
>person you assume to be behind the key really is the "owner" of the key.
>
>For that, you would actually have to validate the public key, e.g. by
>looking at the signatures on the public key, and checking whether you
>recognize them, and whether you believe they would only sign keys for
>people they have verified in person.
>
>This is nothing cheeseshop could help with: the web of trust really is
>between people, not between technology.

So, from a practical perspective, the current signature implementation is 
of no use whatsoever to the vast majority of cheeseshop users.

It seems like it would make more sense to use a format that includes a 
certificate signature chain (as with Ruby Gems).  Having to manually track 
the keys of individual authors sort of goes against the whole point.
(Continue reading)

Jp Calderone | 23 Oct 2005 18:28

Re: How to verify cheeseshop signatures?

On Sun, 23 Oct 2005 12:02:17 -0400, "Phillip J. Eby" <pje <at> telecommunity.com> wrote:
>
>>Jp Calderone wrote:
>> > The required key is indicated in the message.  You just need to retrieve 
>>it:
>> >
>> > gpg --import 41C6E930
>> >
>> > Re-running --verify should now work.
>
>It doesn't.  I get "gpg: can't open `41C6E930': No such file or directory".
>

You may not have gnupg configured with any key servers.  I am currently using hkp://subkeys.pgp.net, if
that's any help.

>
>At 01:54 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>>Partially, yes: it will verify that the signature was made by the public
>>key with that key ID. That doesn't mean you know for sure that the
>>person you assume to be behind the key really is the "owner" of the key.
>>
>>For that, you would actually have to validate the public key, e.g. by
>>looking at the signatures on the public key, and checking whether you
>>recognize them, and whether you believe they would only sign keys for
>>people they have verified in person.
>>
>>This is nothing cheeseshop could help with: the web of trust really is
>>between people, not between technology.
>
(Continue reading)

Phillip J. Eby | 23 Oct 2005 18:47

Re: How to verify cheeseshop signatures?

At 12:28 PM 10/23/2005 -0400, Jp Calderone wrote:
>On Sun, 23 Oct 2005 12:02:17 -0400, "Phillip J. Eby" 
><pje <at> telecommunity.com> wrote:
>>
>>>Jp Calderone wrote:
>>> > The required key is indicated in the message.  You just need to 
>>> retrieve it:
>>> >
>>> > gpg --import 41C6E930
>>> >
>>> > Re-running --verify should now work.
>>
>>It doesn't.  I get "gpg: can't open `41C6E930': No such file or directory".
>
>You may not have gnupg configured with any key servers.  I am currently 
>using hkp://subkeys.pgp.net, if that's any help.

This worked:

$ gpg --keyserver hkp://subkeys.pgp.net --recv-keys 41C6E930
gpg: requesting key 41C6E930 from hkp server subkeys.pgp.net
gpg: key 41C6E930: public key "Richard Jones <richard <at> commonground.com.au>" 
imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify roundup-0.9.0b1.tar.gz.asc roundup-0.9.0b1.tar.gz
gpg: Signature made Fri Oct  7 01:39:29 2005 EDT using DSA key ID 41C6E930
gpg: Good signature from "Richard Jones <richard <at> commonground.com.au>"
(Continue reading)
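Martin's caveat above is the practical one: "Good signature" (and the "no ultimately trusted keys found" line in the transcript just shown) means the signature was made by the key with that ID, not that the key belongs to the package author. The checker below is an added example, not code from the thread or from PyPI/Cheese Shop; it reads the machine-readable lines gpg emits with `--status-fd` (the `[GNUPG:] GOODSIG`, `BADSIG`, `VALIDSIG`, `NO_PUBKEY` and `TRUST_*` keywords are gpg's own status vocabulary) and accepts a signature only when the signing key's full fingerprint is in a locally pinned set, which is the per-author key tracking Phillip objects to having to do by hand. The sample transcripts, the long key IDs, the fingerprint and the e-mail address are constructed for the example; only the trailing short key ID 41C6E930 echoes the thread.

```python
"""Decide whether a detached signature should be accepted, from gpg --status-fd output.

Added example (not from the thread). A cryptographically valid signature proves only
that the holder of a particular key signed the file; whether that key is the author's
is a separate decision, made here by pinning the key's full fingerprint locally.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class SignatureStatus:
    good_sig: bool = False                # GOODSIG: signature valid, key was available
    bad_sig: bool = False                 # BADSIG: signature does not match the data
    missing_key_id: Optional[str] = None  # NO_PUBKEY: key gpg could not find locally
    key_id: Optional[str] = None          # long key ID from GOODSIG/BADSIG
    fingerprint: Optional[str] = None     # primary key fingerprint from VALIDSIG
    trust: Optional[str] = None           # TRUST_UNDEFINED / TRUST_FULLY / ... (web of trust)


def parse_status(lines: Iterable[str]) -> SignatureStatus:
    """Parse gpg --status-fd lines; the human-readable 'gpg:' lines are ignored."""
    st = SignatureStatus()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.startswith(STATUS_PREFIX):
            continue  # only the [GNUPG:] lines are a stable interface
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG" and args:
            st.good_sig, st.key_id = True, args[0]
        elif keyword == "BADSIG" and args:
            st.bad_sig, st.key_id = True, args[0]
        elif keyword == "NO_PUBKEY" and args:
            st.missing_key_id = args[0]
        elif keyword == "VALIDSIG" and args:
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk_algo> <hash_algo>
            #          <class> <primary_fpr>; prefer the primary-key fingerprint when present.
            st.fingerprint = (args[9] if len(args) >= 10 else args[0]).upper()
        elif keyword.startswith("TRUST_"):
            st.trust = keyword
    return st


def verdict(st: SignatureStatus, pinned: Iterable[str]) -> Tuple[bool, str]:
    """Accept only a valid signature whose key fingerprint is pinned; explain every rejection."""
    pinned_set = {re.sub(r"\s+", "", f).upper() for f in pinned}  # tolerate 'XXXX XXXX' spacing
    if st.bad_sig:
        return False, "BADSIG: file does not match the signature"
    if st.missing_key_id:
        return False, f"NO_PUBKEY {st.missing_key_id}: fetch and pin the key before trusting it"
    if not (st.good_sig and st.fingerprint):
        return False, "no GOODSIG/VALIDSIG pair: nothing was verified"
    if st.fingerprint not in pinned_set:
        return False, f"valid signature by unpinned key {st.fingerprint} (gpg trust: {st.trust})"
    return True, f"valid signature by pinned key {st.fingerprint}"


def check(lines: Iterable[str], pinned: Iterable[str]) -> Tuple[bool, str]:
    return verdict(parse_status(lines), pinned)


# Constructed sample transcripts (not real gpg output). Key IDs, fingerprint and address
# are made up; only the short ID 41C6E930 mirrors the thread.
FPR_RICHARD = "1111222233334444555566667777888841C6E930"
MISSING_KEY = [
    "gpg: Signature made Fri Oct  7 01:39:29 2005 EDT using DSA key ID 41C6E930",
    "[GNUPG:] ERRSIG 7777888841C6E930 17 2 00 1128663569 9",
    "[GNUPG:] NO_PUBKEY 7777888841C6E930",
    "gpg: Can't check signature: public key not found",
]
GOOD_UNPINNED = [
    "[GNUPG:] GOODSIG 7777888841C6E930 Richard Jones <richard@example.invalid>",
    'gpg: Good signature from "Richard Jones <richard@example.invalid>"',
    f"[GNUPG:] VALIDSIG {FPR_RICHARD} 2005-10-07 1128663569 0 3 0 17 2 00 {FPR_RICHARD}",
    "[GNUPG:] TRUST_UNDEFINED",
]
BAD = ["[GNUPG:] BADSIG 7777888841C6E930 Richard Jones <richard@example.invalid>"]

if __name__ == "__main__":
    for name, sample in [("missing key", MISSING_KEY), ("good, unpinned", GOOD_UNPINNED), ("bad", BAD)]:
        print(f"{name:>15} -> {check(sample, [])}")
    print(f"{'good, pinned':>15} -> {check(GOOD_UNPINNED, [FPR_RICHARD])}")
```

To use it against a real download, run `gpg --status-fd 1 --verify pkg.tar.gz.asc pkg.tar.gz`, feed its stdout to `check`, and keep the pinned fingerprints in a file you obtained out of band (the author's web page, a previous release, a face-to-face exchange). The first fetch of a key still has to be trusted once, which is exactly the gap Martin describes; pinning makes that a one-time decision per author rather than a per-release one.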

Martin v. Löwis | 23 Oct 2005 19:07

Re: How to verify cheeseshop signatures?

Phillip J. Eby wrote:
> 
>> Jp Calderone wrote:
>> > The required key is indicated in the message.  You just need to 
>> retrieve it:
>> >
>> > gpg --import 41C6E930
>> >
>> > Re-running --verify should now work.
> 
> 
> It doesn't.  I get "gpg: can't open `41C6E930': No such file or directory".

It's not --import, but --recv-keys. I get

martin <at> mira:~$ gpg --recv-keys 41C6E930
gpg: requesting key 41C6E930 from hkp server wwwkeys.pgp.net
gpg: key 41C6E930: "Richard Jones <richard <at> commonground.com.au>" 31 new 
signatures
gpg: public key CA66D0B1 is 24595 seconds newer than the signature
gpg: public key CA66D0B1 is 24557 seconds newer than the signature
gpg: 3 marignal-needed, 1 complete-needed, classic Trust-Modell
gpg: depth: 0  valid:   3  signed:  40  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: public key CA66D0B1 is 24557 seconds newer than the signature
gpg: depth: 1  valid:  40  signed: 120  trust: 36-, 0q, 0n, 0m, 4f, 0u
gpg: depth: 2  valid:  60  signed: 151  trust: 53-, 0q, 0n, 0m, 7f, 0u
gpg: depth: 3  valid:  29  signed:  78  trust: 26-, 0q, 0n, 0m, 3f, 0u
gpg: depth: 4  valid:   6  signed:   8  trust: 5-, 0q, 0n, 1m, 0f, 0u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2005-11-13
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
(Continue reading)
