= Prioritizing some extant (mostly security) issues =

22 March 2019

Participants:
* Dustin Ingram
* Donald Stufft
* Ernest W. Durbin III
* William Woodruff
* Sumana Harihareswara

Warehouse issues to discuss:

* https://github.com/pypa/warehouse/issues/4440 Implement soft deletes for projects, releases and files
** Still open questions about how to implement this? Priority?
** Dustin has an open branch
*** wants the feature sooner rather than later
*** needs help making the query efficient
** Donald + Ernest think it's a nice-to-have, not a prerequisite for any planned upcoming work
** TODO: Dustin to link to the branch in the issue -- '''DONE'''

* https://github.com/pypa/warehouse/issues/5247 Roadmap update for TUF support
** Facebook money? Pradyun work?
** Ernest: part of the Facebook research grant intends for some form of [signing]; decisions [on implementation] will be part of the Q3/Q4 RFI/RFP. Mid-April: get the RFI out. July: kickoff for the project; decide whether TUF is what we go with. This is on the radar; funding exists.
** Will: is a little familiar with TUF, knows some NYU Tandon people working on it, no strong opinions on whether it's the right tool here
** TODO: Sumana to update the issue and link to the blog post http://pyfound.blogspot.com/2018/12/upcoming-pypi-improvements-for-2019.html -- '''DONE'''

* https://github.com/pypa/warehouse/issues/4470 Add javascript/frontend validation of breached passwords
** Facebook money? Priority?
** Don't add to OTF scope, unless we have a lot of empty hands at the end of this funding/project
** Dustin: we already do some breached password checking; not as important to also do it on the frontend. Would be nice if a volunteer comes along with JS experience.
** Will: agrees
** TODO: Sumana to seek volunteers (lowkey) -- '''DONE'''

* https://github.com/pypa/warehouse/issues/798 Security Notification Systems for Python Packages
** Facebook money? Priority?
** Dustin: this is also (?) a pip issue tracker bug: how do we tell the user that they may be trying to install something taken down as malware?
** related to the #345 and #3709 issues
** related: https://github.com/pypa/warehouse/issues/3896, https://github.com/pypa/warehouse/issues/2982, etc.
** design concerns -- see next point

* https://github.com/pypa/warehouse/issues/345 Ability to mark a version of a package as deprecated or unsupported AND https://github.com/pypa/warehouse/issues/3709 Offer a discouraged/deprecated releases option?
** WIP PR: https://github.com/pypa/warehouse/pull/1462
** Ernest: we need a system for generic flags and statuses on projects, e.g. marking for moderation and abuse
*** chewy big system design; big enough to get financial help, or see if partners will help by implementing it -- Continuum maybe?
** TODO: Sumana to list as part of the "if we had money, we could have that thing" list seeking grants and donations -- '''DONE''' at [[Fundable Packaging Improvements|Fundable Packaging Improvements]]

* https://github.com/pypa/warehouse/issues/3417 Add ability to configure a redirect for documentation previously hosted by PyPI
** Read the Docs & Ernest -- what is the next step here?
** Implemented in conveyor: https://github.com/pypa/conveyor/pull/3
** just needs UI in Warehouse to place the magic redirect file -- was ready last year
** TODO: Ernest to update the issue -- '''DONE'''
** TODO: Sumana to massage the issue to seek volunteers -- '''DONE'''

* https://github.com/pypa/warehouse/issues/5584 Warehouse doesn't check whether uploaded packages ending in tar.gz are actually tarballs
** Is this a problem? Priority?
** Dustin: this is easy, we should just do it. Why aren't we doing it right now? Just an oversight.
** Donald: legacy PyPI didn't do it; ported old behavior. Tarballs implemented 15 yrs ago, gzip 10 yrs ago :-)
** Will: if easy to verify ... in audits, people will accidentally bomb their sys in the recursive validation process. Sandbox the process!
*** verifying a tarball's soundness can make it easy to introduce DoSes due to tarbombs
** TODO: Will to update the issue -- '''DONE'''
** TODO: Sumana to ask for volunteers -- '''DONE'''

Other:
* Will seeking review on https://github.com/pypa/warehouse/pull/5567 (WIP PR)
* Dustin: about to push new discussion re manylinux spec
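The tar.gz check discussed under #5584, as an added Python example that is not Warehouse's own code: it confirms that an upload named *.tar.gz really is a gzip-compressed tar by walking the tar headers without extracting anything, and caps both the decompressed size and the member count so a tarbomb is rejected early rather than exhausting the checker (Will's DoS point). The function name, the limits and the sample archives are assumptions constructed here.

```python
import gzip
import io
import tarfile
import zlib

def check_tar_gz(data, max_decompressed=64 * 1024 * 1024, max_members=10_000):
    """Classify an upload named *.tar.gz as 'ok:<members>', 'not-gzip', 'not-tar' or 'too-large'.
    Only tar headers are parsed and nothing is extracted; the limits are hypothetical defaults."""
    if data[:2] != b"\x1f\x8b":  # gzip magic number; a zip or plain tar fails here
        return "not-gzip"
    payload = io.BytesIO()
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
            # Decompress in chunks and stop as soon as the budget is exceeded, so a tarbomb
            # is rejected after the budget instead of being expanded in full (or onto disk).
            while chunk := gz.read(65536):
                payload.write(chunk)
                if payload.tell() > max_decompressed:
                    return "too-large"
    except (OSError, EOFError, zlib.error):
        return "not-gzip"  # magic present but the gzip stream is corrupt or truncated
    payload.seek(0)
    try:
        with tarfile.open(fileobj=payload, mode="r:") as tar:
            count = sum(1 for _ in tar)  # walks member headers only; never extracts
    except tarfile.TarError:
        return "not-tar"
    return "too-large" if count > max_members else f"ok:{count}"

def build_tar_gz(members):
    """Build a constructed in-memory .tar.gz from (name, payload) pairs (demo input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed samples: a genuine sdist-like archive, a gzip whose payload is not a tar, and a
# small tarbomb (4 MiB of zeros compresses to a few KiB, so upload size alone reveals nothing).
GOOD_SDIST = build_tar_gz([("pkg-1.0/PKG-INFO", b"Name: pkg\n"),
                           ("pkg-1.0/setup.py", b"from setuptools import setup\nsetup()\n")])
GZIP_BUT_NOT_TAR = gzip.compress(b"README text, not a tar archive")
TARBOMB = build_tar_gz([("pkg-1.0/zeros.bin", b"\x00" * (4 * 1024 * 1024))])
```

Running the checker inside a sandboxed worker with its own memory and time limits, as suggested in the notes, is still worthwhile: the byte budget bounds the decompressor's output, but the process limits cover anything the parser itself gets wrong.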