PyPi deployment issue with the pip-tools project: 403

[vphilippon]

Hi,

As a jazzband member, I attempted to make a tag based release for the jazzband/piptools projet: 1.10.0rc1.
The deployment fails with a 401 error, stating that I must be identified to edit a project.

See this Travis-ci log: https://travis-ci.org/jazzband/pip-tools/jobs/240572077

I don't see any changes to the config since the last release (which was usually done by @davidovich )
Although in the log, there's a mention about using an old pypi route.

I ran the job a few times, in case it was only a temporary error, but it's not.
Any chance one of our roadies could help me out here? Thanks!

[jezdez]

@vphilippon We're in the process of investigating a security related issue and have disabled PyPI releases in the meantime.

[vphilippon]

@jezdez Ok, thanks for the heads up!
Notify me when it's done, or if you want to use me (and my release-candidate attempt) as a test subject.

[vphilippon]

@jezdez Do you have an ETA on this? Just to know if we're talking days, weeks or longer?

[vphilippon]

@jezdez Update here:
After retrying (on the same build linked above), I'm now hitting a different error:

HTTPError: 403 Client Error: Invalid or non-existent authentication information. for url: https://upload.pypi.org/legacy/

Is this currently expected, or is there something wrong?

[007]

Ping @jezdez @vphilippon - is this still a problem? Is pip-tools still blocked on releasing updates?

[vphilippon]

Yes, this is still blocking pip-tools releases.

[jezdez]

Hi all, I'm catching up on things after a long leave of absence this summer and will need more time to finish the fixes relating to this issue. In the meantime I'm happy to do a one-off release of pip-tools.

[vphilippon]

@jezdez Wonderfull! I'll prepare a few things for the release (like getting some bugfixes in), and I'll hit you up once it's ready.

[vphilippon]

@jezdez Hi, the last PRs for pip-tools 1.10.0 are merged.

You can go ahead with the release:

• Edit CHANGELOG.md to put the actual release date of 1.10.0.
• Put the 1.10.0 tag.
• Build and upload pip-tools 1.10.0 to Pypi.

The sooner, the better 😄!
Thank you for your time!

[jezdez]

@vphilippon Done! 🎁

[vphilippon]

While some releases were done manually, I have to reiterate that this is still a major blocking issue.

@jezdez Your help with manual releases was greatly appreciated, and I understand we can't just expect you to take care of the release of every project. But after 4 months, we need something to be done here.

If the issue cannot be fixed soon, maybe selecting a temporary "release manager" for project that requires it (active projects like pip-tools) to perform manual releases would be a workaround. That would reduce the bus factor on you.
I'm ready to take the role for pip-tools, and give it back as soon as release-on-tags are back.

As I don't have access to the details of the security issue, I'm sorry if this proposition is actually impossible. I'm looking for solutions and workarounds here.

[jezdez]

Good news everyone, especially @vphilippon, I've finished the feature for the site that will simplify the release process going forward and add the required precautions to prevent malicious releases. Thanks all for the patience.

The short version:

I've worked on a way for Jazzband members to join individual projects as "project members" and also to designate one or many of those to be "lead project members". The idea is to add a tiny bit more structure in the way Jazzband is organized right now and allow those project members to gain more powers that currently only the roadies have. As of right now I have not implemented creating Github teams for every project, but it's on my roadmap.

Once the project is set up for the process (currently a one-time-only process, but with the chance for fully automatic setup for new Jazzband projects) the "lead project members" are able to review package releases done via Travis-CI before they are released to PyPI.

More info here: https://jazzband.co/about/releases

Now I'm looking for someone or a few people who are willing to volunteer to be responsible for the release review of pip-tools. Any takers? @vphilippon?

[davidovich]

This is great news @jezdez. I'd like to propose @vphilippon also as he has taken over with great implication what I thought would be my role... :-). Projects on which we are assigned change and so dependencies also. This is why I think there should be more than one person with this role, if at all possible.

[vphilippon]

@jezdez This news lands 1 week before my birthday, that's one great early gift. Thank you very, very, very much!

I'm certainly interested in taking the role of "lead" project member for pip-tools.
If having multiple leads is an option, then @davidovich I'd propose you join in too if you're interested, so I can at least have someone else in there so I can go on vacation with my mind at ease 😄 .

[jezdez]

Ok, I've pushed the config update in jazzband/pip-tools@34d46b2 and added @vphilippon and @davidovich as lead members of the project.

The release process is the usual, tag/push to github, wait for travis, check your mails with release instructions, review the uploads and trigger the release on the Jazzband site.

Closing this as fixed. But let me know if something doesn't work.

[jezdez]

Woops, minor fix in jazzband/pip-tools@a28fae7.