[Important] Blocked, unable to make new releases. #531

Closed
vphilippon opened this issue Jun 8, 2017 · 12 comments

@vphilippon
Member

vphilippon commented Jun 8, 2017

Edit, see 2nd reply and onward
Hi all!

As you might have noticed, I've been preparing stuff for the 1.10.0 release.

But, as I tried to create 1.10.0rc1, I stumbled upon an error with the upload on PyPI. I've contacted the Jazzband roadies, and it seems they disabled PyPI releases while they are investigating a security-related issue (jazzband/help#64).

So once this is fixed, I'll release 1.10.0rc1, give some time for the brave out there to test it, and then go for 1.10.0.

While I'm here: Thanks again to all for your time and for taking the time to make community-maintainable contributions. It's not as easy as when having one BDFL, but it's necessary and lets people like me sleep a little better at night.
Cheers!

@vphilippon
Member Author

Heads up: Still waiting for the roadies to investigate and/or address the security issue and reactivate the PyPI uploads. I try to monitor this daily, so you'll be notified as soon as I get the green light.

Also, no promises, but I'll try to get some simple PRs merged and add them to the 1.10.0 release, as this release issue is taking longer than I expected.

Thanks for your patience!

@dfee
Contributor

dfee commented Aug 4, 2017

@vphilippon any updates on this front?

@vphilippon
Member Author

@dfee None, unfortunately. I'm still waiting for a reply from the roadies about the PyPI authentication.

@nvie By any chance, do you still have access to PyPI to make a pip-tools release, or were your rights revoked when moving to jazzband?

vphilippon changed the title from "1.10.0rc1 and 1.10.0 releases heads up" to "[Blocked, unable to make new releases] 1.10.0rc1 and 1.10.0 releases heads up" on Aug 8, 2017

@dfee
Contributor

dfee commented Aug 28, 2017

Strange as it sounds, is it possible to back this repo out of the jazzband organization, as it's been going on three months now where you've been unable to push code?

@vphilippon
Member Author

vphilippon commented Aug 29, 2017

Small update here: It seems the original security issue is still in cause (according to a recent reply from @jezdez to another similar issue).

@dfee I feel like it's not a small decision to take (which I can't take either), and we might have other solutions to look at right now.
Also, small clarification just in case: we're still able to merge PRs and push code. We just can't publish the package to PyPI.

@jezdez As a roadie, in the current situation, is it possible for you to manually perform an upload to PyPI for us?
I don't intend to ask for a release each week, but at least we could release the work from the past few months.

@vphilippon
Member Author

Good news: While the release-on-tag feature is still disabled, @jezdez indicated he'll be able to do a one-off release of pip-tools.

I've marked PR #567 and PR #557 for the 1.10.0 release, as they'll fix some common issues. I suggest we get those in, and then go ahead for the 1.10.0 release.

@vphilippon
Member Author

Hi all, the last PRs for 1.10.0 are merged, I've given the go for the release, so we'll freeze the code until the release.

@vphilippon
Member Author

🎉 pip-tools 1.10.0 was officially released! 🎉

@vphilippon
Member Author

@jezdez We missed a pretty awful bug, essentially breaking pip-sync on Python 3. If you find some time for releasing 1.10.1, that would be great.
Sorry about that.

@vphilippon
Member Author

@jezdez We got another important bugfix in that would require a 1.10.2 release, if you have the time.
If we ever meet at PyCon or somewhere, I owe you a coffee.

vphilippon changed the title from "[Blocked, unable to make new releases] 1.10.0rc1 and 1.10.0 releases heads up" to "[Important] Blocked, unable to make new releases." on Oct 23, 2017

@vphilippon
Member Author

Great news: We should be able to get back on making pip-tools releases. I'll let you all read up here:
jazzband/help#64 (comment)

So @davidovich and myself are currently assuming the new Lead role on pip-tools. This essentially means that we are responsible for approving any release before it reaches the main PyPI.

I intend to release 1.10.2 soon. I'll report back to confirm that we're unblocked once I see the release on PyPI.

@vphilippon
Member Author

1.10.2 is out, everything is rolling!
🍰
