PyPad



  • @aitap this already happens to Google Chrome extensions today so… not like it’s a new as-yet unencountered problem.

    Maybe we should just make everyone build everything from scratch again. You want networking, roll your fucking own.

    I would miss talking to you all, though.


  • Considered Harmful

    To re-rail the topic somewhat, the greatest problem I've had with 2FAs is that the phone or that other whachamacallit is not within reach, and I have to get up my arse to go and get it quick. So it's... uh, exercise is good for you.



  • Y’all did know that GitHub is also going to mandate 2FA for all code contributors by the end of 2023, right?


  • BINNED

    @Arantor said in PyPad:

    I would miss talking to you all, though.

    All of us? 🚎

    On the serious note, it seems like some of you are arguing that there's no moral way to buy a webserver and put up a page with some source code on it and say, "I found this useful. If you like it, use it. If not, don't. I'm not going to provide any support for you either way."

    That seems wrong to me.



  • @Applied-Mediocrity said in PyPad:

    @Kamil-Podlesak said in PyPad:

    this is how it works in the real world.

    Ah yes, the "real world" argument. Always an indicator of someone's imagined intellectual superiority, because clearly your fellow developers - who do not, however, share your beliefs - must be imagining things.

    Ok, I take it back and change it to

    this is how it works in most cases, in my experience.

    Will you take off your high horse and stop claiming that your fellow developers (those who do not, however, share your beliefs) are not imagining things? Or do you still claim your intellectual superiority?


  • Trolleybus Mechanic

    @aitap said in PyPad:

    Another question for me would be account recovery. If you lose the password or the TOTP device, what do you do next? This can make the situation back into a single-factor authentication scenario.

    That device is usually a SIM card issued by the operator, who should give you a copy after verifying your ID. In theory. Because we already have problems with people getting such a duplicate SIM with a photocopied passport or no ID whatsoever.



  • @Applied-Mediocrity said in PyPad:

    I have to get up my arse to go and get it

    Why do you keep your phone up your arse?


  • Considered Harmful

    @Kamil-Podlesak Don't kink-shame, bro.



  • @Steve_The_Cynic phones vibrate, right?


  • Fake News

    @sebastian-galczynski said in PyPad:

    You all focus on open/closed source too much. The problem is completely different: repositories like pip or npm are not in any way curated and they let individual maintainers break shit.
    Other repos, for example Linux distributions, don't work that way. You can't delete a package from Debian because you had a bad day. Now of course applying this kind of management to npm or pip is going to cost you a lot of money and slow down "progress", but it sure can be done.

    Yeah, the most surprising thing still is that PyPI allows users to delete things. Sonatype, the maintainers of the Maven Central Repository, have a strict write-once-only policy and I guess people have gotten used to that and the other policies without so much fuss.

    Meanwhile the Python guys have started discussing disallowing deletes (Trigger Warning: Discourse) and seem to swing between "but think of the users" and "but think of when a programmer makes a mistake!"

    The response to the latter should IMHO be "ask the author to admit the mistake and push a new version, then rotate their private keys if they leaked something sensitive".



  • @Applied-Mediocrity said in PyPad:

    most of the users do not contribute back in any useful way, they only take.

    Given the competence of most users, do you really want them contributing?


  • BINNED

    @GuyWhoKilledBear said in PyPad:

    On the serious note, it seems like some of you are arguing that there's no moral way to buy a webserver and put up a page with some source code on it and say, "I found this useful. If you like it, use it. If not, don't. I'm not going to provide any support for you either way."

    That seems wrong to me.

    Of course not. If he just wants to dump his code and not support it in any way, that's fine. PyPI might be the wrong place for that. Or not, no idea.

    But did he actually say that? I don't know for sure, but since he's had multiple versions of it and uploaded it to that repository, I kind of assumed that's not the case. The point is, assuming he wants people to actually use his code and at least minimally support it, instead of being completely indifferent about it, his reaction of "I'll rather delete the code than authenticate it myself" seems to run opposite to that goal.


  • BINNED

    @JBert said in PyPad:

    The response to the latter should IMHO be "ask the author to admit the mistake and push a new version, then rotate their private keys if they leaked something sensitive".

    A short time frame (like one week) where edits are allowed before freezing it would also work, IMO.



  • Christ even Packagist (PHP’s equivalent) gets this more right - no deletions after 100 downloads. Anything beyond that requires a conversation with the management.


  • Considered Harmful

    The deletion problem is not unique to developers. NexusMods introduced their "collections" some time ago. It's basically sort of a distribution of a bunch of mods that makes sure all the right versions and dependencies are present. It's not only convenient, but it started to become a problem. Once included in such a collection, a mod could never be deleted from the site. A bunch of people got very pissed, yeeted all their stuff and left. Now everybody's worse for it. Why? Beats me. Temper-tantrum throwing tits that can't handle the least bit of order and responsibility.



  • @Arantor said in PyPad:

    this already happens to Google Chrome extensions today so… not like it’s a new as-yet unencountered problem.

    Exactly! Not sure about packages becoming malware after legitimately being transferred, but "legitimate developer uploading malware" includes typosquatting, which has already happened on PyPI.

    I'd like to see some statistics on this, though. Maybe things like typosquatting are much rarer or have less expected impact than hackers taking over accounts of "critical" developers. I don't know.
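Typosquatting of the kind mentioned above is normally caught on the consuming side, before anything is installed, by comparing each requested name against a list of well-known projects. The following is an added example written for this page, not code from the post, from PyPI or from any real scanner: the popular-name list and the requirements are constructed for illustration, the distance thresholds are the example's own choice, and the only rule taken from the real ecosystem is PEP 503 name normalization, which PyPI applies, so `Django` and `django` are the same project and must not be flagged.

```python
import re

# Constructed sample data for this example (not PyPI's real top-N list).
POPULAR = ["requests", "urllib3", "numpy", "django", "flask",
           "cryptography", "setuptools", "pillow", "six"]
REQUIREMENTS = ["reqeusts", "urlib3", "numpy", "Django", "djang0",
                "pyflask-tools", "six"]


def normalize(name: str) -> str:
    """PEP 503 normalization: PyPI treats names that differ only in case or
    in runs of '-', '_' and '.' as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus a
    single swap of adjacent characters, which is the most common typo."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[la][lb]


def max_distance_for(name: str) -> int:
    """Tolerance scales with length (example's own thresholds): short names sit
    close to many unrelated words, so only one edit counts; longer names get two."""
    return 1 if len(name) < 8 else 2


def find_typosquats(requested, popular):
    """Return {requested_name: (closest_popular_name, distance)} for names that
    are not a known project themselves but sit within typo distance of one."""
    known = {normalize(p) for p in popular}
    hits = {}
    for raw in requested:
        name = normalize(raw)
        if name in known:
            continue                      # exact normalized match: the real thing
        target, dist = min(((p, osa_distance(name, p)) for p in sorted(known)),
                           key=lambda t: t[1])
        if dist <= max_distance_for(name):
            hits[raw] = (target, dist)
    return hits


if __name__ == "__main__":
    for name, (target, dist) in find_typosquats(REQUIREMENTS, POPULAR).items():
        print(f"suspicious: {name!r} is {dist} edit(s) from {target!r}")
```

In practice the popular list comes from the registry's own download statistics and the check runs in CI against the lock file; a hit is a warning to look at the project page, not proof of malice, since some legitimate forks really are one letter away from the original.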



  • @Applied-Mediocrity thing is the street is far more two-way than we want to talk about. Namely, people that start using such things get shitty when the things don’t do exactly what they want, how they want it, because there’s a lot of shitty entitled people out there.

    Case in point, I released over 100 addons for the SMF forum platform. (It’s open source, so are almost all my addons) But what ultimately soured me and discouraged me from supporting and maintaining them were the shits who decided that a thing I built for me and cared to share was almost what they wanted except for not really and would I possibly mind spending my free time to further their needs?

    Now, some of these were really small stretch goals, as it were - things where I had made it do x and y where z was another half an hour’s work? Sure, fine, just don’t be a dick about it and I’ll try and help.

    But when we’re in the territory of me spending maybe 20 hours on a thing and then being asked to retool it in such a way that would take another 10+ hours, for a setup that is pretty unique to that individual? In my spare time with no compensation? Fuck off with that. Then you want to trash talk me for it, or as in the one genius case actually threaten me? Fuck off, that’s when I start to consider taking my ball and going home.

    This happens more than you’d think, and is part of the reason open source devs are “toxic” because they won’t unilaterally do whatever people ask just because they ask.



  • @sebastian-galczynski said in PyPad:

    That device is usually a SIM card issued by the operator, who should give you a copy after verifying your ID. In theory. Because we already have problems with people getting such a duplicate SIM with a photocopied passport or no ID whatsoever.

    My experience here is similar to @topspin's. Tying something to a phone number makes things extremely hard by the time I inevitably lose that number for bullshit reasons. I've been taking care of my phone numbers and I still lost one; thankfully, no accounts I couldn't live without were tied to it. A friend of mine who's not so careful and moved to a different country is currently on number 9 and has lost their WhatsApp and social network accounts at least once.

    @loopback0 said in PyPad:

    Apps like Authy have the option for backups or sync across multiple devices. Also most services I've got 2FA setup for offer recovery codes.

    True, shared TOTP secrets I can at least back up, and PyPI does send two hardware tokens per developer for exactly this purpose. Formally, syncing the TOTP secrets from the phone to the computer makes it less than two-factor auth, but that's okay, I won't argue no true Scotsman here.



  • @HardwareGeek said in PyPad:

    @Applied-Mediocrity said in PyPad:

    most of the users do not contribute back in any useful way, they only take.

    Given the competence of most users, do you really want them contributing?

    Yes. Because even a bad implementation of a good idea can conceal a good idea that I didn't think of. So let them contribute a PR, and I can easily end up profiting from it even if I don't accept it as-written.


  • BINNED

    @topspin said in PyPad:

    @GuyWhoKilledBear said in PyPad:

    On the serious note, it seems like some of you are arguing that there's no moral way to buy a webserver and put up a page with some source code on it and say, "I found this useful. If you like it, use it. If not, don't. I'm not going to provide any support for you either way."

    That seems wrong to me.

    Of course not. If he just wants to dump his code and not support it in any way, that's fine. PyPI might be the wrong place for that. Or not, no idea.

    But did he actually say that? I don't know for sure, but since he's had multiple versions of it and uploaded it to that repository, I kind of assumed that's not the case.

    What he actually said, per TFA: "I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so," wrote Unterwaditzer.

    He wanted his code to be non-critical so he wouldn't have to support it as much.

    The point is, assuming he wants people to actually use his code and at least minimally support it, instead of being completely indifferent about it, his reaction of "I'll rather delete the code than authenticate it myself" seems to run opposite to that goal.

    The delete/reupload thing was a way to artificially reset the download count, which is how they decided which projects were critical (and thus needed to do the 2FA thing).

    Ultimately, the thing he uploaded to the site was Python source code. Anyone who wants to audit their software supply chain can easily audit the code by looking at it and seeing if it's malware.

    If you want to make a product with a secure supply chain, that should be your responsibility. Not the responsibility of some rando who you're not paying.



  • @Applied-Mediocrity said in PyPad:

    The deletion problem is not unique to developers. NexusMods introduced their "collections" some time ago. It's basically sort of a distribution of a bunch of mods that makes sure all the right versions and dependencies are present. It's not only convenient, but it started to become a problem. Once included in such a collection, a mod could never be deleted from the site. A bunch of people got very pissed, yeeted all their stuff and left. Now everybody's worse for it. Why? Beats me. Temper-tantrum throwing tits that can't handle the least bit of order and responsibility.

    The problem here isn't deletions; it's expectation management. In any system where one package can depend on another, it's intuitively obvious that the deletion of a dependency fundamentally needs to be verboten. So of course all sorts of contributors miss this point, which was so obvious that it was never made explicit, and confusion ensues. If NexusMods had simply stated this up-front, from the beginning, the problem would not exist. Instead, you have stupid mod authors who didn't understand the obvious complaining about the rules getting changed out from under them.


  • Considered Harmful

    @Mason_Wheeler said in PyPad:

    If NexusMods had simply stated this up-front

    They did. The Big Boss put up a 10 paragraph long explanation of the whole ordeal. The comments thread had to be locked soon after.



  • @aitap said in PyPad:

    @sebastian-galczynski said in PyPad:

    That device is usually a SIM card issued by the operator, who should give you a copy after verifying your ID. In theory. Because we already have problems with people getting such a duplicate SIM with a photocopied passport or no ID whatsoever.

    My experience here is similar to @topspin's. Tying something to a phone number makes things extremely hard by the time I inevitably lose that number for bullshit reasons. I've been taking care of my phone numbers and I still lost one; thankfully, no accounts I couldn't live without were tied to it. A friend of mine who's not so careful and moved to a different country is currently on number 9 and has lost their WhatsApp and social network accounts at least once.

    @loopback0 said in PyPad:

    Apps like Authy have the option for backups or sync across multiple devices. Also most services I've got 2FA setup for offer recovery codes.

    True, shared TOTP secrets I can at least back up, and PyPI does send two hardware tokens per developer for exactly this purpose. Formally, syncing the TOTP secrets from the phone to the computer makes it less than two-factor auth, but that's okay, I won't argue no true Scotsman here.

    :wtf_owl: How do you lose a phone number?

    I've had the same number for close to 15 years now. I first got it with a work-issued perk phone. When I left the job I asked them if they would transfer control of the number to me, as I'd been there for years and had certain identity elements (such as those discussed ⬆) tied to it, and they agreed. I sent them back the phone and kept the number on the new phone I bought, and I've been using it ever since.



  • @GuyWhoKilledBear said in PyPad:

    Anyone who wants to audit their software supply chain can easily audit the code by looking at it and seeing if it's malware.

    [image]



  • @Applied-Mediocrity said in PyPad:

    @Mason_Wheeler said in PyPad:

    If NexusMods had simply stated this up-front

    They did. The Big Boss put up a 10 paragraph long explanation of the whole ordeal. The comments thread had to be locked soon after.

    By up-front I mean "from the beginning, since NexusMods was first created." Is that what they did, and mod authors just didn't notice for a while, or...?


  • ♿ (Parody)

    @GuyWhoKilledBear said in PyPad:

    What he actually said, per TFA: "I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so," wrote Unterwaditzer.

    Back when I still had the time and energy I wrote a lot of OS code in a community. I had a couple of people approach me to pay me to support something and I declined because I didn't want to have to deal with that. I was happy that other people found my code useful but I definitely didn't want it to become another job instead of a fun hobby.


  • Considered Harmful

    @Mason_Wheeler To be honest it was rather abrupt if you weren't keeping up with things. The collections feature was mulled over for several years, but never took off (until now). The deletion debate started along with it (because it's a logical question).

    Then one day last summer an announcement was made that you won't be able to delete stuff anymore, other than by submitting a request, with a rather short deadline of a couple weeks. It wasn't handled very well from either side, that much is true.



  • @Applied-Mediocrity Yeah. That was :trwtf:; it should have been illegal to delete anything that's a dependency of another thing from day 1. This should have been enforced at the database foreign-key level, at the very least. Any lesser policy is simply stupid, because it invites exactly this sort of mess.
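Three rules have been floated in this thread for when a published release may be removed: a short edit window before it freezes, a download threshold past which deletion needs a human, and an outright refusal to delete anything another release depends on, enforced by the database's foreign keys rather than by application code. They fit in one small registry schema. The following is an added example for this page, not any registry's real code: SQLite stands in for the real database, the thresholds (one week, 100 downloads) are illustrative, the scenario data is constructed, and the write-once tombstone rule is the example's own addition in the spirit of the Maven Central policy described earlier in the thread.

```python
import sqlite3

DAY = 86400

SCHEMA = """
CREATE TABLE releases (
    id          INTEGER PRIMARY KEY,
    name        TEXT    NOT NULL,
    version     TEXT    NOT NULL,
    uploaded_at INTEGER NOT NULL,            -- unix time
    downloads   INTEGER NOT NULL DEFAULT 0,
    UNIQUE (name, version)
);
-- A release that something else depends on cannot be deleted: RESTRICT makes
-- the database refuse, whatever the application layer forgets to check.
CREATE TABLE dependencies (
    dependent_id  INTEGER NOT NULL REFERENCES releases(id) ON DELETE CASCADE,
    dependency_id INTEGER NOT NULL REFERENCES releases(id) ON DELETE RESTRICT,
    PRIMARY KEY (dependent_id, dependency_id)
);
-- Write-once: a (name, version) that was ever published can never be reused,
-- so a deleted release cannot be quietly replaced by different bytes.
CREATE TABLE tombstones (name TEXT NOT NULL, version TEXT NOT NULL,
                         PRIMARY KEY (name, version));
CREATE TRIGGER tombstone AFTER DELETE ON releases
BEGIN INSERT INTO tombstones (name, version) VALUES (OLD.name, OLD.version); END;
CREATE TRIGGER write_once BEFORE INSERT ON releases
WHEN EXISTS (SELECT 1 FROM tombstones WHERE name = NEW.name AND version = NEW.version)
BEGIN SELECT RAISE(ABORT, 'version was already published once'); END;
"""


def open_registry() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FKs unless asked
    conn.executescript(SCHEMA)
    return conn


def publish(conn, name, version, uploaded_at, requires=()):
    """Insert a release and its dependency edges; raises IntegrityError on reuse."""
    rid = conn.execute(
        "INSERT INTO releases (name, version, uploaded_at) VALUES (?, ?, ?)",
        (name, version, uploaded_at)).lastrowid
    for dep_name, dep_version in requires:
        (dep_id,) = conn.execute(
            "SELECT id FROM releases WHERE name = ? AND version = ?",
            (dep_name, dep_version)).fetchone()
        conn.execute("INSERT INTO dependencies VALUES (?, ?)", (rid, dep_id))
    conn.commit()
    return rid


def try_delete(conn, name, version, now, grace=7 * DAY, max_downloads=100):
    """Self-service deletion only while the release is young and unpopular
    (illustrative thresholds) and only if nothing depends on it; anything
    else goes to a human. Returns (deleted, reason)."""
    row = conn.execute(
        "SELECT id, uploaded_at, downloads FROM releases WHERE name = ? AND version = ?",
        (name, version)).fetchone()
    if row is None:
        return False, "no such release"
    rid, uploaded_at, downloads = row
    if now - uploaded_at > grace:
        return False, "frozen: grace period is over, ask an admin"
    if downloads > max_downloads:
        return False, "frozen: download threshold exceeded, ask an admin"
    try:
        conn.execute("DELETE FROM releases WHERE id = ?", (rid,))
    except sqlite3.IntegrityError:          # ON DELETE RESTRICT fired
        conn.rollback()
        return False, "refused: other releases depend on it"
    conn.commit()
    return True, "deleted"


def can_reupload(conn, name, version, now) -> bool:
    try:
        publish(conn, name, version, now)
        return True
    except sqlite3.IntegrityError:          # write_once trigger fired
        conn.rollback()
        return False


def demo():
    """Constructed scenario exercising each rule once."""
    conn = open_registry()
    t0 = 1_700_000_000
    publish(conn, "libfoo", "1.0", t0)
    publish(conn, "libfoo", "1.1", t0 + 20 * DAY)
    publish(conn, "app", "2.0", t0 + 21 * DAY, requires=[("libfoo", "1.1")])
    conn.execute("UPDATE releases SET downloads = 250 WHERE name = 'libfoo' AND version = '1.0'")
    conn.commit()
    now = t0 + 22 * DAY
    return {
        "old_and_popular": try_delete(conn, "libfoo", "1.0", now),
        "has_dependents": try_delete(conn, "libfoo", "1.1", now),
        "fresh_and_unused": try_delete(conn, "app", "2.0", now),
        "reupload_same_version": can_reupload(conn, "app", "2.0", now),
    }


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

The ordering matters: the dependency check is the one rule that does not live in `try_delete` at all, so a second code path that forgets the policy (an admin tool, a bulk cleanup script) still cannot orphan a dependent release, which is exactly the guarantee the post above asks for.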


  • Considered Harmful

    @Mason_Wheeler I agree. But you see that 1) people get irrationally pissy about that (or in fact anything attempting to bring order and responsibility peace and prosperity to my new empire) and 2) it doesn't even come to mind to most until it becomes a very serious problem.

    Much like early programs and websites, game mods, up until recent times, didn't use to have very deep dependency trees. Most of them still have none at all. I figure it's good that it was recognized at all.



  • @Applied-Mediocrity said in PyPad:

    But you see that 1) people get irrationally pissy about that

    This is why I say that it's an expectations-management problem. If this had been understood from the very beginning, it would have served as a filter, keeping the people who would have gotten pissy about it from contributing in the first place.


  • Considered Harmful

    @Mason_Wheeler Drawing heavy parallels with most open sores, it was all a hobbyist website, then it became a small business, and over the years slowly snowballed into a very big deal. One day someone had to make some tough decisions.

    Some time ago they yanked lifetime memberships because hosting petabytes of crap on multiple CDNs all over the world was starting to become very expensive. That was yet another shitshow.



  • @Arantor said in PyPad:

    See, not everyone who makes and releases open source is doing so for nerd cred, some of us do so simply because we made a thing for our own use and felt like sharing in the hopes it would be useful.

    Can confirm.

    I started writing my program in Dec 2002 and published it (initially) on SourceForge in July 2003.



  • @Gurth said in PyPad:

    Hell, even if I would write something I suspect would sell well, I’d probably still give it away for free because I CBA to do all the work needed to sell it …

    And there's that!



  • @topspin said in PyPad:

    when the closed source crap disables the license servers

    Adobe. Assholes. (I tried to move my copy of FileMaker8 from an old machine to a new one. Couldn't because the license server is gone. Even tho my license is valid.)



  • @dcon said in PyPad:

    Adobe. Assholes.

    Pleonasm spotted.



  • @aitap said in PyPad:

    Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, United Kingdom, and the United States

    I personally know more developers from outside these countries than ones living in these countries, but I suppose that PyPI have done their homework and chose the places where the developers of the "critical" packages actually live.

    It has nothing to do with PyPI; ultimately Google is the one giving away the devices and those are the countries where you can buy them from the Google Store. It could have something to do with US export restrictions or it could just be where Google has fulfillment centers.



  • @boomzilla said in PyPad:

    [image]

    This source code is provided AS IS, with no warranties of merchantability, fitness for a particular purpose, or promises of continued support. It is not the fault of Maintainer that the industry has bet the farm on there continuing to be Free¹ Shit maintained by unpaid volunteers to a standard that typically commands top dollar.

    ¹ That's free as in "we don't have to pay for it", Stallman.



  • @Arantor said in PyPad:

    Y’all did know that GitHub is also going to mandate 2FA for all code contributors by the end of 2023, right?

    Just want to leave this here again. Expect this shitnado to come around again next autumn when npm authors suddenly have to comply too.



  • @Mason_Wheeler said in PyPad:

    How do you lose a phone number?

    I got that SIM card when I went to another country for an internship. Before I left the country, I made sure to top it up. I regularly turned it on and checked the balance, but one day, it just decided not to register with the network and never worked again. Last time I checked, they just didn't have offices around here.


  • Discourse touched me in a no-no place

    @sebastian-galczynski said in PyPad:

    The problem is completely different: repositories like pip or npm are not in any way curated and they let individual maintainers break shit.

    Museums and libraries have known for a long time that curation is a very hard problem, and only really fixable by paying people to do it as a full-time job. That this also applies to software is unsurprising. It doesn't just happen by magic; while some gets done by the grace of people's goodness, it doesn't get spread across the whole range of things; it's the breadth (and avoiding of corners quietly rotting) that you need to pay for.

    That's without passing any comment at all on whether the original things in the collection were any good.


  • Discourse touched me in a no-no place

    @Kamil-Podlesak said in PyPad:

    the source (usually the best documentation available

    The source only really tells you what the program does, but not what it is intended to do or what the map of the ecosystem of expectation it sits within is. Some source is better than that, but an awful lot of it isn't.


  • Discourse touched me in a no-no place

    @aitap said in PyPad:

    I regularly turned it on and checked the balance, but one day, it just decided not to register with the network and never worked again.

    It's possible that it was a SIM that only worked with older versions of GSM protocols and it stopped working when the support for that version was dropped by whoever your local network providers are. I'm not saying that was definitely it, of course, but it's the kind of thing that it could be; a tech service change under your feet that you weren't even aware of needing to care about.



  • @dkf said in PyPad:

    a tech service change under your feet that you weren't even aware of needing to care about.

    Looks like we have come full circle in this thread.



  • @dkf said in PyPad:

    @Kamil-Podlesak said in PyPad:

    the source (usually the best documentation available

    The source only really tells you what the program does, but not what it is intended to do or what the map of the ecosystem of expectation it sits within is. Some source is better than that, but an awful lot of it isn't.

    If the intention cannot be deduced from the documentation nor from the source code, it's a clear sign to get rid of the whole thing. The same applies if there is a mismatch.


  • Discourse touched me in a no-no place

    @Kamil-Podlesak said in PyPad:

    If the intention cannot be deduced from the documentation nor from the source code, it's a clear sign to get rid of the whole thing. The same applies if there is a mismatch.

    Or that someone needs to actually write that damn stuff down and get it to be expressed where people other than themselves can know it. Good documentation is often only present in systems that are mature (and an awful lot gets shipped without it); there are formal models of this in software engineering circles.



  • @dkf said in PyPad:

    curation is a very hard problem ... avoiding of corners quietly rotting

    True. That reminds me of one of the YT channels I subscribe to. It's put out by the curator of the Battleship New Jersey Museum and Memorial. One of the things he's mentioned in several videos is that typically old ships don't rust from the outside in, they rust from inside out. It's usually not the obvious seawater rusting the ship's hull that causes a problem. It's condensation and leaks in internal plumbing that causes rust in void spaces that nobody goes into that eventually eats through the hull from the inside.

    Every once in a while, somebody needs to go into those quiet corners of the repo and check for rusty modules.

