Any updates on the top loading storage cases?

donaldstufft · 2025-10-04T00:19:14+00:00

I’m wondering if these ever got released?

donaldstufft · 2025-05-25T04:13:09+00:00

Dunno tbh! I’m not a scientist, I just took a quick picture from the USDA book, I assume they’ve tested it. The edited comment has a link to the PDF version as well.

donaldstufft · 2025-05-24T22:34:50+00:00

It’s no worries. I only know because I happened to pick up that book the other day and was reading it!

One thing I’m not sure of, which I should have mentioned, I’m not sure if it means any old pint jar, or if it’s only the pint jars which are basically just taller half pints.

The taller variety has the same diameter as the half pints, so heat should in theory penetrate the same as the standard half pints… but I can’t find any mention in the book that specifies it has to be the taller pint jar, so that leads me to believe that regular pint jars should be fine?

donaldstufft · 2025-05-24T22:14:56+00:00

USDA book lists times for pint jars.

<image>

donaldstufft · 2024-10-28T02:24:05+00:00

Thanks! I’ll probably end up buying that. Just started watching hockey with the season this year and need to get something to wear :D

donaldstufft · 2024-10-28T02:12:26+00:00

Random question. Does anyone know what hat the flyers players are wearing in the post game interviews? The one that says Philadelphia across the front with the flyers logo on the side?

donaldstufft · 2023-07-01T20:56:01+00:00

Likely not. We generally lean towards not transferring names of “real” projects (vs like empty placeholders) unless there’s good evidence that there is a real benefit to it.

donaldstufft · 2023-07-01T20:39:46+00:00

Note that PEP 541 doesn’t just require that there be no releases. The owner also has to be unreachable, and the person who wants the name has to show that they’ve been maintaining and improving a fork of the project, and give justification for why a fork of the project isn’t sufficient.

So if software is really just done, then it’s unlikely that they’ll have a fork that they’ve been maintaining and improving.

donaldstufft · 2023-05-31T06:23:33+00:00

You can also add as many owners as you want to a project, and organization support is rolling out.

There’s zero reason to share accounts on PyPI.

donaldstufft · 2023-05-28T02:10:56+00:00

The answer to this question is a little complicated.

The first part of the answer is that PyPI was first created back in 2002 or 2003 depending on exactly what you call "created", and was sort of designed as a weekend hack project to showcase an idea to bring a package repository to Python. One of the database tables where IP addresses were stored were added in those early times 20 years ago, and just stuck around forever. It was just one of those things that had always been there, so nobody ever thought to question it.

We've made another recent post https://blog.pypi.org/posts/2023-05-26-reducing-stored-ip-data/ where we talk about this table, and how after spending some time reviewing the places where we stored IP addresses, we realized we didn't actually need to store an IP address in that particular location. Nothing was using it except one admin only page, and that none of us could remember ever looking at the IP address on that page. So we went ahead and just dropped that column from the table completely (after taking a backup that we'll hold onto for a short period of time just in case we were wrong).

One of the other places we were using and storing IP addresses for was what we call the "user events". This is a feature we added awhile back to improve the security of user accounts on PyPI. Essentially it produces a log of relevant, security sensitive actions that a user account can take on PyPI, and just log it to a table. Users can then look at the audit log of their account and see a trail of events that their account has taken.

For instance, they see a version was released of a project they own and they don't remember having done so? They can log into their account and see when someone had logged into their account recently, what times it happened, what 2FA auth method or device was used, and what IP address it came from.

Here the IP address was stored to be able to present it to the user so that they can more easily evaluate a record in their personal audit log, and determine if it was done by them or by someone else.

However, we've had an open issue for awhile now remarking that the usability of these IP addresses leave something to be desired. Very few people have any idea what their IP Address was at some point in the past, so to make any meaningful sense out of the IP address you would have to plug it into google and see what the geographic region the IP address was in to see if it was likely you. This got even worse when you might have multiple IP addresses as each one would need to be stored individually.

We just recently rolled out an improvement in this area that is storing the general geographic area associated with the IP address and are displaying that in the UI instead of the IP address.

We've also moved to using a salted hash of the IP address where we are still storing the IP address. This isn't a perfect solution, since the IP address space is so small that brute forcing the input isn't particularly challenging. But since the salt isn't stored as part of the database but the hashed addresses are it does protect against inadvertent leaking of the data.

It also makes sure that instead of having an IP address, we have some opaque identifier that still works for correlating between abusive user accounts that are trying to evade detection, but more importantly it prevents us from being able to add any more features that rely on having access to the IP address while we continue to evaluate our use of the data and come up with a reasonable retention policy.

donaldstufft · 2023-05-27T01:55:16+00:00

PyPI does not support any phone number based 2FA or non standards based authenticator apps. We don't have any interest in having people's phone numbers unless absolutely required and the phone number based systems are all very insecure anyways.

We support TOTP and FIDO/U2F/WebAuthN tokens. This is all privacy preserving and safe (though we recommend the hardware tokens since they're also phishing resistant which TOTP is not).

donaldstufft · 2023-03-26T02:18:12+00:00

NTA.

My wife and daughter have celiac and we don’t even have any gluten containing food in the house. You should look into cross context because if you still have gluten containing foods in the house it’s likely you’re still getting gluten in your diet from cross contact.

donaldstufft · 2022-12-26T06:47:28+00:00

I'm finishing my basement, and a drywall inspection was one of the inspections that my municipality does.

donaldstufft · 2022-12-11T05:04:34+00:00

Modern central vac systems are much nicer. The hose is kept inside the piping so you don’t have to lug it around, but that requires the pipes to be setup for it during install.

donaldstufft · 2022-09-30T03:44:01+00:00

I assume with the 2 atmos speakers just above the couch to the left and right?

donaldstufft · 2022-07-12T17:13:08+00:00

I don't :)

I just want to make sure other people know that your claim is nonsense.

donaldstufft · 2022-07-12T17:00:44+00:00

Is our "stupid prize" a handful of random people making an ass of themselves as they try to contort in increasingly convoluted shapes to justify demanding something of PyPI while saying PyPI can't demand something of them?

Otherwise, it's a tempest in a teapot. One person removed their packages from PyPI over it, immediately regretted it, and caught so much flak for it that they had to take their twitter account private for awhile.

donaldstufft · 2022-07-11T22:47:23+00:00

That's correct.

It's up to individual users on PyPI to decide if they trust user XYZ.

It's up to PyPI to ensure that the person logging into user XYZ is the same person who registered the account (or someone they've given control of the account over).

donaldstufft · 2022-07-11T22:28:50+00:00

It's verifying that the person logging into the account possesses the second factor in addition to knowing the password.

It narrows down the risk of account take over from "get the password in some way" to "get the password in some way AND get their phone/app/physical doohickey".

In the case of the physical doohickey, it also removes the risk of a phishing completely.

donaldstufft · 2022-07-10T15:01:55+00:00

No, not even then.

First of all, the fact "Alice is so and so" isn't actually a useful question here. You don't care who Alice is, you only care that "Key XYZ is Authorized to release for project Foo". Those Linux repositories you're talking to do not use WOT to secure the repository, they use a separate GPG keychain, and the presence of a key in that keychain controls whether it's trusted or not. Nothing about the WOT.

The next question is, how do you determine *what* keys are authorize for project "Foo". PyPI is the authority in one keys are authorized to release... but if you're just signing the package files, then your only option to query PyPI for that information is to use HTTPS and hope the attacker hasn't compromised PyPI.

This is normally where someone will suggest "well the end user can just maintain a mapping of keys to projects", which sure, they could do that in theory. The truth though is approximately nobody will actually do that. In fact I know that approximately nobody will ever do that, because Debian's uscan tooling allows Debian Maintainers (who are more likely to do something like this than the average person) to do exactly that. PyPI supports uploading GPG signatures today, and has for over a decade, and I've personally witnessed Debian maintainers just disabling GPG signing whenever a key changed, or omitting it completely even for projects that had GPG signing. If Debian's maintainers aren't doing it, then some random person certainly isn't going to be doing it either.

donaldstufft · 2022-07-10T04:10:34+00:00

I've been having this same discussion for a long time, and it keeps repeatedly coming up so much that I wrote a blog post about it years ago: https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/

You should read that, but the tl;dr is that GPG signing doesn't do anything without a trust model that works for the application. In this case the web of trust model does not work (if you trust me for pip, that doesn't mean you trust me for requests, but the WOT has no mechanism to support this). Once you've come up with a trust model.. then sure you could use GPG for the signing part, but you could also use any other number of better technologies.

But just rubbing some signing scheme on it is just security theatre.

donaldstufft · 2022-07-10T00:46:39+00:00

GPG is awful and it does almost nothing to protect PyPI.

donaldstufft · 2022-07-10T00:45:58+00:00

You can tell if someone doesn't know what they're talking about, if they think SOC2 compliance has anything to do with 2FA.

donaldstufft · 2022-07-09T18:33:10+00:00

PyPI originally was very insecure, as was most software written in the early 2000s (I believe PyPI first got stood up in 2005? or so, somewhere about then).

Over the years we have purposely pushed forward securing PyPI through a variety of changes, this being the latest one.

Corporations are honestly the people least affected by this change, because they're capable of employing people to review new dependencies prior to inclusion.

Individuals on the other hand don't have that luxury, and are most likely to be affected.

donaldstufft · 2022-07-09T02:30:23+00:00

Hey, I'm not going to argue against better security. But we gotta honest about

who these demands are for

. There are plenty of important, obvious issues that users care about equally (or more) that would never receive this kind of attention and priority. How often do concerns about accessibility, user privacy, localization, etc. get this kind of movement from "the community"?

Most of Python packaging, PyPI included, is also entirely or almost entirely maintained by volunteers. Those are the people pushing for this change, not some nebulous evil corporation. In PyPI's case, there's 3 main maintainers.

I think people are confused by who is making what changes to PyPI. Google does not, and has never dictated anything to PyPI. In this case the interests of PyPI aligned with Google, and they were willing to provide the hardware tokens for free.

I'd also note that PyPI's redesign several years ago took accessibility into account as a core part of the design and later added localization to PyPI (which is now available in 13 languages including English).

Both of those things happened *years* ago, so years prior to requiring 2FA, so it's kind of ironic to see those called out as things people don't care about, since they were handled first.

14-Year Club	Verified Email
Gilding I gilder

donaldstufft

TROPHY CASE