Improve scheme check in repo url #602
Try this:
urlparse('mailto:user@example.com')
And then continue to alter this until we have a real HTTP(S) URL
Yes, this gives the scheme as
I am not sure what you meant by "continue to alter this", are you asking me to alter the example, or the code to accept this as a valid repository URL (I assume it's not), or you want to add additional checks of schema. If we only allow
There are many URIs that It's not a matter of checking for the scheme being in that tuple (in fact, we would really rather never upload over plain-text).
That's a very valid point. Also, I think you are pointing towards using rfc3986, which you also pointed out in #597 (comment). I was actually under the assumption that a solution achieved with standard Python modules, instead of using an external library, would be preferred, but if that is not the case, I can surely update my PR to use this library.
@deveshks how could I have been clearer in that message that a third-party library was an acceptable solution to the problem?
So are you saying that a third party library is not an acceptable solution, or is it an acceptable solution (Sorry I couldn't understand it from this statement) Also when you said
What I understood from it is that the check I have applied here using the scheme of the URL might not be enough to cover all the allowed cases, so it's not worth spending time on it. Instead add a library (like
Hi, The last feedback I received in this PR wasn't really clear to me, and I asked a follow-up comment above to clarify it. Could someone please look at the same and help me bridge the gap in my understanding and move this PR forward?
Hi @sigmavirus24, Could you please let me know what changes need to be done here so that I can move this PR forward 😊 @bhrutledge, I would appreciate your thoughts as well on this.
@deveshks A third-party library is an acceptable solution here.
My point isn't that it isn't worth spending time on doing it here, but that it won't be as complete as a third-party solution and it makes little sense to keep re-implementing the same things without a really good reason not to include that third-party solution.
@sigmavirus24, thank you for your response. Can I then go ahead and use rfc3986 to check the schema and update the PR? Also to include this library, do I need to update it on pyproject.toml:require, or are there other places I need to add it?
Yes I think you need to update Line 36 in a0ec139
pyproject.toml is purely for packaging twine
I also observed that some places in the tests module, especially where we create the URLs for devpi-server we use How do we handle these cases, given that we should only allow Or do we simply allow both
I have made the necessary changes to use
I do not find it desirable for URLs we know support TLS, e.g., pypi.org. That said, some folks could be using twine against internal instances (e.g., DevPI) and they may not want to manage TLS certificates for that. In that case, I think we also have code that looks for PyPI and replaces
You are correct. Lines 140 to 144 in d5c6a98
Given this fact, I will go ahead and allow both
Looking good. Thanks again for working through the feedback; mine is mostly around code style.
Thanks for the changes. I thought of a few more. 😅
Thanks! I'm good with this, though I'm going to defer to @sigmavirus24 for final approval.
Fixed and closes #597
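
An added example, not code from this PR or from twine: it contrasts a scheme-only check with one that also requires a host, the gap the review raises with the `mailto:` URI. It uses only the standard library's `urllib.parse` rather than rfc3986, the library the thread settles on; the function names and every sample URL except the `mailto:` one are constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")  # the thread settles on allowing both


def scheme_only_check(url: str) -> bool:
    """The kind of check the review pushes back on: scheme membership alone."""
    return urlsplit(url).scheme in ALLOWED_SCHEMES


def check_repository_url(url: str) -> str:
    """Return url unchanged if it is an absolute HTTP(S) URL with a host.

    Raises ValueError naming the missing or unexpected component.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:  # e.g. unbalanced brackets in an IPv6 literal
        raise ValueError(f"unparseable repository URL {url!r}: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r} in {url!r}")
    if not host:
        raise ValueError(f"no host in repository URL {url!r}")
    return url


# Constructed sample inputs (not taken from the PR, apart from the mailto URI).
SAMPLES = [
    "https://upload.example.org/legacy/",
    "http://localhost:3141/root/pypi/",
    "mailto:user@example.com",
    "https:upload.example.org/legacy/",
    "https:///legacy/",
    "upload.example.org/legacy/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            check_repository_url(sample)
            verdict = "ok"
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(f"{sample!r}: scheme-only={scheme_only_check(sample)} full={verdict}")
```

`https:upload.example.org/legacy/` and `https:///legacy/` pass the scheme-only check because `urlsplit` reports their scheme as `https` while leaving the host empty, so only the second function rejects them.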