[tahoe-lafs-trac-stream] [tahoe-lafs] #2055: Building tahoe safely is non-trivial
tahoe-lafs
trac at tahoe-lafs.org
Mon Mar 17 13:43:35 UTC 2014
#2055: Building tahoe safely is non-trivial
-------------------------+-----------------------------------
Reporter: leif | Owner: daira
Type: defect | Status: new
Priority: normal | Milestone: undecided
Component: unknown | Version: 1.10.0
Resolution: | Keywords: install security eggs
Launchpad Bug: |
-------------------------+-----------------------------------
Comment (by dstufft):
Oldish ticket, but it was linked to me today!
So here's some information about various versions of packaging tools and
what they support wrt HTTPS.
pip < 1.3 - YOLO with HTTP all around
pip 1.3 - Hits PyPI using HTTPS (does not fall back to HTTP), however it
automatically scrapes things located on a packages /simple/foo/ page on
PyPI, which may be hosted over HTTP, additionally if anything uses a
setup_requires that is downloaded+installed by setuptools not pip,
additionally if a package has dependency_links then pip will also scrape
those which may be hosted via HTTP, uses an old copy of root certificates
that were incorrectly taken from mozilla's trust root and are old.
pip 1.4 - Mostly the same as 1.3, however it adds the ability to disable
scraping external site to PyPI, uses an old copy of root certificates that
were incorrectly taken from mozilla's trust root and are old.
pip 1.5 - Switches the options in 1.4 to on by default, pip no longer
scrapes sites other than PyPI by default, additionally disables processing
dependency links by default. With the default configuration the only non
HTTPS network access can come from setup_requires. Uses an up to date (at
time of release) bundled ca bundle that was properly taken from Mozilla
(via a tool agl wrote).
pip 1.6 (future/proposed) - Removes the ability to enable dependency links
at all, takes control of setup_requires so that setuptools no longer has
any control over it and ``pip install <something>`` by default is only
over verified HTTPS unless the user invoking pip explicitly uses a HTTP
url somewhere.
setuptools < 0.7 - YOLO with HTTP all around
setuptools >= 0.7 - Will use HTTPS to hit PyPI, may or may not actually be
active because it attempts to discover certificates and I believe it fails
open, installing depends on an old version of certifi which incorrectly
uses the mozilla cert bundle and is outdated. Can still use HTTP if listed
on a project /simple/foo/ or inside of a dependency link. No way to
specify it must be loaded over HTTPS but can restrict which hosts are
used.
FWIW pip --no-download is bad and you shouldn't use it. If you want to do
that you should download the packages to a directory (you can use pip
install --download <directory> [package [package ...]] for that) and then
use pip install --no-index --find-links <directory> [package [package
...]].
You can tell easy_install/setuptools not to hit the network by telling it
the allowed hosts are 'None'
(http://pythonhosted.org/setuptools/easy_install.html#restricting-
downloads-with-allow-hosts).
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2055#comment:10>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
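The scraping problem dstufft describes above (links on a /simple/foo/ page that point to other hosts or to plain HTTP, which older pip and setuptools would follow) can be audited offline. The following is an added example written for this page; it is not code from the ticket, from pip or from setuptools. It parses a constructed sample of a legacy simple-index page, resolves every link, and reports any that are not HTTPS or whose host is outside an allow-list matched the way the easy_install `--allow-hosts` option matches glob patterns (a simplified reimplementation, assumed here; the sample HTML, the page URL and the allow-list patterns are all constructed for the example).

```python
"""Audit the download links a /simple/<project>/ index page would hand to an
installer, flagging links that are plain HTTP or point outside an allow-list
of hosts.  Defender-side check written for this example; not pip/setuptools."""
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a legacy PyPI-style simple index page.  Such pages
# listed release files plus "download"/"homepage" links that installers
# followed to other hosts, sometimes over plain HTTP.
SAMPLE_INDEX_HTML = """
<html><body>
<a href="../../packages/source/f/foo/foo-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef" rel="internal">foo-1.0.tar.gz</a><br/>
<a href="http://example.org/downloads/foo-1.1.tar.gz" rel="download">foo-1.1 download_url</a><br/>
<a href="https://files.pythonhosted.org/packages/foo-1.2.tar.gz">foo-1.2.tar.gz</a><br/>
<a href="http://foo-project.example.com/" rel="homepage">foo home_page</a><br/>
</body></html>
"""

# Assumed page URL and allow-list for the example (the patterns are globs,
# as in easy_install's --allow-hosts).
SAMPLE_PAGE_URL = "https://pypi.python.org/simple/foo/"
SAMPLE_ALLOW_HOSTS = ("pypi.python.org", "*.pythonhosted.org")


class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        if attr.get("href"):
            self.links.append((attr["href"], attr.get("rel") or ""))


def host_allowed(hostname, allow_hosts):
    """Glob-style host matching in the spirit of --allow-hosts (simplified).

    A pattern of 'None', as suggested in the easy_install docs, allows nothing
    simply because no real host name equals that literal string."""
    hostname = hostname.lower()
    return any(fnmatchcase(hostname, pattern.lower()) for pattern in allow_hosts)


def audit_index_page(html, page_url, allow_hosts):
    """Return one finding per link: (absolute_url, rel, problems).

    `problems` is a list of strings; an empty list means the link is HTTPS
    and its host matches the allow-list."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, rel in collector.links:
        url = urljoin(page_url, href)          # resolve relative links
        parts = urlsplit(url)
        problems = []
        if parts.scheme != "https":
            problems.append("scheme %r is not HTTPS" % parts.scheme)
        if not host_allowed(parts.hostname or "", allow_hosts):
            problems.append("host %r not in allow-list" % parts.hostname)
        findings.append((url, rel, problems))
    return findings


def unsafe_links(findings):
    """Filter audit findings down to the links an installer should not fetch."""
    return [f for f in findings if f[2]]


if __name__ == "__main__":
    results = audit_index_page(SAMPLE_INDEX_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOW_HOSTS)
    for url, rel, problems in results:
        status = "ok" if not problems else "; ".join(problems)
        print("%-8s %s -> %s" % (rel or "-", url, status))
```

Run against the sample, the relative release-file link resolves to HTTPS on pypi.python.org and passes, the files.pythonhosted.org link passes via the glob, and the two external HTTP links are each flagged twice (wrong scheme and host not allowed). Pointing the same audit at a mirror's pages, or at the `dependency_links` of a setup.py, gives a quick view of what an installer in the "scrape everything" configurations described above would have been willing to fetch.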