[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12642 [Ooni]: Can Network Attacker Downgrade Dependency Install Security?



#12642: Can Network Attacker Downgrade Dependency Install Security?
---------------------------+---------------------
     Reporter:  earthrise  |      Owner:  hellais
         Type:  defect     |     Status:  new
     Priority:  normal     |  Milestone:
    Component:  Ooni       |    Version:
   Resolution:             |   Keywords:
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+---------------------

Comment (by nathan-at-least):

 Note, this kind of problem is widespread in the python community, and
 several different projects are attempting a similar solution as found
 here.

 One example I've recently been introduced to is the petmail `safe_develop`
 `setup.py` command:
 https://github.com/warner/petmail/blob/master/setup.py#L131

 In this Ooni case, the README is correct, but I believe it's likely that
 users will fail to follow the instructions in various ways.  For example,
 if they pasted the quoted lines above into a bash script with the default
 `set +e` behavior, then they may not notice if pip fails and then
 `setup.py` proceeds to re-download (potentially malicious) dependencies.

 For another example, Least Authority (or someone else on `mlab1`) appears
 to have run `python ./setup.py install` without ever running the `pip`
 command, perhaps just from muscle memory.  After all, that's "how you
 install python packages", right?

 I don't know of a good solution at the moment.  I know that `pip install
 .` will delegate to `setup.py`, but would it be possible to convince `pip
 install .` to *also* do the equivalent of `pip install -r requirements.txt
 --use-mirrors` prior to delegating to `setup.py`?  In other words, is
 there a way to replace the quoted instructions above with "just run `pip
 install .` " ?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12642#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs