Re: [tor-bugs] #12642 [Ooni]: Can Network Attacker Downgrade Dependency Install Security?
#12642: Can Network Attacker Downgrade Dependency Install Security?
---------------------------+---------------------
Reporter: earthrise | Owner: hellais
Type: defect | Status: new
Priority: normal | Milestone:
Component: Ooni | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
---------------------------+---------------------
Comment (by nathan-at-least):
Note, this kind of problem is widespread in the python community, and
several different projects are attempting a similar solution as found
here.
One example I've recently been introduced to is the petmail `safe_develop`
`setup.py` command:
https://github.com/warner/petmail/blob/master/setup.py#L131
In this Ooni case, the README is correct, but I believe it's likely that
users will fail to follow the instructions in various ways. For example,
if they pasted the quoted lines above into a bash script with the default
`set +e` behavior, then they may not notice if pip fails and then
`setup.py` proceeds to re-download (potentially malicious) dependencies.
For another example, Least Authority (or someone else on `mlab1`) appears
to have run `python ./setup.py install` without ever running the `pip`
command, perhaps just from muscle memory. After all, that's "how you
install python packages", right?
I don't know of a good solution at the moment. I know that `pip install
.` will delegate to `setup.py`, but would it be possible to convince `pip
install .` to *also* do the equivalent of `pip install -r requirements.txt
--use-mirrors` prior to delegating to `setup.py`? In other words, is
there a way to replace the quoted instructions above with "just run `pip
install .`"?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12642#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
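As an added example (not from the ticket, the ooni README or petmail), the failure mode described in the comment in shell form: a pasted two-step install under the default `set +e` keeps going when the pip step fails, so the setup step then runs and resolves dependencies on its own, whereas an explicit check stops first. The pip and setup steps are passed in as command strings, and `fake_setup` is a constructed stand-in for `python setup.py install` so the script runs offline.

```shell
#!/bin/sh
# Added example: guarded vs. unguarded two-step install.
# Under `set +e` (the default), a script that simply runs the pip step and
# then setup.py in sequence ignores a pip failure; setup.py then fetches
# whatever dependencies it needs itself, outside the mirrored/pinned path.

# Constructed stand-in for the setup.py step: only records that it ran.
SETUP_RAN=0
fake_setup() { SETUP_RAN=1; }

# Unguarded version: what a pasted script does under `set +e`.
# The setup step runs whether or not the pip step succeeded.
# $1 = pip step command, $2 = setup step command (word-split on purpose).
unguarded_install() {
    pip_step=$1
    setup_step=$2
    $pip_step            # exit status is silently dropped here
    $setup_step
}

# Guarded version: the setup step only runs after a successful pip step;
# a pip failure is reported and propagated as the function's exit status.
guarded_install() {
    pip_step=$1
    setup_step=$2
    if ! $pip_step; then
        echo "dependency install step failed; not running setup.py" >&2
        return 1
    fi
    $setup_step
}
```

`set -e` at the top of a pasted script gives the same stop-on-failure behaviour for the unguarded form, but the explicit check also produces a clear message instead of a silent exit.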