On 1/9/22 14:00, Ben Greiner wrote:
> On 09.01.22 at 13:39, Michael Ströder wrote:
>> On 1/7/22 08:38, Georg Pfuetzenreuter wrote:
>>> On 1/6/22 14:56, Ben Greiner wrote:
>>>> On 06.01.22 at 13:07, Martin Wilck wrote:
>>>>> On Thu, 2022-01-06 at 12:40 +0100, Dan Čermák wrote:
>>>>>> At that point I'd rather say that we should resort to just
>>>>>> shipping Python, pip, wheel & development libraries for all the
>>>>>> Python versions that we wish to support.
>>>>>
>>>>> I'm very much against that. It means we essentially give up packaging
>>>>> python modules.
>>>>
>>>> Plus, it is just not possible. Every rpm package needs its dependencies
>>>> in the system repositories. You can't tell it "get the rest online from
>>>> PyPI, I don't care if it is safe".
>>>
>>> Relevant, just found on planet.kernel.org:
>>> https://zaitcev.livejournal.com/263602.html
>>
>> Yes, delivery chain attacks are indeed a notoriously underestimated risk.
>>
>> But do you really think openSUSE/SLE or any other Linux distro is
>> independent from PyPI? Just have a look at the Source: lines in Python
>> packages. And no, replacing those lines with github URLs or similar does
>> not help either.
>
> At least obs checks those lines at commit time and breaks if the source
> changes. This is significantly different than having pip (or npm or php
> composer for that matter) pull in a random package it finds at install
> time.

And how does this help if an attacker managed to publish a manipulated source distribution on PyPI? Or even worse the attacker managed to commit and release code on the code forge used, which also happened in the recent past?

> The blog post claims that the PyPI package for nose was "unofficial".
> Of course it is the packager's duty to make sure that only sane and
> official sources are included into the rpmbuild.

And how should a packager really verify this? Given the lack of packagers reviewing each code line in each change is illusionary. Yes, you can do some plausibility tests. And in this particular example the module package "nose" was known to be dead and unmaintained, a strong indication that it should be hunked out from your delivery chain. But there are many packages in openSUSE where upstream project could be considered dead.

Well, openSUSE still ships it and python-nose.spec contains PyPI URLs...

Ciao, Michael.
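The thread contrasts a build system that records the committed source archive and fails when it changes with a package manager that fetches whatever it finds at install time. The following script is an added illustration of that pinning check and is not code from the thread, from OBS or from any openSUSE package: it extracts the `Source:` URLs from a constructed spec fragment, records which host each one points at, and compares the fetched archive bytes against a pinned SHA-256. The spec text, the URLs and the archive bytes are all constructed here for the example; the package name and digest are placeholders.

```python
"""Added example: pin a package's source archives by SHA-256 and report
any Source: line that is unpinned, missing, or whose content changed.
All inputs below are constructed for the illustration."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed spec fragment; the URLs are illustrative placeholders,
# not lines from a real python-*.spec.
SPEC_FRAGMENT = """\
Name:           python-example
Version:        1.0.0
Source:         https://files.pythonhosted.org/packages/source/e/example/example-1.0.0.tar.gz
Source1:        https://github.com/example/example/archive/v1.0.0.tar.gz
"""

# Constructed stand-in for the archive the packager actually reviewed
# and committed; its digest is what gets stored next to the spec.
PINNED_ARCHIVE = b"example-1.0.0 constructed archive contents\n"
PINNED_SHA256 = hashlib.sha256(PINNED_ARCHIVE).hexdigest()


def source_urls(spec_text):
    """Return every URL declared on a Source: or SourceN: line."""
    urls = []
    for line in spec_text.splitlines():
        match = re.match(r"^Source\d*:\s*(\S+)", line)
        if match:
            urls.append(match.group(1))
    return urls


def source_host(url):
    """Hostname of a Source: URL, so a reviewer can see where it pulls from."""
    return urlparse(url).hostname


def verify_archive(data, expected_sha256):
    """True only if the archive bytes hash to the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def check_sources(spec_text, fetched, pins):
    """Classify each Source: URL in the spec.

    fetched: url -> bytes obtained from the URL
    pins:    url -> sha256 hex digest recorded at commit time
    Returns a list of (url, status) with status in
    {'ok', 'unpinned', 'missing', 'mismatch'}.  Anything other than 'ok'
    is a reason to fail the build rather than silently accept the archive.
    """
    results = []
    for url in source_urls(spec_text):
        if url not in pins:
            results.append((url, "unpinned"))
        elif url not in fetched:
            results.append((url, "missing"))
        elif verify_archive(fetched[url], pins[url]):
            results.append((url, "ok"))
        else:
            results.append((url, "mismatch"))
    return results


if __name__ == "__main__":
    urls = source_urls(SPEC_FRAGMENT)
    pins = {urls[0]: PINNED_SHA256}
    good = {urls[0]: PINNED_ARCHIVE}
    tampered = {urls[0]: PINNED_ARCHIVE + b"# extra bytes\n"}
    for url, status in check_sources(SPEC_FRAGMENT, good, pins):
        print(f"{status:9} {source_host(url)}  {url}")
    for url, status in check_sources(SPEC_FRAGMENT, tampered, pins):
        print(f"{status:9} {source_host(url)}  {url}")
```

The second `Source1:` line is deliberately left without a pin so the report shows that an unrecorded source is treated as a failure too; a pinned digest only protects against a changed tarball, not against the packager having reviewed the wrong one, which is the point Michael raises above.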