On 09.01.22 at 14:15, Michael Ströder wrote:
On 09.01.22 at 13:39, Michael Ströder wrote:
On 1/7/22 08:38, Georg Pfuetzenreuter wrote:
On 1/6/22 14:56, Ben Greiner wrote:
On 06.01.22 at 13:07, Martin Wilck wrote:
On Thu, 2022-01-06 at 12:40 +0100, Dan Čermák wrote:
>> At that point I'd rather say that we should resort to just
>> shipping Python, pip, wheel & development libraries for all the
>> Python versions that we wish to support.

I'm very much against that. It means we essentially give up packaging Python modules.
Plus, it is just not possible. Every rpm package needs its dependencies in the system repositories. You can't tell it "get the rest online from PyPI, I don't care if it is safe".
Relevant, just found on planet.kernel.org: https://zaitcev.livejournal.com/263602.html

Yes, delivery chain attacks are indeed a notoriously underestimated risk.
But do you really think openSUSE/SLE or any other Linux distro is independent from PyPI? Just have a look at the Source: lines in Python packages. And no, replacing those lines with github URLs or similar does not help either.
On 1/9/22 14:00, Ben Greiner wrote:
At least obs checks those lines at commit time and breaks if the source changes. This is significantly different than having pip (or npm or php composer for that matter) pull in a random package it finds at install time.

And how does this help if an attacker managed to publish a manipulated source distribution on PyPI? Or even worse, the attacker managed to commit and release code on the code forge used, which also happened in the recent past?
It does not help. But you are moving the goal posts.
The blog post claims that the PyPI package for nose was "unofficial". Of course it is the packager's duty to make sure that only sane and official sources are included into the rpmbuild.

And how should a packager really verify this? Given the lack of packagers, reviewing each code line in each change is illusionary.
Yes, you can do some plausibility tests.
A link from the Github page or official website to the pypi page is a start.
And in this particular example the module package "nose" was known to be dead and unmaintained, a strong indication that it should be hunked out from your delivery chain.

But there are many packages in openSUSE where the upstream project could be considered dead.
Well, openSUSE still ships it and python-nose.spec contains PyPI URLs...
In fact, Matej has been working hard on eliminating nose from depending packages, even to the point of annoying upstream projects about it. We are down to 8 packages right now (unless the python36 drop and python310 addition masks some packages because they are unresolvable). IPython is dropping it very soon in v8.0 [1]

  [ben@skylab:~]% osc whatdependson openSUSE:Factory python-nose standard x86_64
  python-nose :
     anki
     python-boto
     python-hdf5storage
     python-ipykernel
     python-ipyparallel
     python-ipython:test
     python-pprintpp
     python-pysmb

I cannot reproduce what Pete Zaitcev is talking about in his blog post regarding nose. Maybe it has been corrected at the PyPI side in the meantime.

- The PyPI page lists the source maintainers, not sure why he needed to fuzzy-investigate in git logs.
- https://nose.readthedocs.io/en/latest/ links to http://pypi.python.org/pypi/nose/1.3.7
- https://files.pythonhosted.org/packages/58/a5/0dc93c3ec33f4e281849523a5a913f... released on Jun 2, 2015 is identical to https://codeload.github.com/nose-devs/nose/tar.gz/refs/tags/release_1.3.7 except for the test content and some development files.

Again, a manipulation of nose-1.3.7.tar.gz at PyPI after the rpm package has been plausibility checked and committed does not affect the rpm package. It does affect a pip install, however.
Ciao, Michael.
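As an added example, not code from this thread or from openSUSE, the sdist-versus-forge-tarball comparison described above, done with Python's tarfile module: it hashes every regular file in two archives and reports what is only in one side or differs in content, with test or CI directories optionally ignored. The two archives are constructed stand-ins built in memory; their file names and contents are assumptions, not the real nose 1.3.7 release.

```python
"""Compare the file contents of two source tarballs (e.g. a PyPI sdist and
the matching forge release tag) and report what differs between them."""
import hashlib
import io
import tarfile


def _member_digests(data: bytes) -> dict[str, str]:
    """Map each regular file's path, with the top-level directory stripped, to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[-1]  # drop the "nose-1.3.7/" style prefix
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_tarballs(a: bytes, b: bytes, ignore_prefixes=()) -> dict[str, list[str]]:
    """Report files only in a, only in b, or in both with different content,
    skipping paths under any of ignore_prefixes (e.g. test or CI directories)."""
    da, db = _member_digests(a), _member_digests(b)

    def keep(path: str) -> bool:
        return not path.startswith(tuple(ignore_prefixes))

    return {
        "only_in_a": sorted(p for p in da if p not in db and keep(p)),
        "only_in_b": sorted(p for p in db if p not in da and keep(p)),
        "changed": sorted(p for p in da if p in db and da[p] != db[p] and keep(p)),
    }


def make_tarball(top: str, files: dict[str, bytes]) -> bytes:
    """Build a gzip tarball in memory (constructed sample input, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-ins for a PyPI sdist and the forge tag tarball of the same version.
COMMON = {"setup.py": b"from setuptools import setup\nsetup(name='nose')\n",
          "nose/__init__.py": b"__version__ = '1.3.7'\n"}
PYPI_SDIST = make_tarball("nose-1.3.7", {**COMMON, "PKG-INFO": b"Name: nose\nVersion: 1.3.7\n"})
FORGE_TARBALL = make_tarball("nose-release_1.3.7", {**COMMON, ".travis.yml": b"language: python\n",
                                                    "unit_tests/test_x.py": b"def test(): pass\n"})
```

Calling `compare_tarballs(PYPI_SDIST, FORGE_TARBALL, ignore_prefixes=("unit_tests/",))` on the stand-ins reports only the sdist-only PKG-INFO and the forge-only .travis.yml, with no content changes; a later tampered upload would show up under "changed".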