On 1/7/22 08:38, Georg Pfuetzenreuter wrote:
On 1/6/22 14:56, Ben Greiner wrote:
On 06.01.22 at 13:07, Martin Wilck wrote:
On Thu, 2022-01-06 at 12:40 +0100, Dan Čermák wrote:
At that point I'd rather say that we should resort to just shipping Python, pip, wheel & development libraries for all the Python versions that we wish to support.
I'm very much against that. It means we essentially give up packaging python modules.
Plus, it is just not possible. Every rpm package needs its dependencies in the system repositories. You can't tell it "get the rest online from PyPI, I don't care if it is safe".
Relevant, just found on planet.kernel.org: https://zaitcev.livejournal.com/263602.html
Yes, delivery chain attacks are indeed a notoriously underestimated risk.
But do you really think openSUSE/SLE or any other Linux distro is independent from PyPI? Just have a look at the Source: lines in Python packages. And no, replacing those lines with github URLs or similar does not help either. And IMO none of the Linux distros have really strong security controls in place to avoid more advanced delivery chain attacks. If distro maintainers claim something else they're naive or vain or both. And don't get me started commenting the security of widespread CI/CD, DevOps operational practices out there. Ciao, Michael.