[tor-bugs] #12642 [Ooni]: Can Network Attacker Downgrade Dependency Install Security?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 17 17:17:29 UTC 2014
#12642: Can Network Attacker Downgrade Dependency Install Security?
---------------------------+---------------------
Reporter: earthrise | Owner: hellais
Type: defect | Status: new
Priority: normal | Milestone:
Component: Ooni | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
---------------------------+---------------------
Comment (by nathan-at-least):
Note, this kind of problem is widespread in the python community, and
several different projects are attempting a similar solution as found
here.
One example I've recently been introduced to is the petmail `safe_develop`
`setup.py` command:
https://github.com/warner/petmail/blob/master/setup.py#L131
In this Ooni case, the README is correct, but I believe it's likely that
users will fail to follow the instructions in various ways. For example,
if they pasted the quoted lines above into a bash script with the default
`set +e` behavior, then they may not notice if pip fails and then
`setup.py` proceeds to re-download (potentially malicious) dependencies.
For another example, Least Authority (or someone else on `mlab1`) appears
to have run `python ./setup.py install` without ever running the `pip`
command, perhaps just from muscle memory. After all, that's "how you
install python packages", right?
I don't know of a good solution at the moment. I know that `pip install
.` will delegate to `setup.py`, but would it be possible to convince `pip
install .` to *also* do the equivalent of `pip install -r requirements.txt
--use-mirrors` prior to delegating to `setup.py`? In other words, is
there a way to replace the quoted instructions above with "just run `pip
install .` " ?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12642#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list