Verify get-pip.py

[tomaszzielinski]

Currently get-pip.py is downloaded from a remote server and installed without checking that it's legitimate [1]

I'm aware that there's no official way to verify the downloaded file and also that it might change at any time, so IMHO it might be good to keep a local, known to be good, version of that file and update it from time to time.

[1]

python/3.7/stretch/Dockerfile

Line 110 in 13ae0c0

wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \

[yosifkit]

We could have our update.sh download and sha512sum get-pip.py and embed the sum in the Dockerfile. That will do little than assure that the build servers get the same version that we saw earlier.

We should probably note where the sha512sum comes from in the Dockerfile. Concurrently we should see if we can file an issue with the Python Packaging Authority to see if they would be willing to publish a sha512sum along with get-pip-py (a detached gpg signature would be even better).

[tianon]

I think pulling from a specific Git commit out of https://github.com/pypa/get-pip might be worthwhile too (since then our checksum would be more meaningful/stable).

[yosifkit]

In case anyone wants to follow or bump: pypa/get-pip#41

[tomaszzielinski]

I think that fixing the checksum would still be a small step forward--if Homebrew Cask had been more strict at a time at checking the checksums then the Handbrake malware failure wouldn't have happened (at least for Cask users..) [1].

Pulling a specific commit sounds even better, as the commit hash is a checksum on its own. Also, I believe it's easier to detect a compromise of a GitHub repository than changes in what effectively is a binary blob.

[1] Homebrew/homebrew-cask#33536

[tianon]

Pulling a specific commit sounds even better, as the commit hash is a checksum on its own. Also, I believe it's easier to detect a compromise of a GitHub repository than changes in what effectively is a binary blob.

We really need to do both -- we're not going to use git clone, so the commit reference is only going to get us an unchanging file which we can actually verify. 😄

Additionally, I wouldn't put too much stock in verifying updates to that file; see pypa/get-pip@404c941 for example (it includes all of pip, so it's pretty much impossible to review those updates), but at least it's something which is better than where we're at now. 😅

[tomaszzielinski]

Wow, that was fast!

Thank you for adding the checksum, I realize it's suboptimal because it requires maintenance and also it doesn't solve the problem completely, but it's much better than it was yesterday!