
Secure bootstrap technique #63

Closed
ghost opened this issue Aug 7, 2013 · 4 comments

Comments


ghost commented Aug 7, 2013

Originally reported by: jaraco (Bitbucket: jaraco, GitHub: jaraco)


@dstufft has pointed out that the bootstrap technique for setuptools uses Python's urllib for downloading tarballs, and this technique, even though it uses SSL, does not do proper certificate validation, so is still subject to a man-in-the-middle attack.

One proposed suggestion is to simply deprecate the use of ez_setup and change the bootstrap instructions to direct users to download, extract, and install the tarball directly (presumably using a secure HTTP client).

Another possible approach is to secure the bootstrap script itself, such as is being discussed in #11.



ghost commented Aug 7, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


I don't believe it's viable to deprecate the use of ez_setup for bootstrapping for two reasons: bootstrapping needs to be easy and bootstrapping needs to be programmatic.

Ease of Use

Most end users of setuptools aren't drawn to setuptools for its shiny features or functionality. Many install setuptools because the package they really want depends on it. As a result, many users are already in a pre-requisite step for their desired goals.

For that reason, and the fact that many users may not even be Python programmers or necessarily proficient with computers, the installation should be simple and as close to a "one-click install" as possible.

While "download, unpack, and run setup.py" sounds like a fairly straightforward step, when you extract the implicit steps, especially on Windows, it comes out to many steps:

  1. Start Internet Explorer
  2. Browse to the download page.
  3. Scroll to the bottom.
  4. Click on the download link.
  5. Save the file.
  6. Browse to 7-zip.org.
  7. Download 7-zip for your bit size (recommend 32-bit if you don't know).
  8. Install 7-zip from the file you just downloaded.
  9. From the start menu, start 7-zip.
  10. Open the setuptools tarball you just downloaded.
  11. Extract it to a temporary directory.
  12. Run setup.py from the directory you just extracted.
  13. Delete the temporary directory.

(and if I really wanted to be pedantic and explicit, I would provide instructions on how to start Internet Explorer, where to click to enter a URL, etc.)

Even the current process, which is what Distribute promoted, was considered burdensome for novice users compared to setuptools, which provided Windows installers.

Programmatic Operation

In addition to the manual invocation as advertised in the installation instructions, ez_setup.py is also used mechanically by projects that choose to bootstrap setuptools as part of their own package (via the use_setuptools() function). Furthermore, tools like buildout rely on ez_setup.py for installing setuptools. Requiring users to bypass ez_setup.py would not eliminate the security risk posed by other mechanical uses of ez_setup, so is only a partial solution.

As a result, I suggest we focus on securing the bootstrap script, whether that means bringing back bundled checksums or signing releases or another technique (perhaps shelling out to a system HTTP client).


ghost commented Aug 10, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


In d1b75a67cb31, I've drafted an idea that leverages available system tools (such as curl or powershell) to securely bootstrap setuptools.
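The two points raised so far in this thread, that urllib of that era encrypted the connection but accepted any certificate, and that a system client such as curl or PowerShell can be leaned on for trust validation, are shown together below. This is an added example, not the code in d1b75a67cb31 or in ez_setup.py: it tries curl, then PowerShell's Invoke-WebRequest, then Python's own ssl module with verification enabled, and refuses to hand back the tarball unless its SHA-256 matches a digest published with the release. The digest pin is what makes a substituted tarball detectable even if a client in the chain were misconfigured. The URL, digest and the `legacy_unverified_context` helper are illustrative constructions; the unverified context reproduces the pre-PEP 476 behaviour the issue describes (Python has validated certificates by default since 2.7.9 / 3.4.3).

```python
"""Added example, not code from the setuptools project or ez_setup.py: fetch a
release tarball through a chain of HTTP clients that each validate the TLS
certificate, then pin the downloaded bytes to a published SHA-256 digest."""
import hashlib
import hmac
import os
import shutil
import ssl
import subprocess
import tempfile
import urllib.request


def context_verifies(ctx):
    """True only if the context checks the certificate chain AND the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def legacy_unverified_context():
    """Illustrative: what old urllib effectively did, encrypt but accept any
    certificate. This is the man-in-the-middle-able configuration from the issue."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_ssl_context():
    """System trust store, chain validation and hostname matching all enabled."""
    return ssl.create_default_context()


def download_with_curl(url):
    # curl validates certificates by default; never add -k / --insecure.
    if shutil.which("curl") is None:
        return None
    proc = subprocess.run(["curl", "--fail", "--silent", "--show-error",
                           "--location", url], capture_output=True)
    return proc.stdout if proc.returncode == 0 else None


def download_with_powershell(url):
    # Invoke-WebRequest validates the server certificate by default. The URL is
    # placed in a single-quoted PowerShell literal, so reject URLs containing "'".
    if shutil.which("powershell") is None or "'" in url:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "download.bin")
        if "'" in target:
            return None
        script = "Invoke-WebRequest -Uri '%s' -OutFile '%s'" % (url, target)
        rc = subprocess.call(["powershell", "-NoProfile", "-Command", script])
        if rc != 0:
            return None
        with open(target, "rb") as f:
            return f.read()


def download_with_urllib(url):
    # Last resort: Python's own client, explicitly given a verifying context.
    with urllib.request.urlopen(url, context=secure_ssl_context()) as resp:
        return resp.read()


DOWNLOADERS = (download_with_curl, download_with_powershell, download_with_urllib)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_matches(data, expected_sha256):
    # Constant-time compare of hex digests, case-insensitive on the expected side.
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def download_verified(url, expected_sha256, downloaders=DOWNLOADERS):
    """Return the tarball bytes or raise; never hands back unverified data."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS bootstrap URL: %r" % url)
    for fetch in downloaders:
        try:
            data = fetch(url)          # each client validates the certificate
        except OSError:                # URLError and SSLError are both OSError
            data = None
        if data is not None:
            break
    else:
        raise RuntimeError("no HTTP client with certificate validation succeeded")
    if not digest_matches(data, expected_sha256):
        raise RuntimeError("digest mismatch for %s: got %s" % (url, sha256_hex(data)))
    return data
```

A bootstrap script would call `download_verified(RELEASE_URL, RELEASE_SHA256)` with both constants baked into the script at release time; the order of the chain matters less than the fact that every member of it validates the certificate, and the digest check is what turns a wrong-but-valid certificate (a compromised CA, a typo in the URL) into a hard failure rather than a silent install.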


ghost commented Aug 10, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


Updated changelog. Fixes #63.


ghost commented Aug 21, 2013

Original comment by qwcode (Bitbucket: qwcode, GitHub: qwcode):


thanks for the effort, but it bugs me that it can still be insecure w/o curl or powershell.

couldn't ez_setup.py take the approach of get-pip.py, which basically has pip stuffed inside it, and literally uses pip (which has ssl cert support) to install itself.

ez_setup.py could contain setuptools/easy_install and use easy_install, which has ssl support to install itself.
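The embedded-payload approach this comment proposes, shown as an added example that is not get-pip.py, pip or ez_setup.py code: the bootstrap script carries its installer inline as a base64-encoded zip archive together with a SHA-256 pin, verifies the archive before writing anything to disk, rejects archive members that would escape the extraction directory, and then runs the installer it just unpacked. With the client code on disk before any network access, there is no download step left that lacks certificate validation. The `mini_installer` package is a constructed stand-in for setuptools/easy_install, and `build_bootstrap_payload` is the release-time step that would produce the constants baked into the script. The pin does not authenticate the script by itself (whoever can replace the script can replace the pin); its value is that the user now has one self-contained artifact whose digest or signature to check, instead of a script plus a second download.

```python
"""Added example of the get-pip.py pattern: a bootstrap script that carries its
installer as a pinned, base64-encoded zip archive and runs it after verifying."""
import base64
import hashlib
import hmac
import io
import posixpath
import subprocess
import sys
import tempfile
import zipfile

# Constructed stand-in payload: a tiny package playing the role of the bundled
# installer (get-pip.py embeds pip; ez_setup.py would embed setuptools).
SAMPLE_FILES = {
    "mini_installer/__init__.py": b"VERSION = '0.1'\n",
    "mini_installer/__main__.py": (
        b"import sys\n"
        b"from mini_installer import VERSION\n"
        b"print('mini_installer %s would now install itself: %s'"
        b" % (VERSION, sys.argv[1:]))\n"
    ),
}


def build_bootstrap_payload(files):
    """Release-build side: pack files into a deterministic zip, return (b64, sha256)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            # Fixed timestamp so the same input always yields the same digest.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    raw = buf.getvalue()
    return base64.b64encode(raw).decode("ascii"), hashlib.sha256(raw).hexdigest()


def verify_payload(b64_blob, expected_sha256):
    """Decode and check the pin before touching the archive contents."""
    raw = base64.b64decode(b64_blob, validate=True)
    actual = hashlib.sha256(raw).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise RuntimeError("embedded payload digest mismatch: %s" % actual)
    return raw


def safe_members(raw_zip):
    """Member names that are relative and cannot escape the extraction directory."""
    names = []
    with zipfile.ZipFile(io.BytesIO(raw_zip)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name)
            if (name.startswith(("/", "\\")) or "\\" in name or ":" in name
                    or norm == ".." or norm.startswith("../")):
                raise RuntimeError("unsafe archive member: %r" % name)
            names.append(name)
    return names


def extract_payload(raw_zip, dest_dir):
    """Extract only after every member has passed the path check."""
    members = safe_members(raw_zip)
    with zipfile.ZipFile(io.BytesIO(raw_zip)) as zf:
        zf.extractall(dest_dir, members=members)
    return members


def bootstrap(b64_blob, expected_sha256, installer_args=()):
    """Unpack the pinned payload into a temp dir and run the bundled installer.
    Returns (exit code, captured stdout)."""
    raw = verify_payload(b64_blob, expected_sha256)
    with tempfile.TemporaryDirectory() as tmp:
        extract_payload(raw, tmp)
        # `python -m` puts the working directory first on sys.path, so the
        # installer runs from the just-extracted copy and nothing else.
        cmd = [sys.executable, "-m", "mini_installer", *installer_args]
        proc = subprocess.run(cmd, cwd=tmp, capture_output=True, text=True)
        return proc.returncode, proc.stdout


if __name__ == "__main__":
    # In a real release the blob and pin are baked into the script file; here
    # they are computed from the constructed sample so the demo is self-contained.
    blob, pin = build_bootstrap_payload(SAMPLE_FILES)
    code, out = bootstrap(blob, pin, sys.argv[1:])
    sys.stdout.write(out)
    sys.exit(code)
```

The member check matters because the payload is executed with the user's privileges: a build mistake or a tampered archive containing `../` entries would otherwise write outside the temporary directory before the installer even runs.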

@ghost ghost added major bug labels Mar 29, 2016
@ghost ghost closed this as completed Mar 29, 2016
jaraco added a commit that referenced this issue Feb 4, 2023
…apping setuptools, leveraging system tools for trust validation.
jaraco added a commit that referenced this issue Feb 4, 2023