@dstufft has pointed out that the bootstrap technique for setuptools uses Python's urllib for downloading tarballs, and this technique, even though it uses SSL, does not do proper certificate validation, so is still subject to a man-in-the-middle attack.
One proposed suggestion is to simply deprecate the use of ez_setup and change the bootstrap instructions to direct users to download, extract, and install the tarball directly (presumably using a secure HTTP client).
Another possible approach is to secure the bootstrap script itself, such as is being discussed in #11.
I don't believe it's viable to deprecate the use of ez_setup for bootstrapping for two reasons: bootstrapping needs to be easy and bootstrapping needs to be programmatic.
Ease of Use
Most end users of setuptools aren't drawn to setuptools for its shiny features or functionality. Many install setuptools because the package they really want depends on it. As a result, many users are already in a pre-requisite step for their desired goals.
For that reason, and the fact that many users may not even be Python programmers or necessarily proficient with computers, the installation should be simple and as close to a "one-click install" as possible.
While "download, unpack, and run setup.py" sounds like a fairly straightforward step, when you extract the implicit steps, especially on Windows, it comes out to many steps:
(and if I really wanted to be pedantic and explicit, I would provide instructions on how to start Internet Explorer, where to click to enter a URL, etc.)
Even the current process, which is what Distribute promoted, was considered burdensome for novice users compared to setuptools, which provided Windows installers.
In addition to the manual invocation as advertised in the installation instructions, ez_setup.py is also used mechanically by projects that choose to bootstrap setuptools as part of their own package (via the
As a result, I suggest we focus on securing the bootstrap script, whether that means bringing back bundled checksums or signing releases or another technique (perhaps shelling out to a system HTTP client).
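The two mitigations this issue discusses, certificate validation on the download and a bundled checksum on the result, can be combined in a few lines of Python 3. The following is an added example, not code from the setuptools project or the issue author; the URL and SHA-256 digest are constructed placeholders, and the `fetch` parameter exists only so the verification logic can be exercised without network access.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Constructed placeholders: a real bootstrap script would ship the digest of the
# exact tarball it expects, and the URL of the release it downloads.
PLACEHOLDER_URL = "https://example.invalid/setuptools-X.Y.Z.tar.gz"
PLACEHOLDER_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def make_verifying_context():
    """Build an SSL context that validates the chain against the system CA store
    and checks that the certificate matches the requested hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_validating(ctx):
    """True only if the context would reject an untrusted or mismatched certificate.
    ssl._create_unverified_context() is the weak setting this returns False for."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data, expected_hex):
    """Constant-time comparison of the downloaded bytes' digest with the bundled one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def _default_fetch(url, ctx):
    # urlopen(..., context=ctx) applies the verifying context to the TLS handshake.
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read()


def fetch_verified(url, expected_hex, fetch=_default_fetch):
    """Download over TLS with certificate validation, then refuse any payload whose
    SHA-256 digest differs from the expected one. The checksum catches a substituted
    tarball even if the transport check were somehow bypassed."""
    ctx = make_verifying_context()
    data = fetch(url, ctx)
    if not verify_checksum(data, expected_hex):
        raise ValueError("downloaded file does not match expected SHA-256 digest")
    return data


if __name__ == "__main__":
    # Offline demonstration with a constructed payload whose digest is the placeholder above.
    payload = fetch_verified(PLACEHOLDER_URL, PLACEHOLDER_SHA256, fetch=lambda url, ctx: b"abc")
    print("verified %d bytes" % len(payload))
```

`ssl.create_default_context()` already enables hostname checking and `CERT_REQUIRED`; the explicit assignments make the intent visible to a reader auditing the script. The digest comparison is the part that survives a broken CA store, so a bootstrap script should carry it even when the transport is validated.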
Thanks for the effort, but it bugs me that it can still be insecure without curl or PowerShell.