Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Secure bootstrap technique #63

Closed
ghost opened this issue Aug 7, 2013 · 4 comments
Closed

Secure bootstrap technique #63

ghost opened this issue Aug 7, 2013 · 4 comments
Labels

Comments

@ghost
Copy link

@ghost ghost commented Aug 7, 2013

Originally reported by: jaraco (Bitbucket: jaraco, GitHub: jaraco)


@dstufft has pointed out that the bootstrap technique for setuptools uses Python's urllib for downloading tarballs, and this technique, even though it uses SSL, does not do proper certificate validation, so is still subject to a man-in-the-middle attack.

One proposed suggestion is to simply deprecate the use of ez_setup and change the bootstrap instructions to direct users to download, extract, and install the tarball directly (presumably using a secure HTTP client).

Another possible approach is to secure the bootstrap script itself, such as is being discussed in #11.


@ghost
Copy link
Author

@ghost ghost commented Aug 7, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


I don't believe it's viable to deprecate the use of ez_setup for bootstrapping for two reasons: bootstrapping needs to be easy and bootstrapping needs to be programmatic.

Ease of Use

Most end users of setuptools aren't drawn to setuptools for its shiny features or functionality. Many install setuptools because the package they really want depends on it. As a result, many users are already in a pre-requisite step for their desired goals.

For that reason, and the fact that many users may not even be Python programmers or necessarily proficient with computers, the installation should be simple and as close to a "one-click install" as possible.

While "download, unpack, and run setup.py" sounds like a fairly straightforward step, when you extract the implicit steps, especially on Windows, it comes out to many steps:

  1. Start Internet Explorer
  2. Browse to the download page.
  3. Scroll to the bottom.
  4. Click on the download link.
  5. Save the file.
  6. Browse to 7-zip.org.
  7. Download 7-zip for your bit size (recommend 32-bit if you don't know).
  8. Install 7-zip from the file you just downloaded.
  9. From the start menu, start 7-zip.
  10. Open the setuptools tarball you just downloaded.
  11. Extract it to a temporary directory.
  12. Run setup.py from the directory you just extracted.
  13. Delete the temporary directory.

(and if I really wanted to be pedantic and explicit, I would provide instructions on how to start Internet Explorer, where to click to enter a URL, etc.)

Even the current process, which is what Distribute promoted, was considered burdensome for novice users compared to setuptools, which provided Windows installers.

Programmatic Operation

In addition to the manual invocation as advertised in the installation instructions, ez_setup.py is also used mechanically by projects that choose to bootstrap setuptools as part of their own package (via the use_setuptools() function). Furthermore, tools like buildout rely on ez_setup.py for installing setuptools. Requiring users to bypass ez_setup.py would not eliminate the security risk posed by other mechanical uses of ez_setup, so is only a partial solution.

As a result, I suggest we focus on security the bootstrap script, whether that means bringing back bundled checksums or signing releases or another technique (perhaps shelling out to a system HTTP client).

@ghost
Copy link
Author

@ghost ghost commented Aug 10, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


In d1b75a67cb31, I've drafted an idea that leverages available system tools (such as curl or powershell) to securely bootstrap setuptools.

@ghost
Copy link
Author

@ghost ghost commented Aug 10, 2013

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


Updated changelog. Fixes #63.

@ghost
Copy link
Author

@ghost ghost commented Aug 21, 2013

Original comment by qwcode (Bitbucket: qwcode, GitHub: qwcode):


thanks for the effort, but it bugs me that it can still be insecure w/o curl or powershell.

couldn't ez_setup.py take the approach of get-pip.py, which basically has pip stuffed inside it, and literally uses pip (which has ssl cert support) to intall itself.

ez_setup.py could contain setuptools/easy_install and use easy_install, which has ssl support to install itself.

@ghost ghost added major bug labels Mar 29, 2016
@ghost ghost closed this Mar 29, 2016
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
0 participants
You can’t perform that action at this time.