New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Jake doesn't support wheel-only installation #72
Comments
You should still vendorize that 2 function lib, but in the meanwhile, I've forked it (the maintainer has been gone for 10 years) and published a version with wheels, here: https://pypi.org/project/termcolor-whl/ |
And the other dependency with no wheels is |
And |
Hi @matthewdeanmartin - thanks for the report. A very important report indeed. We'll get this worked on to remove this dependency! Thanks for your input. |
I got ahold of the previous maintainer of terminaltables and we got that one updated with a wheel dist - https://pypi.org/project/terminaltables/#files One down, one to go. |
Thanks @matthewdeanmartin - to get a quick fix for this, we'll take the After this, we'll assess:
|
Signed-off-by: Paul Horton <phorton@sonatype.com>
…installation fix: ensure dependencies can be installed from binary packages #72
@matthewdeanmartin - Thanks |
I'll skip the analysis, but here is the output of
yaspin is pulling in the non-wheel termcolor. I thought you had a direct dependency on termcolor, but because it is transitive that means you'd need to vendorize yaspin. The maintainer of termcolor is just gone, so that blocks some more elegant solutions. I'm sorry I didn't notice that earlier, so you can drop the dep on termcolor-whl-- it doesn't help anyhow-- and I recommend vendorizing |
As a downstream packager of jake on conda-forge, we generally have to hustle rather hard to keep track of vendored code once introduced for license/distribution compliance purposes... sometimes thornier than "pure" technical concerns! So i guess i would just request that if the vendoring path is taken, please include the LICENSE files of the upstreams. Perhaps having the core As for the concrete problem of terminal pretties:
|
Thanks for the suggestion @bollwyvl of |
See #73 |
cyclonedx-python-lib
doesn't support wheel-only installation
CycloneDX/cyclonedx-python-lib#97
I would like to point out, that from a security point of view it does not make a difference whether a call to The solution can not be to create a fork of all projects out there, but to actually become the new upstream and improve its security workflow. @matthewdeanmartin it would be great if you could look into becoming the |
Describe the bug
Python packages come in two sorts, sdist and wheels. Sdist runs on installation setup.py, which allows for running malicious code. Wheels do not run setup.py on install, they just unpack the code & a user would have to invoke the malicious code intentionally via import or the like.
Jake has a dependency on termcolor, which doesn't not have a wheel. https://pypi.org/project/termcolor/#files
To Reproduce
export PIP_ONLY_BINARY=:all: pipenv install jake --skip-lock --verbose
Or
pip install jake --only-binary=:all:
(The flag names are misleading, because when the flag is active, it installs only the wheel version & will ignore sdist for the package and ALL dependencies, even if they are all pure python)
Expected behavior
Jake should install without having to run setup.py for it or any dependency. The audience of jake is enterprises who are taking supply chain risks serious, probably because they have something valuable to protect. If I were a malicious hacker, I'd target termcolor on pypi (just need to guess their password), upload a malicious sdist and then steal valuables from jake users when setup.py runs.
Screenshots
I would recommend vendorizing your entire dependency chain (or at least the wheel-less one), but that is just because I'm paranoid about supply chain risks.
The text was updated successfully, but these errors were encountered: