
installation instructions tell the user to inspect an encoded blob for malevolence


The instructions at https://pip.pypa.io/en/stable/installing/#installing-with-get-pip-py state:

Inspect get-pip.py for any malevolence.

Inside get-pip.py is:

import os
import shutil
import sys
import tempfile
from base64 import b85decode


def main():
    tmpdir = None
    try:
        # Create a temporary working directory
        tmpdir = tempfile.mkdtemp()

        # Unpack the zipfile into the temporary directory
        # (DATA is the base85-encoded zip archive embedded further down)
        pip_zip = os.path.join(tmpdir, "pip.zip")
        with open(pip_zip, "wb") as fp:
            fp.write(b85decode(DATA.replace(b"\n", b"")))

        # Add the zipfile to sys.path so that we can import it
        sys.path.insert(0, pip_zip)

        # Run the bootstrap
        bootstrap(tmpdir=tmpdir)
    finally:
        # Clean up our temporary working directory
        if tmpdir:
            shutil.rmtree(tmpdir, ignore_errors=True)


DATA = b"""
P)h>@6aWAK2mnx)lT08w7f~7j000;O000jF003}la4%n9X>MtBUtcb8d5e!POD!tS%+HIDSFlx3GBnU
L&@)ux<pKauO9KQH000080Iz0(OfD@VU`7D|0CfTY01p5F0B~t=FJE76VQFq(UoLQYT~fhL!!QiJPuf
3N+Myj99cQE+IC4eYqtH5QM4E)yRoUMYrwbeOl*E4T+3(e)Fo9BL<~gBKV5b-ogZ`l4W=6H%x0~(eS_
$-fqzg%52d@Se1f3Al?7j78FhZ+g84=w9^e_OAxL$#SAiJn}6!80K3AA%zq0%&yJ|n~nkHJH<@$sQsM
t967u%0+~-d^)4CQl!A|CvE~{L=}V=6Sn;{Ox2f>&jO2m+7d~q^(z~i<jDLY$AriCa))iUUZ0)jRe6!
bB|~aK-dRA+!~}K^EQ?24QX~PPRN>~FRK;i%y#p_GNCgS^-_G&d~Xp@5OaI&Yc^SD1(fnBCsG=_>*($
Odv#&IUtyKG%XVVo_UTZV_L61EEemwYdd7@*RaLeJO;Bu*VSV`0<-d>wMCfXNHLAuSa`<hzE$^*N@dH
px0|XQR000O8uV#WwFj~#$KMVi>;~@Y582|tPaA|NaUukZ1WpZv|Y%gD5X>MtBUtcb8d7T++Z`(%ly8
.....

Obviously the encoded DATA blob cannot be inspected. get-pip.py should be plaintext code, and not have encoded data blobs.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

pfmoore commented, Jun 26, 2018 (1 reaction)

I’d be inclined to simply take the following text:

Installing with get-pip.py
To install pip, securely download get-pip.py. [1]:
    curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
Inspect get-pip.py for any malevolence. Then run the following:
    python get-pip.py

and replace it with:

Installing with get-pip.py
To install pip, securely download get-pip.py and run it:
    curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
    python get-pip.py
As when running any script or other software downloaded off the web, you should ensure that you have reviewed the code and are happy that it works as you expect.

We could publish signatures for get-pip.py, I guess. I don’t know enough about the security issues involved to say precisely how checking a signature for a file served over https from a server you have chosen to trust would add extra security, but if it does then I see no reason not to add it. But I don’t think that was the OP’s point, which seems to be that we’re suggesting he should review code that he doesn’t understand (which frankly is always a problem in my experience with the sort of generic “make sure you’re happy with the code” comments needed here - you have to choose for yourself what level of trust you’re willing to give).
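The two technical points in this thread, the OP's observation that the base85 DATA blob in get-pip.py is opaque to a reader, and pfmoore's remark about publishing something a downloader could check, can both be addressed without running the script. The blob is just a base85-encoded zip archive (the real `main()` above writes it to `pip.zip`), so a reviewer can decode it, confirm it really is a zip, list its members, flag anything that is not readable source, and compare the downloaded file's SHA-256 against a digest obtained out of band. The following is an added example written for this page; it is not code from pip or from get-pip.py. It builds its own tiny get-pip-style script (a constructed stand-in, not the real blob), and `verify_pinned` assumes a hypothetical published digest, since the thread does not say where or whether pip would publish one.

```python
"""Inspect a get-pip.py-style bootstrap script without executing it."""
import base64
import hashlib
import io
import re
import zipfile


def build_sample_script(extra=None) -> bytes:
    """Constructed stand-in for a downloaded get-pip.py (NOT the real one):
    a small zip holding a fake 'pip' package, base85-encoded and wrapped at
    79 columns the way the real script embeds its DATA blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pip/__init__.py", "__version__ = '0.0'\n")
        zf.writestr("pip/__main__.py", "print('fake pip')\n")
        for name, content in (extra or {}).items():
            zf.writestr(name, content)
    encoded = base64.b85encode(buf.getvalue())
    wrapped = b"\n".join(encoded[i:i + 79] for i in range(0, len(encoded), 79))
    return (b"import sys\n\n\ndef main():\n    pass\n\n\nDATA = b\"\"\"\n"
            + wrapped + b"\n\"\"\"\n\n\nif __name__ == '__main__':\n    main()\n")


# Locate the embedded blob: DATA = b"""<base85, newline-wrapped>"""
DATA_RE = re.compile(rb'^DATA\s*=\s*b"""\n(.*?)"""', re.M | re.S)


def inspect_script(script: bytes) -> dict:
    """Return what a reviewer wants to know before running the script:
    the file's sha256, the decoded blob's sha256, the zip member list and
    any member that cannot simply be read as source."""
    m = DATA_RE.search(script)
    if m is None:
        raise ValueError("no embedded DATA blob found")
    # Same decoding step the real main() performs, but into memory only.
    blob = base64.b85decode(m.group(1).replace(b"\n", b""))
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        raise ValueError("DATA blob is not a zip archive")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = {info.filename: info.file_size for info in zf.infolist()}
    # Compiled extensions or native binaries cannot be reviewed like .py
    # files, so list them separately for manual attention.
    suspicious = sorted(
        name for name in members
        if not name.endswith((".py", ".txt", ".cfg", ".md", ".rst", "/"))
    )
    return {
        "file_sha256": hashlib.sha256(script).hexdigest(),
        "blob_sha256": hashlib.sha256(blob).hexdigest(),
        "members": members,
        "needs_manual_review": suspicious,
    }


def verify_pinned(script: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded file against a digest obtained out of band.
    Hypothetical: the thread does not say pip publishes such a digest; it
    is the simplest form of the 'publish something checkable' idea."""
    return hashlib.sha256(script).hexdigest() == expected_sha256


if __name__ == "__main__":
    sample = build_sample_script()
    report = inspect_script(sample)
    for name, size in sorted(report["members"].items()):
        print(f"{size:8d}  {name}")
    print("file sha256:", report["file_sha256"])
    print("blob sha256:", report["blob_sha256"])
    print("needs manual review:", report["needs_manual_review"])
```

On a real download you would pass the bytes of the fetched get-pip.py to `inspect_script`; the member listing answers the question "what is actually in the blob", and a mismatch from `verify_pinned` tells you the file is not the one the publisher intended, which is a check that an HTTPS download from a trusted host does not give you by itself if the host or the CDN serving it is compromised.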

lock[bot] commented, Jun 2, 2019 (0 reactions)

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
