Closed Bug 1253583 Opened 10 years ago Closed 9 years ago

Verify the checksums of packages downloaded from S3 by the Python buildpack

Categories

(Tree Management :: Treeherder: Infrastructure, defect, P2)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: emorley, Assigned: emorley)

Details

The Heroku Python buildpack has pre-built versions of Python, that the buildpack downloads from their S3 bucket and extracts as part of the buildpack compile. However these aren't verified in any way (other than being transferred over HTTPS), so we could install a compromised version of Python and be none the wiser - which makes the hash-checking as part of pip install less useful. As such, I've added hash-checking support to the Python buildpack, and have a PR for that here: https://github.com/heroku/heroku-buildpack-python/pull/282 If/when that is merged, I'll update the Heroku apps to use the latest version of the buildpack.
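The kind of check the comment above argues for, as an added example that is not the buildpack's or the PR's code: a downloaded runtime archive is only accepted when its SHA-256 matches a pinned value from a manifest. The manifest format ("<sha256>  <filename>", as sha256sum prints it), the file names and the sample contents are assumptions constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the Heroku buildpack or the PR: refuse a
# downloaded runtime tarball unless its SHA-256 matches a pinned digest.
# Manifest format ("<sha256>  <filename>") and sample files are constructed.

# Compute the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the pinned digest for a filename; prints nothing if it is not pinned.
expected_sha256() {
  awk -v n="$2" '$2 == n { print $1; exit }' "$1"
}

# Succeeds only when the file's digest equals the pinned one. A file with no
# pin fails as well: a missing entry must not silently mean "trust it".
verify_download() {
  local manifest="$1" path="$2" name want have
  name=$(basename "$path")
  want=$(expected_sha256 "$manifest" "$name")
  if [ -z "$want" ]; then
    echo "no pinned checksum for $name" >&2
    return 1
  fi
  have=$(file_sha256 "$path")
  if [ "$have" != "$want" ]; then
    echo "checksum mismatch for $name: expected $want, got $have" >&2
    return 1
  fi
}

# Constructed demo data: a stand-in "tarball" containing "abc", pinned with the
# well-known SHA-256 of "abc", and a tampered copy under the same name.
DEMO_DIR=$(mktemp -d)
MANIFEST="$DEMO_DIR/sha256sums"
GOOD="$DEMO_DIR/good/python-3.5.1.tar.gz"
TAMPERED="$DEMO_DIR/bad/python-3.5.1.tar.gz"
mkdir -p "$DEMO_DIR/good" "$DEMO_DIR/bad"
printf 'abc' > "$GOOD"
printf 'abd' > "$TAMPERED"
echo "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  python-3.5.1.tar.gz" > "$MANIFEST"

if verify_download "$MANIFEST" "$GOOD"; then echo "pristine runtime: OK"; fi
if ! verify_download "$MANIFEST" "$TAMPERED"; then echo "tampered runtime: rejected"; fi
```

In a real compile step the verification would run between the download and the extraction, so a mismatch aborts the build before any untrusted bytes are unpacked.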
Rebased and added the sha256sums for the new geos and proj libraries that were added to master, but still waiting for the PR to be reviewed/merged.
Not exactly a helpful reply so far: """ I don't think I'm going to accept this — for a few reasons I won't get into here. I haven't decided yet though, so I'm leaving the PR open. """
Still waiting for a reply to me asking why he didn't want to accept the PR.
I've updated the PR against master several times, as other things landed. Still awaiting a reply as to whether it will be accepted however.
Rebased on master and added hashes for the new pypy 5.1.0 and 5.1.1 runtimes on cedar-14. Have also pinged Kenneth again.
After 3 months we now have a more detailed response & decision - they won't be accepting the feature: https://github.com/heroku/heroku-buildpack-python/pull/282#issuecomment-223881752 Which is fair enough - at least we know now :-)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
(And it's not worth us using a custom fork of the buildpack for it IMO)