I suppose semi-related to the current PyPI discussion is something that we discovered a while ago related to Debian package builds.
Typically, a Debian build rule will invoke `python setup.py build` at some point. Under some local build regimes (i.e. on my machine while testing a package build using sbuild), I can be fooled into thinking the build succeeds with only explicit dependencies, not specified in the setup.py, but in the debian/control file. In reality though, if a Debian dependency is missing, the local build will go out to PyPI and download the setup.py dependency. Because the output for this step can be buried in the hundreds of lines of package build output, I might not see that this happened.

Ultimately, the package build will fail on the official Ubuntu build machines, because they do not have access to the internet. That's the good news. The bad news is that I won't see this until I upload the package and I get the failure notice.

What we've been recommending for a while now is to add the following line to your debian/rules file:

-----snip snip-----
# Prevent setuptools/distribute from accessing the internet.
export http_proxy = http://127.0.9.1:9
-----snip snip-----

(Port 9 is the `discard` service, but the IP is historical.)

This prevents local builds from accessing PyPI under the radar and will allow your local builds to fail in a similar way to the build daemons, so that you can fix your dependencies before you upload them. (The line can cause some unwanted side-effects if you have a get-orig-source rule, but you can just unset http_proxy temporarily in that target's relevant shell command.)

(*Not* having the proxy line probably opens you up to local security issues such as are being discussed in these threads. With sbuild, the local builds always happen in a chroot with an overlay file system, but I wouldn't claim that those local build environments are bulletproof. Other people use `sudo pbuilder` locally, and that *would* be vulnerable to all the security issues being discussed here.)

Cheers,
-Barry
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
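An added worked example (editor's code, not part of Barry's post or of any Debian tooling) showing the two things a packager would want to confirm about the `export http_proxy = http://127.0.9.1:9` trick: that a proxy-honouring client really does fail fast when pointed at a loopback address with nothing listening on port 9, and that a given debian/rules file actually carries the export line. Assumptions: the host treats 127.0.9.1 as loopback (true on Linux, where all of 127/8 is loopback) and has no `discard` service bound there; the fetch uses urllib's explicit ProxyHandler rather than the environment so the result does not depend on the caller's shell, but setting `http_proxy` in the environment, as the rules line does, has the same effect on any client that honours it. The sample rules files are constructed; the `https_proxy` line in the first one is my addition, since PyPI is served over HTTPS today and a client that fetches `https://` URLs consults that variable rather than `http_proxy`.

```python
"""Probe the 'dead proxy' trick and lint debian/rules for the export line.

Editor's example, not code from the Catalog-SIG post. Assumes 127.0.9.1
is loopback with nothing listening on port 9 (the discard service).
"""
import re
import urllib.request

DEAD_PROXY = "http://127.0.9.1:9"  # the address from the post: loopback, port 9


def fetch_via_proxy(url, proxy=DEAD_PROXY, timeout=3.0):
    """Try to GET `url` through `proxy`. Returns (ok, reason).

    The proxy is passed explicitly so the outcome does not depend on the
    caller's environment. Connection refused, host unreachable, URLError
    and socket timeouts are all OSError subclasses, so one except covers
    every way the dead proxy can make the request fail.
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return True, "HTTP %s" % resp.status
    except OSError as exc:
        return False, repr(exc)


# Matches Make-style exports such as:  export http_proxy = http://127.0.9.1:9
EXPORT_RE = re.compile(
    r"^\s*export\s+(http_proxy|https_proxy)\s*[:?]?=\s*(\S+)", re.M
)
LOOPBACK_URL_RE = re.compile(r"https?://127\.\d+\.\d+\.\d+(:\d+)?/?$")


def rules_blocks_network(rules_text):
    """Return the set of proxy variables that `rules_text` (the contents of a
    debian/rules file) exports pointing at a loopback URL."""
    blocked = set()
    for var, value in EXPORT_RE.findall(rules_text):
        if LOOPBACK_URL_RE.match(value):
            blocked.add(var)
    return blocked


# Constructed sample debian/rules files, not taken from any real package.
RULES_WITH_PROXY = """\
#!/usr/bin/make -f
# Prevent setuptools/distribute from accessing the internet.
export http_proxy = http://127.0.9.1:9
export https_proxy = http://127.0.9.1:9

%:
\tdh $@ --with python2
"""

RULES_WITHOUT_PROXY = """\
#!/usr/bin/make -f
%:
\tdh $@ --with python2
"""

if __name__ == "__main__":
    ok, why = fetch_via_proxy("http://pypi.python.org/simple/")
    print("fetch through dead proxy:", "succeeded" if ok else "blocked", why)
    print("rules with proxy    ->", rules_blocks_network(RULES_WITH_PROXY))
    print("rules without proxy ->", rules_blocks_network(RULES_WITHOUT_PROXY))
```

Running the script on a Linux box prints a `ConnectionRefusedError` for the probe within milliseconds, which is exactly the behaviour you want a local sbuild or pbuilder run to exhibit instead of silently fetching from PyPI. The lint is deliberately narrow: it only recognises an export that points at a 127.x.x.x address, so a rules file that "exports" a real proxy is not mistaken for a network block.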
