Use requirements.txt as lockfile #30
Conversation
mailbox/requirements.in
Outdated
| @@ -0,0 +1 @@ | |||
| magic-wormhole-mailbox-server -e git+https://github.com/magic-wormhole/magic-wormhole-mailbox-server/tarball/4b358859ba80de37c3dc0a5f67ec36909fd48234#egg=magic-wormhole-mailbox-server | |||
There was a problem hiding this comment.
I think these github hashes (of magically-produced tarballs) are not stable...?
There was a problem hiding this comment.
That hash is the commit hash from the repo:
magic-wormhole/magic-wormhole-mailbox-server@4b35885
Pretty stable, you can also use a tag (but this is less stable).
Please note that the source URL did not change with this PR, we already used it before.
There was a problem hiding this comment.
Maybe it's a different thing, but there was some issue with using GitHub links (e.g. from the "Download" button, approximately). Maybe it was only for ZIPs?
There was a problem hiding this comment.
Had a chat with @hacklschorsch yesterday and he mentioned that the hashes from the archive have been differing in some cases. Here we use a Git hash to fix the source and we do not care about different archive hashes as long as they contain exactly the files which are from that Git hash we use.
There was a problem hiding this comment.
Right, okay that was it -- that the bits can change (so if you have a workflow that checks those, it'll fail -- but only "somtimes" e.g. when GitHub nukes a cache or something?)
There was a problem hiding this comment.
Can't we use the git hash to access the archive (w/o relying on git)?
Are you suggesting there could be some differences between sources cloned using Git CLI and those "mirrored" with plain HTTP(s)?
I was under the impression that tar and zip archives were part of Git itself (e.g.: git archive)!
There was a problem hiding this comment.
It still seems to work as expected with https only. At least for our purpose.
Pip freeze gives me the same result in both cases:
diff <(docker run --rm -t --entrypoint pip fab306454663 freeze) <(docker run --rm -t --entrypoint pip 64a7dd3f2103 freeze)
13c13
< magic-wormhole @ https://github.com/magic-wormhole/magic-wormhole/tarball/f66e759b2494d6713238d86eb0e8001f297ef553
---
> magic-wormhole @ git+https://github.com/magic-wormhole/magic-wormhole@f66e759b2494d6713238d86eb0e8001f297ef553
Only the second image is now 83MB bigger (not much, but still 50% increase!) and present a number of extra packages that could introduce more vulnerabilities:
19a20,21
> git-man/now 1:2.30.2-1+deb11u2 all [installed,local]
> git/now 1:2.30.2-1+deb11u2 amd64 [installed,local]
24a27
> less/now 551-2 amd64 [installed,local]
30a34,35
> libbrotli1/now 1.0.9-2+b2 amd64 [installed,local]
> libbsd0/now 0.11.3-1 amd64 [installed,local]
34a40
> libcbor0/now 0.5.0+dfsg-2 amd64 [installed,local]
36a43
> libcurl3-gnutls/now 7.74.0-1.3+deb11u7 amd64 [installed,local]
38a46,47
> libedit2/now 3.1-20191231-2+b1 amd64 [installed,local]
> liberror-perl/now 0.17029-1 all [installed,local]
41a51
> libfido2-1/now 1.6.0-2 amd64 [installed,local]
43a54
> libgdbm-compat4/now 1.19-2 amd64 [installed,local]
54a66,67
> libldap-2.4-2/now 2.4.57+dfsg-3+deb11u1 amd64 [installed,local]
> libldap-common/now 2.4.57+dfsg-3+deb11u1 all [installed,local]
56a70
> libmd0/now 1.0.3-3 amd64 [installed,local]
59a74
> libnghttp2-14/now 1.43.0-1 amd64 [installed,local]
67a83,84
> libperl5.32/now 5.32.1-4+deb11u2 amd64 [installed,local]
> libpsl5/now 0.21.0-1.2 amd64 [installed,local]
68a86,89
> librtmp1/now 2.4+20151223.gitfa8646d.1-2+b2 amd64 [installed,local]
> libsasl2-2/now 2.1.27+dfsg-2.1+deb11u1 amd64 [installed,local]
> libsasl2-modules-db/now 2.1.27+dfsg-2.1+deb11u1 amd64 [installed,local]
> libsasl2-modules/now 2.1.27+dfsg-2.1+deb11u1 amd64 [installed,local]
76a98
> libssh2-1/now 1.9.0-2 amd64 [installed,local]
86a109,115
> libx11-6/now 2:1.7.2-1 amd64 [installed,local]
> libx11-data/now 2:1.7.2-1 all [installed,local]
> libxau6/now 1:1.0.9-1 amd64 [installed,local]
> libxcb1/now 1.14-3 amd64 [installed,local]
> libxdmcp6/now 1:1.1.2-3 amd64 [installed,local]
> libxext6/now 2:1.3.3-1.1 amd64 [installed,local]
> libxmuu1/now 2:1.1.2-2+b3 amd64 [installed,local]
96a126
> openssh-client/now 1:8.4p1-5+deb11u1 amd64 [installed,local]
98a129
> patch/now 2.7.6-7 amd64 [installed,local]
99a131,133
Is this worth it? (I'm interested to know more about the risk you guys are talking about - also with @hacklschorsch)
There was a problem hiding this comment.
I was under the impression that tar and zip archives were part of Git itself (e.g.: git archive)!
I believe that's correct, but the output isn't stable. So if you have a process that checks hashes, it'll fail sometimes. (Certainly there are ways besides "use the github API" to get the sources of course, I was just highlighting that that particular method has a potential problem).
I believe this discusses the problem: https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/
There was a problem hiding this comment.
I don't believe that pip freeze incantation is doing anything to check the contents...? (e.g. like --require-hahes in pip might)
|
It seems to me that overall pinned requirements would best come from upstream, as is common in lots of other Python command-line application (e.g. |
Projects usually allow ranges of versions in order to work together with other dependencies, for example see magic-wormhole-mailbox-server/setup.py Line 33: That is the reason why we lock the dependency versions here in order to have a better reproducibility. |
|
The recommended approach is for libraries to be open-ended, but for programs to be way more specific (ideally, locking to precise versions). The latter is what e.g. magic-folder does: https://github.com/LeastAuthority/magic-folder/blob/main/requirements/base.txt |
|
(I suspect the |
Yeah, what I'm suggesting is that it could be better to put that effort upstream, since it makes sense to lock them there too. (That is, because it's "a program" and not "a library"). |
Then just open an issue upstream, this topic needs to be discussed there and reference this repo. |
|
Sure, please open a ticket -- I don't know your requirements nor what discussion you believe needs to happen? |
You had the idea to do this, there are no requirements outside of what we were talking about. So just go ahead. |
|
As for the upstream dependencies not (yet) been pinned, it could be improved (I can open an issue if that would help). |
|
The (Also, as I said above, if this effort was directed upstream in such a way that releases were done like this, more people would benefit and the actual upstream authors would hopefully take a look at the dependencies themselves) |
|
Used hashes with the Git repo which led to errors like We can try again, as we are back to the tarball now. |
|
Seems to work. Now we might get errors with archives having a different hash in the future, but that should be easy to fix. |
Thank you. At least, this should bring us a step closer to have an accurate view over the known vulnerabilities in our images. |
* avoid git package - unused since #30 * re-order and document steps * use environment variables as parameter * expose ports Signed-off-by: Benoit Donneaux <[email protected]>
* avoid git package - unused since #30 * re-order and document steps * use environment variables as parameter * expose ports Signed-off-by: Benoit Donneaux <[email protected]>
* avoid git package - unused since #30 * re-order and document steps * use environment variables as parameter * expose ports Signed-off-by: Benoit Donneaux <[email protected]>
* Improve Dockerfiles * avoid git package - unused since #30 * re-order and document steps * use environment variables as parameter * expose ports * Remove useless apt step --------- Signed-off-by: Benoit Donneaux <[email protected]>
The basic requirement is contained in
requirements.in.requirements.txtcan be updated by usingpip-compilefrom thepip-toolspackage.