Closed tbeadle closed 2 years ago
One small note to clarify a bit more: in order to protect any Python project, `pip-compile` is used to enforce the sha256 of each package, to avoid a project hack and replacement of the content. The problem is that when master.zip is specified, any update breaks the security checks, as the sha256 won't match.
`pip-compile` comes from this neat project: https://github.com/jazzband/pip-tools
Fixed the issue by removing sources from setup.py.
I also uploaded pyxlsb2 v0.0.8 and xlrd2 v1.3.4 to PyPI.
Will make sure that the pyxlsb2 and xlrd2 packages are updated more frequently, to avoid needing to add sources to setup.py...
Currently, in setup.py, the dependencies for pyxlsb2 and xlrd2 use:
This causes a problem for packages that depend on this one, such as https://github.com/kevoreilly/CAPEv2, where hashes are provided in their requirements.txt, because the hashes for pyxlsb2 and xlrd2 will change any time there is a commit to master. If that requirements.txt is changed to pin it to a specific commit (e.g. https://github.com/DissectMalware/pyxlsb2/archive/a751dc2c85f4134578232e0b1497d177775c2d2d.zip), `pip install -r requirements.txt` will (in addition to downloading that zip file) still try to download master.zip because of the declaration in XLMMacroDeobfuscator's setup.py, and, since there's no hash for master.zip in requirements.txt, it will fail:
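An added example (not code from this issue or from the XLMMacroDeobfuscator project) of the kind of check a downstream project could run over its requirements.txt before relying on pip's hash-checking mode: it flags requirement lines with no `--hash`, archive URLs of a moving branch such as master.zip, and URLs not pinned to a full commit hash. The requirements text and the sha256 values in it are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample requirements.txt modelled on the issue: a hashed release,
# a hashed commit-pinned archive, and an unhashed branch archive (master.zip).
# The sha256 values are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """\
xlrd2==1.3.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
https://github.com/DissectMalware/pyxlsb2/archive/a751dc2c85f4134578232e0b1497d177775c2d2d.zip \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
https://github.com/DissectMalware/pyxlsb2/archive/master.zip
"""

# Archive of a branch name: its content (and therefore its hash) changes on every push.
BRANCH_ARCHIVE = re.compile(r"/archive/(master|main|develop|HEAD)\.(zip|tar\.gz)$")
# Archive addressed by a full 40-hex-char commit id: content is stable.
COMMIT_ARCHIVE = re.compile(r"/archive/[0-9a-f]{40}\.(zip|tar\.gz)$")


def parse_requirements(text: str) -> List[str]:
    """Join backslash-continued lines and drop blank/comment lines, as pip does."""
    joined = text.replace("\\\n", " ")
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit_requirement(line: str) -> List[str]:
    """Return the hash-checking problems found for one requirement line."""
    problems = []
    spec = line.split()[0]  # the name/version or URL; options follow it
    if "--hash=" not in line:
        problems.append("no --hash (pip --require-hashes will refuse it)")
    if BRANCH_ARCHIVE.search(spec):
        problems.append("archive of a moving branch: hash changes on every commit")
    elif spec.startswith("http") and not COMMIT_ARCHIVE.search(spec):
        problems.append("URL not pinned to a full commit hash")
    return problems


def audit(text: str) -> Dict[str, List[str]]:
    """Map each problematic requirement spec to its list of problems."""
    report = {}
    for ln in parse_requirements(text):
        problems = audit_requirement(ln)
        if problems:
            report[ln.split()[0]] = problems
    return report


if __name__ == "__main__":
    for spec, problems in audit(SAMPLE_REQUIREMENTS).items():
        print(spec, "->", "; ".join(problems))
```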