pyvex package should not secretly download sources from github master

[rofl0r]

the pyvex package on pypi cheats and downloads the sources from current master. this results in

• no reproducible build result
• build-time dependency on the internet
• several times downloading the same stuff when the build fails
• pwned computer if someone impersonates github or breaks the account of someone with write access (the distro will much likely have a checksum of the pypi package, but not of intermediate stuff getting downloaded behind the back)

[rhelmot]

Can be done pretty easily. Pyvex is one of the oldest packages we maintain, and since the original version of it we've learned a lot about how to do package distribution with python. Thanks for bringing this to our attention.

[zardus]

The actual question of shipping VEX with pyvex on pypi aside, if you're using pypi to install all your packages (like we all do), then github probably isn't the weak link, security-wise :-)

[bannsec]

Funny thing, i was just thinking about this as well today. Would love to have angr fully installable from pypi.

[rhelmot]

This has been resolved in https://github.com/angr/pyvex/commit/fa1e969ede02b8a2420fdb907036136ff1feb63c. Well technically, it'll be resolved next time we make a release, but that should be any day now!