crossbario / crossbar

Crossbar.io - WAMP application router
https://crossbar.io/

SECURITY: Potential supply chain compromise #2078

Closed tnyblom closed 1 year ago

tnyblom commented 1 year ago

Hi,

I just tried to install crossbar using pip as a part of installing buildbot. However, it errored out and the packages it tries to download seem very suspicious (ethereal api/account etc).

$ pip3 install crossbar
Collecting crossbar
  Downloading crossbar-22.6.1-py2.py3-none-any.whl (843 kB)
     |████████████████████████████████| 843 kB 14.2 MB/s
Collecting txtorcon>=20.0.0
  Downloading txtorcon-23.0.0-py3-none-any.whl (260 kB)
     |████████████████████████████████| 260 kB 80.0 MB/s
Collecting lmdb>=1.1.1
  Downloading lmdb-1.4.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (298 kB)
     |████████████████████████████████| 298 kB 77.1 MB/s
Collecting bitstring>=3.1.5
  Downloading bitstring-4.0.2-py3-none-any.whl (46 kB)
     |████████████████████████████████| 46 kB 6.5 MB/s
Collecting hexbytes>=0.2.1
  Downloading hexbytes-0.3.0-py3-none-any.whl (6.4 kB)
Requirement already satisfied: txaio>=22.2.1 in /usr/local/lib/python3.9/dist-packages (from crossbar) (23.1.1)
Requirement already satisfied: constantly>=15.1.0 in /usr/local/lib/python3.9/dist-packages (from crossbar) (15.1.0)
Requirement already satisfied: cryptography>=2.6.1 in /usr/local/lib/python3.9/dist-packages (from crossbar) (40.0.2)
Collecting pycryptodome>=3.7.1
  Downloading pycryptodome-3.17-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
     |████████████████████████████████| 2.1 MB 79.4 MB/s
Collecting zlmdb>=22.6.1
  Downloading zlmdb-23.1.1-py2.py3-none-any.whl (74 kB)
     |████████████████████████████████| 74 kB 2.9 MB/s
Requirement already satisfied: setuptools>=36.2.7 in /usr/lib/python3/dist-packages (from crossbar) (52.0.0)
Collecting docker>=3.5.0
  Downloading docker-6.1.1-py3-none-any.whl (147 kB)
     |████████████████████████████████| 147 kB 89.6 MB/s
Requirement already satisfied: autobahn[compress,encryption,scram,serialization,twisted,xbr]>=22.6.1 in /usr/local/lib/python3.9/dist-packages (from crossbar) (23.1.2)
Collecting pytrie>=0.3
  Downloading PyTrie-0.4.0.tar.gz (95 kB)
     |████████████████████████████████| 95 kB 8.0 MB/s
Collecting cookiecutter>=1.6.0
  Downloading cookiecutter-2.1.1-py2.py3-none-any.whl (36 kB)
Collecting humanize>=0.5.1
  Downloading humanize-4.6.0-py3-none-any.whl (109 kB)
     |████████████████████████████████| 109 kB 108.9 MB/s
Collecting pynacl>=1.1.2
  Downloading PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl (856 kB)
     |████████████████████████████████| 856 kB 51.7 MB/s
Collecting werkzeug<2,>=0.14.1
  Downloading Werkzeug-1.0.1-py2.py3-none-any.whl (298 kB)
     |████████████████████████████████| 298 kB 72.8 MB/s
Collecting base58>=2.1.0
  Downloading base58-2.1.1-py3-none-any.whl (5.6 kB)
Collecting pygments>=2.2.0
  Downloading Pygments-2.15.1-py3-none-any.whl (1.1 MB)
     |████████████████████████████████| 1.1 MB 24.3 MB/s
Collecting urllib3>=1.26.8
  Downloading urllib3-2.0.2-py3-none-any.whl (123 kB)
     |████████████████████████████████| 123 kB 98.0 MB/s
Collecting setproctitle>=1.1.10
  Downloading setproctitle-1.3.2-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (30 kB)
Collecting stringcase>=1.2.0
  Downloading stringcase-1.2.0.tar.gz (3.0 kB)
Collecting web3>=5.13.1
  Downloading web3-6.3.0-py3-none-any.whl (574 kB)
     |████████████████████████████████| 574 kB 73.6 MB/s
Collecting treq>=20.4.1
  Downloading treq-22.2.0-py3-none-any.whl (64 kB)
     |████████████████████████████████| 64 kB 2.3 MB/s
Collecting iso8601>=0.1.12
  Downloading iso8601-1.1.0-py3-none-any.whl (9.9 kB)
Collecting priority<2.0,>=1.1
  Downloading priority-1.3.0-py2.py3-none-any.whl (11 kB)
Collecting pyqrcode>=1.2.1
  Downloading PyQRCode-1.2.1.zip (41 kB)
     |████████████████████████████████| 41 kB 1.2 MB/s
Requirement already satisfied: pyyaml>=4.2b4 in /usr/local/lib/python3.9/dist-packages (from crossbar) (6.0)
Collecting MarkupSafe<2,>=1.1.1
  Downloading MarkupSafe-1.1.1-cp39-cp39-manylinux2010_x86_64.whl (32 kB)
Collecting sdnotify>=0.3.1
  Downloading sdnotify-0.3.2.tar.gz (2.5 kB)
Collecting eth-typing>=2.2.2
  Downloading eth_typing-3.3.0-py3-none-any.whl (6.3 kB)
Collecting hyperframe<6.0,>=5.2
  Downloading hyperframe-5.2.0-py2.py3-none-any.whl (12 kB)
Collecting cbor2>=5.2.0
  Downloading cbor2-5.4.6-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (223 kB)
     |████████████████████████████████| 223 kB 106.6 MB/s
Collecting pyopenssl>=17.1.0
  Downloading pyOpenSSL-23.1.1-py3-none-any.whl (57 kB)
     |████████████████████████████████| 57 kB 4.8 MB/s
Collecting pyasn1>=0.4.5
  Downloading pyasn1-0.5.0-py2.py3-none-any.whl (83 kB)
     |████████████████████████████████| 83 kB 1.9 MB/s
Collecting cfxdb>=22.6.1
  Downloading cfxdb-23.1.1-py2.py3-none-any.whl (290 kB)
     |████████████████████████████████| 290 kB 59.6 MB/s
Collecting mistune>=0.8.4
  Downloading mistune-2.0.5-py2.py3-none-any.whl (24 kB)
Collecting jinja2-highlight>=0.6.1
  Downloading jinja2-highlight-0.6.1.tar.gz (3.4 kB)
Requirement already satisfied: incremental>=17.5.0 in /usr/local/lib/python3.9/dist-packages (from crossbar) (22.10.0)
Collecting passlib>=1.7.1
  Downloading passlib-1.7.4-py2.py3-none-any.whl (525 kB)
     |████████████████████████████████| 525 kB 69.8 MB/s
Collecting prompt-toolkit>=2.0.10
  Downloading prompt_toolkit-3.0.38-py3-none-any.whl (385 kB)
     |████████████████████████████████| 385 kB 79.7 MB/s
Collecting pyasn1-modules>=0.2.4
  Downloading pyasn1_modules-0.3.0-py2.py3-none-any.whl (181 kB)
     |████████████████████████████████| 181 kB 119.8 MB/s
Collecting parsimonious>=0.8.1
  Downloading parsimonious-0.10.0-py3-none-any.whl (48 kB)
     |████████████████████████████████| 48 kB 11.0 MB/s
Requirement already satisfied: jinja2>=2.10.1 in /usr/local/lib/python3.9/dist-packages (from crossbar) (3.1.2)
Collecting watchdog>=0.8.3
  Downloading watchdog-3.0.0-py3-none-manylinux2014_x86_64.whl (82 kB)
     |████████████████████████████████| 82 kB 366 kB/s
Requirement already satisfied: twisted[conch,http2,tls]>=21.7.0 in /usr/local/lib/python3.9/dist-packages (from crossbar) (22.10.0)
Collecting netaddr>=0.8.0
  Downloading netaddr-0.8.0-py2.py3-none-any.whl (1.9 MB)
     |████████████████████████████████| 1.9 MB 81.3 MB/s
Requirement already satisfied: requests>=2.20.0 in /usr/lib/python3/dist-packages (from crossbar) (2.25.1)
Collecting colorama>=0.4.3
  Downloading colorama-0.4.6-py2.py3-none-any.whl (25 kB)
Collecting service-identity>=17.0.0
  Downloading service_identity-21.1.0-py2.py3-none-any.whl (12 kB)
Collecting morphys>=1.0
  Downloading morphys-1.0-py2.py3-none-any.whl (5.6 kB)
Collecting tabulate>=0.7.7
  Downloading tabulate-0.9.0-py3-none-any.whl (35 kB)
Collecting bcrypt>=3.1.6
  Downloading bcrypt-4.0.1-cp36-abi3-manylinux_2_28_x86_64.whl (593 kB)
     |████████████████████████████████| 593 kB 72.7 MB/s
Collecting psutil>=5.8.0
  Downloading psutil-5.9.5-cp36-abi3-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (282 kB)
     |████████████████████████████████| 282 kB 81.3 MB/s
Collecting u-msgpack-python>=2.4.1
  Downloading u_msgpack_python-2.7.2-py2.py3-none-any.whl (10.0 kB)
Requirement already satisfied: idna>=2.5 in /usr/lib/python3/dist-packages (from crossbar) (2.10)
Collecting py-ubjson>=0.9.0
  Downloading py-ubjson-0.16.1.tar.gz (50 kB)
     |████████████████████████████████| 50 kB 11.0 MB/s
Collecting click>=7.0
  Downloading click-8.1.3-py3-none-any.whl (96 kB)
     |████████████████████████████████| 96 kB 10.7 MB/s
Collecting wsaccel>=0.6.2
  Downloading wsaccel-0.6.4-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (815 kB)
     |████████████████████████████████| 815 kB 92.1 MB/s
Collecting ujson>=5.1.0
  Downloading ujson-5.7.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (52 kB)
     |████████████████████████████████| 52 kB 2.8 MB/s
Requirement already satisfied: zope.interface>=4.4.2 in /usr/local/lib/python3.9/dist-packages (from crossbar) (6.0)
Collecting flask>=1.1.1
  Downloading Flask-2.3.2-py3-none-any.whl (96 kB)
     |████████████████████████████████| 96 kB 13.0 MB/s
Collecting h2<4.0,>=3.2
  Downloading h2-3.2.0-py2.py3-none-any.whl (65 kB)
     |████████████████████████████████| 65 kB 4.2 MB/s
Collecting sortedcontainers>=2.4.0
  Downloading sortedcontainers-2.4.0-py2.py3-none-any.whl (29 kB)
Collecting numpy>=1.20.0
  Downloading numpy-1.24.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (17.3 MB)
     |████████████████████████████████| 17.3 MB 84.6 MB/s
Collecting py-eth-sig-utils>=0.4.0
  Downloading py_eth_sig_utils-0.4.0-py3-none-any.whl (11 kB)
Collecting xbr>=21.2.1
  Downloading xbr-21.2.1-py2.py3-none-any.whl (1.1 MB)
     |████████████████████████████████| 1.1 MB 29.3 MB/s
Requirement already satisfied: attrs>=17.2.0 in /usr/local/lib/python3.9/dist-packages (from crossbar) (23.1.0)
Collecting importlib-resources>=4.1.1
  Downloading importlib_resources-5.12.0-py3-none-any.whl (36 kB)
Collecting validate-email>=1.3
  Downloading validate_email-1.3.tar.gz (4.7 kB)
Requirement already satisfied: six>=1.13.0 in /usr/lib/python3/dist-packages (from crossbar) (1.16.0)
Collecting eth-account>=0.5.4
  Downloading eth_account-0.8.0-py3-none-any.whl (102 kB)
     |████████████████████████████████| 102 kB 81.2 MB/s
ERROR: Invalid requirement: 'eth-abi@ git+https://github.com/ethereum/eth-abi.git@v4.0.0-beta.2#egg=eth-abi; extra == "xbr"'
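The log above is the dependency resolver talking; the security-relevant part is that one of the declared requirements is a direct reference (a `name @ git+https://...` URL with an `extra == "xbr"` marker), i.e. code that would be fetched from a Git repository rather than from the package index. A wheel is a plain zip file, so its declared dependencies can be audited offline before anything is installed. The following script is an added example, not code from Crossbar.io, pip or this issue: it parses `Requires-Dist` lines from a wheel's `METADATA` using only the standard library and reports direct references, unconditional dependencies, and which extras gate the rest. The `SAMPLE_METADATA` is constructed for the demo (the package name `example-router` is made up); its `eth-abi` line reproduces the requirement string pip rejected above, the other lines reuse a few package names from the log with both spellings of a version specifier found in real metadata.

```python
"""Audit the dependencies a wheel declares before installing it.

Added example, not code from Crossbar.io, pip or this issue. It reads the
Requires-Dist lines of a wheel's METADATA (PEP 508 requirement syntax) with
the standard library only and reports what a supply-chain review cares
about: direct references (name @ URL, i.e. code fetched from outside the
index), unconditional dependencies, and which optional extras gate the rest.
"""
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Dep:
    name: str                   # normalised distribution name
    url: Optional[str]          # set only for a direct reference (name @ URL)
    spec: str                   # version specifier, e.g. ">=20.0.0"
    marker: str                 # environment marker after ';', may be empty
    requested_extras: Set[str]  # extras requested of the dependency itself
    gated_by: Set[str]          # extras of the installing package that enable it


_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[([^\]]*)\])?\s*(.*)$")
_EXTRA_RE = re.compile(r"""extra\s*==\s*['"]([^'"]+)['"]""")


def normalise(name: str) -> str:
    """PEP 503 normalisation so 'PyNaCl' and 'pynacl' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requires_dist(value: str) -> Dep:
    """Parse one Requires-Dist value. Handles 'name (>=1.0)' and 'name>=1.0'."""
    req, _, marker = value.partition(";")      # marker comes after ';'
    req, marker = req.strip(), marker.strip()
    url = None
    if "@" in req:                             # direct reference: rest after first '@'
        req, _, url = req.partition("@")
        req, url = req.strip(), url.strip()
    m = _NAME_RE.match(req)
    if not m:
        raise ValueError("unparseable requirement: %r" % value)
    name, extras, spec = m.groups()
    return Dep(
        name=normalise(name),
        url=url,
        spec=spec.strip().strip("()").strip(),
        marker=marker,
        requested_extras={e.strip() for e in extras.split(",")} if extras else set(),
        gated_by=set(_EXTRA_RE.findall(marker)),
    )


def audit_metadata(metadata_text: str) -> Dict[str, object]:
    """Summarise the Requires-Dist entries of a METADATA file."""
    deps = [
        parse_requires_dist(line.split(":", 1)[1])
        for line in metadata_text.splitlines()
        if line.startswith("Requires-Dist:")
    ]
    by_extra: Dict[str, List[str]] = {}
    for d in deps:
        for extra in sorted(d.gated_by):
            by_extra.setdefault(extra, []).append(d.name)
    return {
        "direct_references": [d for d in deps if d.url],
        "unconditional": [d.name for d in deps if not d.marker],
        "by_extra": by_extra,
    }


def audit_wheel(path: str) -> Dict[str, object]:
    """Same audit on a downloaded .whl (a zip archive) without installing it."""
    with zipfile.ZipFile(path) as zf:
        meta = next(n for n in zf.namelist() if n.endswith(".dist-info/METADATA"))
        return audit_metadata(zf.read(meta).decode("utf-8"))


# Constructed sample METADATA for the demo (package name is made up). The
# eth-abi line reproduces the requirement string pip rejected in the issue.
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: example-router
Version: 0.0.0
Provides-Extra: xbr
Requires-Dist: txtorcon (>=20.0.0)
Requires-Dist: PyNaCl>=1.1.2
Requires-Dist: web3 (>=5.13.1) ; extra == "xbr"
Requires-Dist: eth-account>=0.5.4 ; extra == "xbr"
Requires-Dist: eth-abi@ git+https://github.com/ethereum/eth-abi.git@v4.0.0-beta.2#egg=eth-abi ; extra == "xbr"
"""

if __name__ == "__main__":
    report = audit_metadata(SAMPLE_METADATA)
    for d in report["direct_references"]:
        print("DIRECT REFERENCE (not from the index):", d.name, "->", d.url,
              "gated by", sorted(d.gated_by))
    print("unconditional:", report["unconditional"])
    print("by extra:", report["by_extra"])
```

To run it against the real artifact, fetch the wheel without installing it (`pip download --no-deps --only-binary=:all: crossbar`) and pass the `.whl` path to `audit_wheel`; `--only-binary` matters because preparing an sdist can execute its build script, whereas a wheel is only unpacked. Note also that the log above shows crossbar requesting `autobahn[...,xbr]` and the rejected requirement gated by `extra == "xbr"`, so the audit is worth repeating on each dependency whose extras the top-level package requests.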

tnyblom commented 1 year ago

After some more digging this seems to be on purpose. But expecting to install a message broker and getting cryptocurrency libraries unfortunately makes this a no-go for us.

oberstet commented 1 year ago

Yes, this is on purpose. However, you are mixing things up: Ethereum is a blockchain, not a cryptocurrency.

The use case with Crossbar.io is:

The routers of Alice and Bob can mesh up via router-to-router links and provide one uniform, transparent realm that spans both routers.

Now, how do Alice, Bob and Carol establish trust in each other?

There is no single, centralized entity; router nodes and realms are fully decentralized. Ethereum is used as the decentralized infra for that.

Users can use the public Ethereum mainnet blockchain, or any other Ethereum compatible blockchain instance.