warpfork
commented
1 year ago Hi! I see some enthusiasm here that I love 🎉
Let's say I'm someone who's already 10,000% sold on the value of reproducible builds and reproducible interactions with package management systems (I am!) and also already 100,000% sold on the value of doing it with content addressed data and data-structures (I am!). But also a tad unfamiliar with python packaging ecosystems :) and so could use some more background and connective information about how this project hopes to impact that space specifically.
- Can you give me a little more run-down and comparison to alternative systems?
- I know there's a lot of package systems in python, so a quick table or even just bulleted list of quickcompares would be immensely useful for helping readers understand why a new project is needed!
- This project description jumps pretty directly to describing itself in terms of Conda. Why Conda? Why about Conda channels makes them recurring concept in the description?
- Assume I don't know python packaging ecosystems -- how do I explain this choice to another person who also isn't familiar with python packaging ecosystems? (Even assuming we both care about the domain and outcomes!)
- Will this project depend on the continued existence and community of Conda to continue containing up-to-date information itself?
- Will this project "export" concepts from Conda to its downstream consumers? Will I need to read Conda docs to understand it, or use Conda tools to consume it?
- I see pip and pypi referred to also, but again, if the audience isn't an every-day-is-python developer, the map here is hazy and would benefit from more explanation :)
- I think it would be especially great to talk about what kind of data structures will be produced... And ideally, in terms of what new tools could do in navigating them.
- For example, I was recently at the Reproducible Builds Summit, and the community there talked at length about building "binary transparency logs" and "package release transparency logs", i.e. analogous to the transparency logs we nowadays have for TLS certs to make sure there's no misbehaviors or surprise-updates in the wild that would defy expectations.
- Will this project export data structures that might be desirable and easy to use to build such a (general, non-python-specific) PRTL service in the future?
- For example, I was recently at the Reproducible Builds Summit, and the community there talked at length about building "binary transparency logs" and "package release transparency logs", i.e. analogous to the transparency logs we nowadays have for TLS certs to make sure there's no misbehaviors or surprise-updates in the wild that would defy expectations.
- Which of these goals are key, and which are stretch?
- Some examples of things I'm a little surprised by because they seem like large scope or quite tangental (unless there's a connection I've not intuited -- but then others could probably use the explanation too)...
- "sandbox runner based on libseccomp" -> as someone who's worked in this area before, this sounds like a very big subtask :) How critical is this? Is there something off-the-shelf you will use? What happens if you don't do this, or it turns out to be a much bigger task than you expected, or turns out to be fragile even when completed, etc?
- What's the relevance of BitTorrent BEP-30?
- Some examples of things I'm a little surprised by because they seem like large scope or quite tangental (unless there's a connection I've not intuited -- but then others could probably use the explanation too)...
- Generally I think it would be nice to hear quite a bit more about potential risks and how to manage them, beyond "people don't use it" :) Why would that happen? Can we think of some reasons, and try to address them in advance (or even dismiss them, but knowingly)?
- What's this about "We can't lock down absolutely everything but there are things we can do to help." -- if there's a sandbox running based on seccomp... what can't be done? Would love an enumeration of what's seen as possible, and what's left as "impossible".
- I'm getting slightly mixed signals about who is involved, fwiw :) Maybe this has been more discusses elsewhere or offline, but from this doc above: I see both several specific names, but also a description of roles that need to be filled. Are the names already listed... People who have seens this design doc? Are interested and contributed revisions or reviews to the proposal? Will be continuingly involved in review or as downstream users? Will work directly on the project, or, will be working in parallel directions regardless of this grant? Are the other company names involved, or? Friends and additional eyeballs are always good, but I'm curious what degree of interest/alignment/commitment are being expressed :)
Thanks in advance for any more clarifications you can share :) I really am deeply excited by all work in this space!
raoramesh
ErinOCon
Open Grant Proposal:
Secure package repo for python Name of Project: Secure package repo for python
Proposal Category: Choose one of
core-dev,app-dev,devtools-libraries,integration-adoption,technical-design,docs,community,metaverse,research,greenLearn what these categories are here: https://github.com/filecoin-project/devgrants/tree/master/open-grants#readmeapp-dev
Proposer: prozacchiwawa
(Optional) Technical Sponsor:
If you have previously discussed this project with a member of the IPFS or Filecoin project teams and they have agreed to be a technical sponsor, include their name and/or github handle hereNoneDo you agree to open source all work you do on behalf of this RFP and dual-license under MIT, APACHE2, or GPL licenses?: Please respond with either "Yes" or "No" Yes
Project Description
An intrusive sandbox runner for pip that takes control of its package discovery and provides a pip compatible redirect structure around a conda channel that’s built on IPFS. Python installations will be able to be pinned to a single snapshot of the captured ecosystem simply by specifying the channel version they want to track. Conda doesn’t on its own version channels, but it will be possible to use IPFS infrastructure to provide a simple permanent history that allows the channel to be viewed both as updating through time and via its snapshots and allows software using pip to share this property.
The ultimate goal is to leverage IPFS features to provide an explorable, provable repository that serves pip and conda users allowing a single ecosystem snapshot to be imposed on a set of installers without modifying the software itself inside, regardless of how it functions.
This is because there is a lack of visible central coordination in the pip repository for discovering a trusted set of python packages, and for ensuring that one receives a reproducible set of packages every time an installation is performed. Malicious packages appear in the python repository somewhat frequently and hijacking of older packages is possible. Because pip doesn’t have a single downloadable index, it takes effort to track the comings and goings of packages in the repo and takes effort to make snapshots of. Files are advertised with sha256 hashes of themselves, but package indices aren’t and there’s no guarantee that the retrieved indices for individual packages reflect an evolution of a prior index state in a reasonable way. In addition, there are various means of hijacking that can allow an attacker to add new packages to an old package index and catch out uncareful setup processes.
Conda is a more consistent experience as it focuses more on metadata. Channels work adequately as a way of delivering a consistent package set for some purpose but have drawbacks:
You can snapshot your own dependencies but it’s entirely up to you. Something more like stack’s haskell lts versions would work just as well for most people and be safer. Conda channels lack a way of identifying a specific head state for the whole channel. Many installation systems use pip and can be vulnerable to malicious inputs, so conda won’t solve every problem even with an architecture focused on snapshotting and dependency management.
Proposed is a way of accommodating pip based python installations with incomplete dependency information by providing a surrogate upstream for pip while managing the actual package repository via a conda channel that provides easily discoverable snapshot channels useful in locking down a single ecosystem snapshot.
The structure of pip’s package system is very simple: Pip retrieves an index document, usually https://pypi.org/simple/ which is unversioned. This is an html file containing links to package indices which are unversioned. Pip retrieves a package index and that contains links to individual files with sha256 fragments. Pip requests the package it wants based on its constraint solver and the version number in the filename and is redirected to the contents of that file. Pip runs setup.py from the package and literally anything is possible.
Pip itself has a mixed record of ensuring even that all of its own traffic is done via proxy when specified and there’s currently no way to force imported packages to use a specific proxy or index if they choose not to in their own setup code. An intrusive approach to this using sandboxing would allow the installation and all subprocesses to be captured and directed to a specific snapshot.
Value
The Python ecosystem has emerged as the basis of much scientific computing. However, problems associated with bugs and vulnerabilities persist, and are underpinned by an absence of secured provenance in Python. While our overall, longer-term goal is to create the basis of a framework of a secure infrastructure for much computing, we propose a simple first step that secures data calls against unverified code. The value proposition is to exhibit IPFS as a tool for verifiability and reproducibility in more scenarios and encourage adoption by making an easy path to hosting one’s own python ecosystem snapshots, not only ensuring that the software one uses is always accessible but also sharing the upkeep responsibility with others on the same snapshot. Those who provide paid storage might take this on as a simple value add for storing things.
What's gained by providing this:
This provides users with a simple way to pin the python ecosystem at a specific moment in time and use that forever. There’s no danger that software built on it will stop working if you host your snapshot, and it would work well even with tricky situations such as docker builds that use pip or tricky package installs that use pip recursively to adjust the available packages. At the very least, it can be used to surface instances where the software being installed would leave the user’s control and allow action to be taken. There is a long tail of python packages, such as pytorch, scikit-learn, airflow, ray, tensorstore, matplotlib and others which are important in the python ecosystem but whose setup.py code is complex, not declarative and relies on interaction with upstream packaging and recursive use of setuptools, and while they aren't the majority several are very popular and their presence introduces uncertainty about what code in practice will actually be pulled when the python environment is set up. Some tools exist to make one's own code more predictable, but nothing currently prevents adjustments and additional traffic made by upstream packages while they're installing. We can't lock down absolutely everything but there are things we can do to help.
Some risks:
It just seems like a bad idea to many and nobody uses it. It could wind up taking longer than intended to replicate the pypi head end API due to performance, scaling or oddities in the way these HTTP endpoints are called by pypi. Bugs at the sandbox API level or holes in our API coverage leading to installations downstream being exposed to an uncurated view of the pypi ecosystem when it’s not expected. Same but allowing privilege escalation. While nothing prevents python packages from using the user’s privilege now to do basically anything, users might be less vigilant when their expectation is that they’re protected by having package installation confined to the LTS. This attack vector would be possible when users are using an old version of the sandbox code or the exploit is very new, are attempting an upgrade to a new snapshot and that newer snapshot has captured malware from the broader ecosystem without it being detected.
Deliverables
The final deliverables of this project:
A wide ecosystem build of whatever packages exist in pypi’s view, with as many built as possible using the most recent few revisions with all artifacts and discovery in a conda channel, stored on IPFS, along with scripts to gather, build, adjust and publish it. A sandbox runner that wraps pip but uses a conda channel as its package repo, providing a local proxy and ensuring that a view is presented that captures the preferred conda channel overlaying any other packages that can be retrieved using the user’s own proxy setting. HTML content and simplified url resolution pointing to packages sources will be synthesized from conda’s channel description json and html retrieved from the user’s other proxy source. An installer for linux, windows and mac that places a runnable replacement for pip in $HOME/.local/bin and gives an environment bundle to import into shells that aren’t interactive. A website describing the project which provides installer download and describes how to provide a data mirror or a repeatable builder.
Development Roadmap
The process will start with ad-hoc tools that support bringing up support:
Infrastructure to provide ecosystem collections and builds
Scripts to build channel inputs from requirements.txt, mostly for testing.
1 Person, less than a week. ($2000)
A pip proxy mimicking the url organization of pypi that uses conda style repodata and channeldata for package resolution, providing only the packages that exist in that data. Simple pip and setuptools installs should be able to work correctly using this proxy with an appropriate package set specified. This will be a flask app.
1 Person, likely about a month of effort. ($8000)
IPFS mirroring tool that copies the conda channel into IPFS space and rewrites configuration json to match, emitting a top level URL and sufficient cryptographic evidence to validate the description files, probably encoding them as a merkle tree as in bittorrent’s bep-30 (http://bittorrent.org/beps/bep_0030.html) and exporting the merkle root.
1 Person, likely about 3 weeks of effort. ($6000)
CI script which snapshots package versions from the pip ecosystem for later use by the build system.
1 Person, 1 week. ($2000)
CI script which, given an ecosystem snapshot runs antimalware scanners on the snapshotted data and flags
1 Person, 2 weeks. ($4000) AWS costs may occur here.
CI script which given an approved list of rebuilds and version number rewrites (for example, for packages whose contents changed in the same version), creates architecture specific wheels for amd64, aarch64, win64 and later mac m1 for packages that have comprehensible wheel builds in these environments (at first):
1 Person, 4 weeks. ($8000) AWS costs occur here.
CI script which finalizes a conda channel build, storing in IPFS and giving a full channel URL.
1 Person, 1 week. ($2000)
CI script to mark a channel build as released and give an official URL to it.
1 Person, 1 day. ($400)
Create a subscription membership system and payment reception based on existing payment API.
1 Person, 2 weeks. ($4000)
Membership gives higher priority votes in governance, priority to issues and access to early channel definitions.
To start the intrusive part, bring up a sandbox runner based on libseccomp that affects subprocesses that:
1 Person, 4 weeks. ($8000)
Build a basic curl | sh install for linux x64 and some preinstalled docker images (ubuntu, coreos, alpine) that start pre-sandboxed.
1 Person, 1 week. ($2000)
Build the base LTS version of the ecosystem and publish the first snapshot url.
1 Person, 1.5 weeks or so to get every build shepherded. ($3000) This will consume AWS resources to do quickly.
Build a dogfooded flask based website for the experimental service encouraging others to try it.
1 Person, 2 days. ($800)
At this point, we can start delivering releases to users to try
Provide a fallback classic libsandbox version.
1 Person, 3 days. $(1200)
Metric monitoring and scaling to provide regular updates, verify load on IPFS nodes and ensure proper scaleout for storage.
1 Person,
Use the website to promote experimenting with the system and giving feedback.
Tweet.
Adjust composition and pace based on feedback while exercising the CI and cloud tools.
Housekeeping.
Get in touch with users to begin discussing a desired path to distributed governance.
Likely 3-4 days accumulated time. ($1600)
Enhance the proxy to support a union of conda channels in case users want to access packages retired from later LTS versions or from other conda channels via classic pip, possibly giving better flexibility.
Windows support using debug API to ensure that the desired snapshot can’t be escaped easily.
1 Person, 2 weeks. ($4000)
MacOS support based on macos’ seatbelt API (re: chromium documentation).
1 Person, 2 weeks. ($4000)
From here on are nice to have features
Recognize attempts to load nonstandard setuptools and warn.
1 Person, 2-3 days (and ongoing improvement). ($1200)
Provide the option of detecting any path by which packages land in python's install arena (including those copying files ad-hoc and via alternate packaging systems) and allow warning, hard failure or a predetermined action, such as overwriting it with a version from the collection.
1 Person, 2 weeks. ($4000)
Gently redirect attempts to load an own or nonstandard setuptools to an appropriate standard one if the API shape can be matched, otherwise abort (or warn).
This is something for which a crude system can be delivered that detects obviously inconsistent assumptions and can be refined.
1 Person, Initially, about 1 week. ($2000)
Respond to community process by allowing users to conveniently flag packages to be reviewed in addition to the measures already in place to detect malware. Develop some online infrastructure to make this easier.
1 Person, Ongoing, initially 1 week or so. ($2000)
Ongoing costs:
AWS
est. ($10000)
Ongoing maintenance, community response, package vetting, IT.
2 IT/devrel people, ongoing for 1 year:
($150000) (2 junior-mid people, 1 year).
Ongoing management (part time).
2 1 Person, ongoing. ($30000).
Total Budget Requested
$256k The Python ecosystem has emerged as the basis of much scientific computing. However, problems associated with bugs and vulnerabilities persist, and are underpinned by an absence of secured provenance in Python. While our overall, longer-term goal is to create the basis of a framework of a secure infrastructure for much computing, we propose a simple first step that secures data calls against unverified code.
Maintenance and Upgrade Plans
It is hoped that membership will allow enough income to come in that at least one full time IT person will be able to continue vetting the ecosystem on at least a quarterly basis after the first year, along with support from those using the build wrapper and its package set.
Team
Art Yerkes 2 To hire.
Team Members
Coding1 - team lead: Art Yerkes (20+ years as software engineer -network protocols,media streaming and networked software, distributed ledgers; engine team at bittorrent, now chialisp at chia).
Coding2- TBD
Coding3- TBD
Management/Support: John Ryan, Ramesh Rao, Dan Conway, Jim Gettys (AI, decentralized tech)
Team Member LinkedIn Profiles
https://www.linkedin.com/in/artyerkes/
https://www.linkedin.com/in/jimgettys/
https://www.linkedin.com/in/johnconorryan/
https://www.linkedin.com/in/raoramesh/
https://www.linkedin.com/in/daniel-conway-b0a10b11/
Team Website
https://muinin.net
Relevant Experience
Art Yerkes 20+ years as software engineer (network protocols, media streaming and networked software, distributed ledgers with 3 patents in related areas); a lead coder at BitTorrent
Jim Gettys DEC, Bell Labs; creator of X Window System; V.P. of Software OLPC; HTTP/1.1 Editor; BS MIT and CS researcher, MIT, long association with Reproducible Builds / Debian project
Dan Conway Advisor on AI and decentralized technologies to military and communications tech leaders. Ph.D., Indiana University, Professor, Univ. of Arkansas blockchain center of excellence.
Ramesh Rao Software and executive lead at several tech startups in Silicon Valley and Hyderabad, India,IBM Research labs, Bell Labs, Racal, Imperial College, Ph.D. University of Surrey -Medical Imaging algorithms, massively parallel systems and distributed computing
John Ryan Dweb, Google [x], Taiwanese ODMs, Monitor Group corporate strategy, etc. Multiple startups. Ph.D. Physics, Imperial College
Team code repositories
https://github.com/prozacchiwawa/
Additional Information
Learnt about the Open Grants Program at filecoin presentation at dweb 2022
john@muinin.net