Open jku opened 4 years ago
Multiple pip installs should work fine: each install has bootstrap metadata for pypi.org (the root.json version might not be the same, but refreshing that metadata will converge to the same up-to-date metadata). The first version to run will bootstrap the metadata into .local/share/ and that will be used by all versions from that point on.
There is a security aspect: if an attacker can create or modify the bootstrapped metadata location .local/share/, the pip installs have no way of verifying whether the current metadata is 'compatible' with their bootstrap metadata: they will just run with whatever metadata is already installed.
This is not ideal but should lead to DoS at worst?
This is looked at upstream in https://github.com/theupdateframework/tuf/issues/1168
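The check the issue says pip currently lacks, written out as an added example (not pip's or python-tuf's code): walk from the bundled bootstrap root over the root.json versions found in the cache and accept them only if each one chains from the previous by the TUF root-rotation rule (correct next version, signed by a threshold of the previous root's keys and of its own keys). The keys are a constructed textbook-RSA toy standing in for Ed25519 and the metadata dicts are built inline instead of being read from ~/.local/share/pip/tuf; `root_metadata`, `verify_root_chain` and the other names are this example's own.

```python
import hashlib
import json


# Toy textbook-RSA keys built from Mersenne primes (constructed, NOT secure;
# a stand-in for the Ed25519 keys real TUF metadata is signed with).
def _toy_key(kp: int, kq: int):
    p, q = 2**kp - 1, 2**kq - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    pub = {"n": n, "e": e}
    keyid = hashlib.sha256(json.dumps(pub, sort_keys=True).encode()).hexdigest()[:16]
    return keyid, pub, d


def _h(data: bytes) -> int:
    # 80-bit truncated digest so the value is below even the smallest toy modulus
    return int.from_bytes(hashlib.sha256(data).digest()[:10], "big")


def canonical(signed: dict) -> bytes:
    """Deterministic encoding of the 'signed' section (what gets signed)."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(signed: dict, keyid: str, pub: dict, d: int) -> dict:
    return {"keyid": keyid, "sig": pow(_h(canonical(signed)), d, pub["n"])}


def verify(pub: dict, sig: int, data: bytes) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _h(data)


def root_metadata(version: int, keys: dict, threshold: int) -> dict:
    """Minimal root 'signed' section: the key set and the root role only."""
    return {"_type": "root", "version": version, "keys": dict(keys),
            "roles": {"root": {"keyids": sorted(keys), "threshold": threshold}}}


def count_valid(envelope: dict, trusted_root: dict) -> int:
    """Number of distinct root-role keys of trusted_root that validly signed envelope."""
    role = trusted_root["roles"]["root"]
    data = canonical(envelope["signed"])
    seen = set()
    for s in envelope["signatures"]:
        kid = s["keyid"]
        if kid in role["keyids"] and kid not in seen \
                and verify(trusted_root["keys"][kid], s["sig"], data):
            seen.add(kid)
    return len(seen)


def verify_root_chain(bootstrap: dict, cached_chain: list) -> dict:
    """Start from the bootstrap root shipped with the client and accept each
    cached root only if it is version N+1, signed by a threshold of root N's
    keys and by a threshold of its own keys. Returns the last trusted root."""
    trusted = bootstrap
    for env in cached_chain:
        new = env["signed"]
        if new["version"] != trusted["version"] + 1:
            raise ValueError(f"version gap: trusted {trusted['version']}, cached {new['version']}")
        if count_valid(env, trusted) < trusted["roles"]["root"]["threshold"]:
            raise ValueError(f"root v{new['version']} not signed by previous root keys")
        if count_valid(env, new) < new["roles"]["root"]["threshold"]:
            raise ValueError(f"root v{new['version']} not signed by its own keys")
        trusted = new
    return trusted


def demo() -> dict:
    """Constructed scenario: a legitimate rotation from key A to key B, and a
    cache whose root.json was replaced by one signed only with an untrusted key X."""
    a_id, a_pub, a_d = _toy_key(31, 61)
    b_id, b_pub, b_d = _toy_key(89, 107)
    x_id, x_pub, x_d = _toy_key(127, 521)   # never present in any trusted root

    boot = root_metadata(1, {a_id: a_pub}, 1)            # bundled with the client
    v2 = root_metadata(2, {b_id: b_pub}, 1)              # rotates root role A -> B
    v2_env = {"signed": v2, "signatures": [sign(v2, a_id, a_pub, a_d),
                                           sign(v2, b_id, b_pub, b_d)]}
    bad = root_metadata(2, {x_id: x_pub}, 1)             # tampered cache contents
    bad_env = {"signed": bad, "signatures": [sign(bad, x_id, x_pub, x_d)]}

    results = {"legit": verify_root_chain(boot, [v2_env])["version"]}
    try:
        verify_root_chain(boot, [bad_env])
        results["tampered"] = "accepted"
    except ValueError as exc:
        results["tampered"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

With this in place a cache an attacker rewrote is rejected rather than silently used, because nothing in it chains back to the root the client itself shipped; a stale but untampered cache still verifies, and the client would then refresh it as usual.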
Currently metadata goes into ~/.local/share/pip/tuf
-- review if there can be negative side-effects from using multiple pip installs (in virtualenvs etc)