'pip install allmydata-tahoe' now works

Brian Warner warner at lothar.com
Mon Jun 30 18:21:27 UTC 2014


On 6/30/14 8:07 AM, Leif Ryge wrote:

> If I am mistaken (and I hope I am!) someone should close 
> https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2055 ("Building
> tahoe safely is non-trivial").

You are probably correct. Recent versions of "pip" will verify TLS
certificates, but your reliance set still includes the CA roots, the
site administrators of pypi, and the admins of the sites that the pypi
download links point to.

"Peep" (https://github.com/erikrose/peep) is a pip
alternative/enhancement which you configure with a list of tarball
hashes (the "requirements.txt" file contains both hashes and
pkgname+version lines). The goal is to not install anything that isn't
on that list. I haven't entirely figured it out (I'm not sure it
completely prevents unlisted sub-sub-dependencies from getting
installed), but it's quite promising.

It reduces the reliance set down to the contents of the top-level
package that you're installing (e.g. the author of requirements.txt,
plus anyone involved in your acquisition of that codebase), and
generally assumes that they (or other people installing from the same
hashes) have done some amount of review. At the very least, you'll be
installing the same thing as everyone else, so there's some sense of
"safety in numbers".

cheers,
 -Brian
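Added example, not code from the mail or from peep or pip: a minimal hash-pinned install check in the spirit of what Brian describes. It assumes pip's later `--hash=sha256:<hex>` requirements syntax (peep's own comment format differs), and the tarball bytes and the version "0.0.0" are constructed placeholders.

```python
import hashlib
import re
from typing import Dict, Set

# One pinned requirement per logical line; a trailing "\" joins continuation lines.
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_requirements(text: str) -> Dict[str, Set[str]]:
    """Map 'name==version' to the sha256 digests allowed for that release."""
    pins: Dict[str, Set[str]] = {}
    logical = text.replace("\\\n", " ")  # fold backslash continuations
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = REQ_LINE.match(line)
        if m is None:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        hashes = set(HASH_OPT.findall(m["rest"]))
        if not hashes:
            raise ValueError(f"no sha256 pin for {m['name']}=={m['version']}")
        pins[f"{m['name'].lower()}=={m['version']}"] = hashes
    return pins

def artifact_allowed(pins: Dict[str, Set[str]], name: str, version: str, data: bytes) -> bool:
    """True only if this exact release is listed and the bytes match a listed digest.
    An unlisted name (e.g. a sub-dependency a resolver wants to pull in) is
    rejected outright, which is the "nothing not on the list" property."""
    allowed = pins.get(f"{name.lower()}=={version}")
    if allowed is None:
        return False
    return hashlib.sha256(data).hexdigest() in allowed

# Constructed sample: a stand-in for a downloaded tarball and a requirements
# file that pins it. "0.0.0" is a placeholder version, not a real release.
GOOD_TARBALL = b"constructed tarball contents for the example"
GOOD_DIGEST = hashlib.sha256(GOOD_TARBALL).hexdigest()
REQUIREMENTS = (
    "# pinned by hash; anything not listed here must not be installed\n"
    f"allmydata-tahoe==0.0.0 \\\n    --hash=sha256:{GOOD_DIGEST}\n"
)
PINS = parse_requirements(REQUIREMENTS)

if __name__ == "__main__":
    print(artifact_allowed(PINS, "allmydata-tahoe", "0.0.0", GOOD_TARBALL))         # True
    print(artifact_allowed(PINS, "allmydata-tahoe", "0.0.0", GOOD_TARBALL + b"x"))  # False
    print(artifact_allowed(PINS, "some-subdep", "1.0", b"unlisted package"))       # False
```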