hey folks, would any of you be kind enough to write a paragraph or two on how/why

pants

downloads a package from pypi and then uses a binary from github/releases? I’m having a lot of push back from my company’s security team and I’m submitting an approval request to waive

pex

as something that’s not evil 👿 They literally told me to get something from “the developer or app owner”

We release Pex through two different mechanisms for more flexibility for users to get set up with the tool. The GitHub releases file is a PEX file built by PEX. It allows distributing Pants through a single binary, which can be useful for users who are not able to download from an artifactory/“cheeseshop” like PyPI. The wheel release allows for installing PEX through tools like

pip

and

pipx

. It also allows for using PEX as a library, rather than as an executable.

so is it possible for me to use

pex

without having it download the pex binary?

Yes, when you run

pipx install pex

, then

pex req1 req2 -m entry_point --output-file result.pex

, you are never using the

pex

binary from GitHub releases However, Pants will always run Pants by downloading the Pex binary from GitHub releases, as Pants cannot/should not do something like

pip install pex

. This is where your solution to host your own Pex binary is relevant

oh ok so I should also include that, bc the whole issue started with the fact that when I bootstrap

pants

it install

pex

with other libraries but when I run

pants

it’ll also download the pex binary. That’s somewhat confusing to them bc they don’t have much context on

pants

nor any python development.

that when I bootstrap pants it install pex with other libraries

Yeah, this is because Pants uses Pex as a library in its own code at pantsbuild/pants. When you run

./pants

the first time, the script literally runs

pip install pantsbuild.pants

, so it installs all transitive deps of Pants. Pants also runs Pex through subprocesses if you are using Pants for Python code. You download this binary, rather than cheating and using the wheel installed in order to run Pants. By not cheating, users are able to a) change the version of Pex used, and b) host their own Pex binary

That’s great info! Thanks @hundreds-father-404 I’m adding all that to my case, hopefully they’ll at least try to understand.

I think the main insight is that

pip

has the same vulnerabilities as Pex, afaict. For example, that --extra-index vulnerability is the exact same as pip. All Pex does is vendor pip and pass the flag through to pip

So instead of approving

pants

they'll also ban

pip

?!? 🔓 😆