wooden-thailand-8386 (11/24/2020, 7:35 PM):
pants downloads a package from pypi and then uses a binary from github/releases? I’m having a lot of push back from my company’s security team and I’m submitting an approval request to waive pex as something that’s not evil 👿
They literally told me to get something from “the developer or app owner”

hundreds-father-404 (11/24/2020, 7:52 PM):
`pip` and `pipx`. It also allows for using PEX as a library, rather than as an executable.

wooden-thailand-8386 (11/24/2020, 8:00 PM):
`pex` without having it download the pex binary?

hundreds-father-404 (11/24/2020, 8:02 PM):
`pipx install pex`, then `pex req1 req2 -m entry_point --output-file result.pex`, you are never using the `pex` binary from GitHub releases
However, Pants will always run Pants by downloading the Pex binary from GitHub releases, as Pants cannot/should not do something like `pip install pex`. This is where your solution to host your own Pex binary is relevant

wooden-thailand-8386 (11/24/2020, 8:05 PM):
`pants` it install `pex` with other libraries but when I run `pants` it’ll also download the pex binary. That’s somewhat confusing to them bc they don’t have much context on pants nor any python development.

hundreds-father-404 (11/24/2020, 8:08 PM):
> that when I bootstrap pants it install pex with other libraries
Yeah, this is because Pants uses Pex as a library in its own code at pantsbuild/pants. When you run `./pants` the first time, the script literally runs `pip install pantsbuild.pants`, so it installs all transitive deps of Pants.
Pants also runs Pex through subprocesses if you are using Pants for Python code. You download this binary, rather than cheating and using the wheel installed in order to run Pants. By not cheating, users are able to a) change the version of Pex used, and b) host their own Pex binary

hundreds-father-404 (11/24/2020, 8:13 PM):
`pip` has the same vulnerabilities as Pex, afaict. For example, that `--extra-index` vulnerability is the exact same as pip. All Pex does is vendor pip and pass the flag through to pip

jolly-midnight-72759 (11/30/2020, 8:14 PM):
`pants` they'll also ban `pip`?!? 🔓 😆