https://pantsbuild.org/ logo
#pex
Title
# pex
w

wooden-thailand-8386

11/24/2020, 7:35 PM
hey folks, would any of you be kind enough to write a paragraph or two on how/why
pants
downloads a package from pypi and then uses a binary from github/releases? I’m having a lot of push back from my company’s security team and I’m submitting an approval request to waive
pex
as something that’s not evil 👿 They literally told me to get something from “the developer or app owner”
h

hundreds-father-404

11/24/2020, 7:52 PM
We release Pex through two different mechanisms for more flexibility for users to get set up with the tool. The GitHub releases file is a PEX file built by PEX. It allows distributing Pants through a single binary, which can be useful for users who are not able to download from an artifactory/“cheeseshop” like PyPI. The wheel release allows for installing PEX through tools like
pip
and
pipx
. It also allows for using PEX as a library, rather than as an executable.
w

wooden-thailand-8386

11/24/2020, 8:00 PM
so is it possible for me to use
pex
without having it download the pex binary?
h

hundreds-father-404

11/24/2020, 8:02 PM
Yes, when you run
pipx install pex
, then
pex req1 req2 -m entry_point --output-file result.pex
, you are never using the
pex
binary from GitHub releases However, Pants will always run Pants by downloading the Pex binary from GitHub releases, as Pants cannot/should not do something like
pip install pex
. This is where your solution to host your own Pex binary is relevant
w

wooden-thailand-8386

11/24/2020, 8:05 PM
oh ok so I should also include that, bc the whole issue started with the fact that when I bootstrap
pants
it install
pex
with other libraries but when I run
pants
it’ll also download the pex binary. That’s somewhat confusing to them bc they don’t have much context on
pants
nor any python development.
h

hundreds-father-404

11/24/2020, 8:08 PM
that when I bootstrap pants it install pex with other libraries
Yeah, this is because Pants uses Pex as a library in its own code at pantsbuild/pants. When you run
./pants
the first time, the script literally runs
pip install pantsbuild.pants
, so it installs all transitive deps of Pants. Pants also runs Pex through subprocesses if you are using Pants for Python code. You download this binary, rather than cheating and using the wheel installed in order to run Pants. By not cheating, users are able to a) change the version of Pex used, and b) host their own Pex binary
w

wooden-thailand-8386

11/24/2020, 8:12 PM
That’s great info! Thanks @hundreds-father-404 I’m adding all that to my case, hopefully they’ll at least try to understand.
❤️ 2
🤞 2
👖 1
h

hundreds-father-404

11/24/2020, 8:13 PM
I think the main insight is that
pip
has the same vulnerabilities as Pex, afaict. For example, that --extra-index vulnerability is the exact same as pip. All Pex does is vendor pip and pass the flag through to pip
👍 1
j

jolly-midnight-72759

11/30/2020, 8:14 PM
So instead of approving
pants
they'll also ban
pip
?!? 🔓 😆
💯 1
😂 1
We solve this by not using pypi and mirroring it locally. This way we are pulling from a repository we control. The way packages get to the repository is fairly straight forward, but can be adjust to have as many boarder agents stamp each package's passport as your company wants.
👍 1