[Catalog-sig] FYI: Debian build recommendations to prevent downloading from PyPI

Barry Warsaw barry at python.org
Tue Feb 5 17:52:17 CET 2013


I suppose semi-related to the current PyPI discussion is something that we
discovered a while ago related to Debian package builds.

Typically, a Debian build rule will invoke `python setup.py build` at some
point.  Under some local build regimes (i.e. on my machine while testing a
package build using sbuild), I can be fooled into thinking the build succeeds
with only explicit dependencies, not specified in the setup.py, but in the
debian/control file.

In reality though, if a Debian dependency is missing, the local build will go
out to PyPI and download the setup.py dependency.  Because the output for this
step can be buried in the hundreds of lines of package build output, I might
not see that this happened.

Ultimately, the package build will fail on the official Ubuntu build machines,
because they do not have access to the internet.  That's the good news.  The
bad news is that I won't see this until I upload the package and I get the
failure notice.

What we've been recommending for a while now is to add the following line to
your debian/rules file:

-----snip snip-----
# Prevent setuptools/distribute from accessing the internet.
export http_proxy = http://127.0.9.1:9
-----snip snip-----

(Port 9 is the `discard` service, but the IP is historical.)

This prevents local builds from accessing PyPI under the radar and will allow
your local builds to fail in a similar way to the build daemons, so that you
can fix your dependencies before you upload them.

(The line can cause some unwanted side-effects if you have a get-orig-source
rule, but you can just unset http_proxy temporarily in that target's relevant
shell command.)

(*Not* having the proxy line probably opens you up to local security issues
such as being discussed in these threads.  With sbuild, the local builds
always happen in a chroot with an overlay file system, but I wouldn't claim
that those local build environments are bulletproof.  Other people use `sudo
pbuilder` locally, and that *would* be vulnerable to all the security issues
being discussed here.)

Cheers,
-Barry
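The post relies on setuptools honouring the `http_proxy` environment variable and then failing loudly when the proxy is unreachable. The following is an added example, not Barry's code and not part of any Debian tooling: it builds the same kind of "dead proxy" environment and probes whether a fetch from inside it can still reach the network, which is the check you want to run before trusting a local build. The proxy address `http://127.0.9.1:9` is the one from the post; the `https_proxy` and `no_proxy` entries, the probe URL `https://pypi.org/simple/`, and all function names are this example's own assumptions.

```python
"""Seal a local build off from PyPI with a dead proxy, then verify the seal.

Added example; mirrors the debian/rules trick from the post rather than
reproducing any real build tool's code.
"""
import os
import urllib.error
import urllib.request
from contextlib import contextmanager

# From the post: port 9 is the `discard` service, nothing listens on it, so
# every connection routed through this "proxy" is refused at once.
DEAD_PROXY = "http://127.0.9.1:9"


def sealed_env(proxy=DEAD_PROXY):
    """Environment overrides that route every HTTP(S) fetch into a dead proxy.

    The post exports only http_proxy.  PyPI is served over HTTPS, so this
    example (an assumption beyond the post) also sets https_proxy, and it
    clears no_proxy so that no host is exempted from the block.
    """
    return {
        "http_proxy": proxy, "HTTP_PROXY": proxy,
        "https_proxy": proxy, "HTTPS_PROXY": proxy,
        "no_proxy": "", "NO_PROXY": "",
    }


@contextmanager
def environment(overrides):
    """Apply overrides to os.environ for the block, restoring them afterwards."""
    saved = {key: os.environ.get(key) for key in overrides}
    os.environ.update(overrides)
    try:
        yield
    finally:
        for key, old in saved.items():
            if old is None:
                os.environ.pop(key, None)
            else:
                os.environ[key] = old


def fetch_is_blocked(url, env, timeout=3.0):
    """Return True if fetching url under env never reaches a server.

    urllib picks its proxy up from the environment exactly as setuptools and
    pip do, so this exercises the same path a build would take.
    """
    with environment(env):
        try:
            with urllib.request.urlopen(url, timeout=timeout):
                return False          # a real response came back: not sealed
        except urllib.error.HTTPError:
            return False              # an HTTP error still means we got through
        except OSError:
            # URLError, ConnectionRefusedError and socket timeouts are all
            # OSError subclasses: nothing answered, the seal holds.
            return True


def reachable_under(urls, env):
    """List the probe URLs that can still be fetched under env (ideally none)."""
    return [url for url in urls if not fetch_is_blocked(url, env)]


if __name__ == "__main__":
    # Constructed probe list; a real preflight would use the index your
    # setup.py dependencies would be fetched from.
    probes = ["https://pypi.org/simple/", "http://pypi.org/simple/"]
    leaks = reachable_under(probes, sealed_env())
    print("sealed" if not leaks else f"LEAK: {leaks}")
```

In a `debian/rules` file the equivalent is one more line next to the existing one, `export https_proxy = http://127.0.9.1:9`, since a Makefile export is what puts the variable into the environment of `python setup.py build`. Run the probe from inside the same chroot or pbuilder session that performs the build; a check run on the host says nothing about what the build environment can reach.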