'pip install allmydata-tahoe' now works

Leif Ryge leif at synthesize.us
Mon Jun 30 15:07:21 UTC 2014


Unfortunately (unless I'm missing something; I haven't investigated fully) the
statement "'pip install allmydata-tahoe' now works" is rather dangerously
misleading as it implies that that is a safe command to run on an
internet-connected computer.

Recent versions of pip verify SSL certificates and won't download over
unencrypted HTTP unless you specifically tell it to. But, unless I'm mistaken,
"pip install allmydata-tahoe" will still run tahoe's "setup.py build" which
will brazenly download and execute unverified code.

If I am mistaken (and I hope I am!) someone should close
https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2055 ("Building tahoe safely is
non-trivial").

~leif

On Mon, Jun 30, 2014 at 06:58:30AM -0700, Callme Whatiwant wrote:
> Huzzah!
> 
> On Mon, Jun 23, 2014 at 12:47 PM, Brian Warner <warner at lothar.com> wrote:
> > Just a heads up, the new Nevow-0.11.1 release a few days ago fixed
> > tahoe's #2032, which means that you should now be able to install tahoe
> > with just:
> >
> >  pip install allmydata-tahoe
> >
> > That should grab all the necessary dependencies for you, including Twisted.
> >
> > Hooray for easier installations!
> >
> > cheers,
> >  -Brian
> >
> > #2032: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2032
> > _______________________________________________
> > tahoe-dev mailing list
> > tahoe-dev at tahoe-lafs.org
> > https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
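One way to see what a source distribution's setup.py asks for at build time without running it, as an added example that is not part of the original message or of Tahoe-LAFS's code. It flags `setup_requires` (which setuptools of that era fetched with its own easy_install machinery rather than through pip), `dependency_links`, and imports of network or bootstrap modules; the function name `audit_setup_py` and the sample setup.py are constructed for illustration.

```python
import ast

# setup() keywords that make setuptools fetch or locate extra code itself.
RISKY_KEYWORDS = {"setup_requires", "dependency_links"}
# Imports suggesting setup.py talks to the network or bootstraps setuptools.
NETWORK_MODULES = {"urllib", "urllib2", "urllib.request", "httplib",
                   "http.client", "ftplib", "socket", "ez_setup",
                   "distribute_setup"}

def audit_setup_py(source):
    """Return sorted (line, kind, detail) findings; never executes the script."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Typically a Python 2-only setup.py: report it rather than guess.
        return [(exc.lineno or 0, "unparseable", "SyntaxError")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in NETWORK_MODULES:
                    findings.append((node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            if node.module in NETWORK_MODULES:
                findings.append((node.lineno, "import", node.module))
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name != "setup":
                continue
            for kw in node.keywords:
                if kw.arg is None:  # setup(**kwargs): contents unknown statically
                    findings.append((kw.value.lineno, "setup-keyword", "**dynamic"))
                elif kw.arg in RISKY_KEYWORDS:
                    findings.append((kw.value.lineno, "setup-keyword", kw.arg))
    return sorted(findings)

# Constructed sample input, not taken from any real package.
SAMPLE = '''\
import os
from ez_setup import use_setuptools
use_setuptools()
from setuptools import setup

setup(
    name="example-package",
    version="0.0.1",
    setup_requires=["example-build-helper >= 1.0"],
    install_requires=["example-runtime-dep"],
    dependency_links=["http://example.invalid/eggs/"],
)
'''

if __name__ == "__main__":
    for finding in audit_setup_py(SAMPLE):
        print(finding)
```

An empty result only means nothing was found statically; a setup.py can still build its arguments or fetch code in ways this check does not see.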