Opened 4 months ago

Closed 4 months ago

Last modified 3 months ago

#28682 closed defect (fixed)

Carml lacks PGP signatures and instructions for secure installation

Reported by: wagon
Owned by: meejah
Priority: Medium
Milestone:
Component: - Select a component
Version:
Severity: Normal
Keywords: carml
Cc: meejah
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Meejah's carml isn't listed as officially supported by Tor Project, but meejah is somehow listed among Tor people and carml itself is officially advertised in Tor blog. So, I suppose this ticket can be accepted here.

Problem 1: no signatures

Correct me if I'm wrong. There are no PGP signatures of carml releases anywhere at project pages (however, txtorcon library is signed).

Problem 2: no python3 docs

Documentation on installation is written for python2 instead of python3, although python3 support is claimed. In particular, there is no virtualenv command for python3, as pyvenv is used instead.

Problem 3: no secure installation of carml dependencies

pip install <projectname> with automatic download of all dependencies from the repository, as recommended in the documentation, should never be used in secure environments, because packages in this repository are not signed (and even if they are signed, their signatures are not checked by default). Actually, some dependencies (probably old versions) can be installed as standard Debian packages, but pip will not be able to see them by default (especially in a pyvenv environment). There is only one way to install it securely:

  1. Download the carml bundle and its signature.
  2. Download bundles for all carml dependencies and their signatures.
  3. Verify the signatures of all downloaded bundles manually (don't ask me what to do if somebody releases their code without signatures).
  4. Disconnect from network.
  5. Install carml and its dependencies as pip install /path/to/local-bundle
  6. Create some symlinks, so carml can find all dependencies it needs.

This is what I expect to see in the documentation. For instance, for Nyx it was done exactly so (but it has only one dependency, Stem):

  1. Download Nyx, its signature, and verify it.
  2. Download Stem, its signature, and verify it.
  3. Install Stem, install Nyx, create necessary symlink.

As a workaround I'd suggest putting all necessary dependencies in a signed carml bundle, so users will not suffer while assembling this construction kit.

Child Tickets

Change History (10)

comment:1 Changed 4 months ago by nickm

Cc: meejah added
Component: Core Tor → - Select a component

Is there a better place for this, meejah?

comment:2 Changed 4 months ago by meejah

Yes, please file tickets on github: https://github.com/meejah/carml/issues

And yes, all the above points are valid and true; as carml started as a bunch of random utilities I valued "release easily and quickly" over "securely". However, that should be corrected.

Can you please file this as 3 separate tickets? thanks.

comment:3 Changed 4 months ago by meejah

Note that I do sign the tags (but they don't include locked/hashed dependencies).

comment:5 Changed 4 months ago by wagon

Thank you! I'm sorry, I wasn't registered at GitHub. As for the commit: if only python3 is installed, current Debian uses the pip3 command instead of pip.

Last edited 4 months ago by wagon

comment:6 Changed 3 months ago by meejah

Inside a virtualenv, pip should (and in fact, does) work fine. Arguably though it might be better to use python3 -m pip, which is, I believe, the recommended way these days?

Last edited 3 months ago by meejah

comment:7 Changed 3 months ago by wagon

Maybe. I'm not familiar with python, but, if I recall it correctly, in Debian:

  1. If only python3-pip is installed (python2 is not installed), there are no such commands as virtualenv or pip. The commands pyvenv and pip3 are used as replacements.
  2. If both python2 and python3 are installed, probably python can figure out which version to use, so maybe it uses python3 tools even though python2 commands are called. I don't know. As a python programmer you should know it better than me.

comment:8 Changed 3 months ago by wagon

About new installation:

Since Jessie doesn't have python3-humanize and python3-click yet, I tried manual installation which fails at this stage:

python3 -m pip install --require-hashes --no-deps --requirements requirements.txt

Usage:   
  /usr/bin/python3 -m pip install [options] <requirement specifier> ...
  /usr/bin/python3 -m pip install [options] -r <requirements file> ...
  /usr/bin/python3 -m pip install [options] [-e] <vcs project url> ...
  /usr/bin/python3 -m pip install [options] [-e] <local project path> ...
  /usr/bin/python3 -m pip install [options] <archive url/path> ...

no such option: --require-hashes

Is it because my python3 is too old?

$ python3 --version
Python 3.4.2
$ pip3 --version  
pip 1.5.6 from /usr/lib/python3/dist-packages (python 3.4)

In the pip changelog the first mention of this option is for 8.1.0, released on 2016-03-05, while 1.5.6 was released on 2014-05-16. But the changelog doesn't list added options in detail, so I'm not sure that 8.1.0 is the first version that supports it. If --require-hashes is removed, it complains about another option:

no such option: --requirements

Changing --requirements to -r leads to a python crash.

To avoid all these troubles it would be good to have Tor-related software in the Tor Debian repository. Now it only ships the latest version of Tor itself, while it could also ship Stem, Nyx, Carml, Onionshare and similar tools.

Last edited 3 months ago by wagon
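The offline procedure in the description (download bundles, verify them, disconnect, install from local paths) and the failed --require-hashes attempt in comment 8 are two halves of the same mechanism: pip's hash-checking mode (added in pip 8.0) refuses to install any archive whose sha256 is not pinned in the requirements file, and --no-index --find-links DIR makes it look only at a local directory. The example below is added here and is not code from the ticket, from carml or from pip; it reimplements that check in plain Python so the logic can be seen and run on an old-pip machine: parse a hash-pinned requirements file, gate on the pip version (jessie's 1.5.6 predates the option), verify local archives against the pinned digests, and build the modern command line. Note that pip's long option is --requirement (singular, alias -r); --requirements does not exist. The package names carml and txtorcon are from this page; the version 0.0.0, the archive contents and the temporary directory are constructed for the demo and are not real releases.

```python
"""Offline, hash-pinned verification of locally downloaded Python archives,
mirroring the check that `pip install --no-index --require-hashes` performs.
Added example for this ticket; not carml's or pip's own code."""
import hashlib
import os
import re
import tempfile

# pip gained hash-checking mode (--require-hashes) in 8.0; jessie's 1.5.6 lacks it.
MIN_PIP_FOR_HASHES = (8, 0)
_PIP_VERSION_RE = re.compile(r"^pip (\d+)\.(\d+)(?:\.(\d+))?")


def parse_pip_version(version_output):
    """Turn the first line of `pip --version` into a tuple of ints."""
    m = _PIP_VERSION_RE.match(version_output.strip())
    if not m:
        raise ValueError("unrecognised pip --version output: %r" % version_output)
    return tuple(int(x) if x else 0 for x in m.groups())


def supports_require_hashes(version_output):
    return parse_pip_version(version_output) >= MIN_PIP_FOR_HASHES


def _norm(s):
    """PEP 503-style name normalisation: lowercase, runs of -_. become one '-'."""
    return re.sub(r"[-_.]+", "-", s).lower()


def parse_hashed_requirements(text):
    """Parse 'name==version --hash=sha256:HEX [...]' lines (backslash continuations
    allowed) into {name: (version, {hex, ...})}. Unpinned or unhashed entries are
    rejected, exactly as --require-hashes would reject them."""
    reqs = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        spec, opts = line.split()[0], line.split()[1:]
        m = re.match(r"^([A-Za-z0-9_.-]+)==(\S+)$", spec)
        if not m:
            raise ValueError("requirement must be pinned with ==: %r" % spec)
        hashes = set()
        for opt in opts:
            if not opt.startswith("--hash=sha256:"):
                raise ValueError("unsupported option or algorithm: %r" % opt)
            hashes.add(opt[len("--hash=sha256:"):].lower())
        if not hashes:
            raise ValueError("no --hash given for %s" % m.group(1))
        reqs[_norm(m.group(1))] = (m.group(2), hashes)
    return reqs


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_archives(find_links_dir, reqs):
    """For each pinned requirement, look for archives named <name>-<version>...
    in find_links_dir and require at least one whose sha256 is pinned.
    Returns (names_ok, problems)."""
    ok, problems = [], []
    files = os.listdir(find_links_dir)
    for name, (version, hashes) in reqs.items():
        prefix = _norm(name + "-" + version) + "-"
        candidates = [f for f in files if _norm(f).startswith(prefix)]
        if not candidates:
            problems.append("%s==%s: no archive in %s" % (name, version, find_links_dir))
            continue
        digests = {f: sha256_file(os.path.join(find_links_dir, f)) for f in candidates}
        if any(d in hashes for d in digests.values()):
            ok.append(name)
        else:
            problems.append("%s==%s: sha256 mismatch for %s" % (name, version, sorted(digests)))
    return ok, problems


def pip_install_command(find_links_dir, requirements_path):
    """The pip >= 8 offline install the ticket asks for. The option is
    --requirement / -r, not --requirements."""
    return ["python3", "-m", "pip", "install", "--no-index", "--no-deps",
            "--require-hashes", "--find-links", find_links_dir,
            "--requirement", requirements_path]


def demo():
    """Constructed sample: two fake sdists (not real carml/txtorcon releases),
    a hash-pinned requirements file, then one archive tampered with."""
    d = tempfile.mkdtemp()
    archives = {"carml-0.0.0.tar.gz": b"constructed carml sdist\n",
                "txtorcon-0.0.0.tar.gz": b"constructed txtorcon sdist\n"}
    req_lines = []
    for fname, data in archives.items():
        with open(os.path.join(d, fname), "wb") as f:
            f.write(data)
        req_lines.append("%s==0.0.0 \\\n    --hash=sha256:%s\n"
                         % (fname.split("-")[0], hashlib.sha256(data).hexdigest()))
    reqs = parse_hashed_requirements("".join(req_lines))
    clean_ok, clean_problems = verify_archives(d, reqs)
    with open(os.path.join(d, "txtorcon-0.0.0.tar.gz"), "ab") as f:
        f.write(b"injected\n")  # simulate a substituted archive
    bad_ok, bad_problems = verify_archives(d, reqs)
    return {"clean_ok": sorted(clean_ok), "clean_problems": clean_problems,
            "tampered_ok": sorted(bad_ok), "tampered_problems": bad_problems}


if __name__ == "__main__":
    print(demo())
    print(" ".join(pip_install_command("./vendor", "requirements.txt")))
```

The hashes are only as trustworthy as the channel that delivered the requirements file, so on a machine with pip >= 8 the real workflow is: verify the PGP signature of the release archive (and ideally of the requirements file itself) with gpg --verify first, then run the command pip_install_command() builds with the network disconnected; pinning hashes does not replace the signature check, it only guarantees that what gets installed is byte-for-byte what was verified.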

comment:9 Changed 3 months ago by meejah

yes, it would be great to have carml packaged by a Debian volunteer. txtorcon is already packaged for Debian. I am not a Debian developer however.

...and in the above, it appears your version of pip is really old. I'm not sure how to fix that on Debian jessie (without e.g. pip install --upgrade pip which will download from PyPI).

comment:10 in reply to:  9 Changed 3 months ago by wagon

Replying to meejah:

I am not a Debian developer however.

You could release a signed deb package which can be installed manually with dpkg -i. However, it will still require the proper dependencies to already be installed in the system. If the versions of these dependencies (from the Debian repositories) don't match your needs, it is a problem. Maybe it can be done with duplication, i.e. by packaging everything Carml depends on into the deb package. Then it can be installed somewhere in /opt. This is how some heavy applications (also non-free ones) are usually installed.
