Reputation: 279
What's going on with Go applications on PyPI?
Rather by accident I found myself in a situation in a previous role where the previous admin apparently installed "Python bindings" of InfluxDB and Docker-Compose and magically both applications where available on the systems while I was sure that they where written in Go.
I had a few issues with that:
- It's incomprehensible what happens here, there should be some go binary belonging to the application but I can't find it by name, I doubt that docker-compose and influxdb have been rewritten in Python just to have one more option available while at least docker-compose static binaries are available on Github for direct download. It doesn't make a lot of sense to me.
- Undermining security guidelines set by the organization and best practices for systems administration.
- Dependency Confusion
Links to the packages on PyPI:
I haven't looked into Python wheels and packaging before beyond Debian packaging, I just got curious again the get to the bottom of this strange usage pattern.
Docker-Compose refers to https://github.com/docker/compose a project consisting of 95.5% Go code according to GitHub, which isn't really helpful since the source package and wheel package on PyPI look completely different and at first sight I'm overwhelmed by the amount of Python files. InfluxDB seems to be a better example but I would really appreciate help from a Python developer or package maintainer explaining to me what happening there. Thanks.
Edit 2022-09-10:
From the show notes of Security Now 887: https://www.grc.com/sn/sn-887-notes.pdf
a researcher at Checkmarx noted in a technical report they published last week that “A worrying feature in pip/PyPI allows code to automatically run when developers are merely downloading a package.” He added that the feature is alarming because “a great deal of the malicious packages we are finding in the wild use this feature of code execution upon installation to achieve higher infection rates.”
With my preexisting misconception about some PyPI packages like docker-compose, that sounded alarming to me.
The following article mentions that compiled libraries from C, Rust, Go and others can be bundled in packages, but no applications "hidden" as artifacts, which I assumed. https://realpython.com/python-wheels/
Upvotes: 0
Views: 104
Answers (0)
Related Questions
- How do I install python3 in docker with golang as my base image?
- Install golang external packages in docker container
- Docker for golang application
- Dockerfile for golang and python
- Build Docker with Go app: cannot find package
- Go applications fails and exits when running using docker-compose, but works fine with docker run command
- Python: Question about packaging applications docker vs pyinstaller
- How correctly set up third-party libraries of golang application with the help of docker compose?
- Unable to build golang app in docker
- building go package using docker