Rather by accident I found myself in a situation in a previous role where the previous admin apparently installed "Python bindings" of InfluxDB and Docker-Compose and magically both applications were available on the systems while I was sure that they were written in Go.

I had a few issues with that:

  • It's incomprehensible what happens here, there should be some Go binary belonging to the application but I can't find it by name, I doubt that docker-compose and influxdb have been rewritten in Python just to have one more option available while at least docker-compose static binaries are available on GitHub for direct download. It doesn't make a lot of sense to me.
  • Undermining security guidelines set by the organization and best practices for systems administration.
  • Dependency Confusion

Links to the packages on PyPI:

I haven't looked into Python wheels and packaging before beyond Debian packaging, I just got curious again to get to the bottom of this strange usage pattern.

Docker-Compose refers to https://github.com/docker/compose a project consisting of 95.5% Go code according to GitHub, which isn't really helpful since the source package and wheel package on PyPI look completely different and at first sight I'm overwhelmed by the amount of Python files. InfluxDB seems to be a better example but I would really appreciate help from a Python developer or package maintainer explaining to me what is happening there. Thanks.


Edit 2022-09-10:

  • From the show notes of Security Now 887: https://www.grc.com/sn/sn-887-notes.pdf

    a researcher at Checkmarx noted in a technical report they published last week that “A worrying feature in pip/PyPI allows code to automatically run when developers are merely downloading a package.” He added that the feature is alarming because “a great deal of the malicious packages we are finding in the wild use this feature of code execution upon installation to achieve higher infection rates.”

    With my preexisting misconception about some PyPI packages like docker-compose, that sounded alarming to me.

  • The following article mentions that compiled libraries from C, Rust, Go and others can be bundled in packages, but no applications "hidden" as artifacts, which I assumed. https://realpython.com/python-wheels/
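
An added check, not code from the question or from the docker-compose or InfluxDB projects: given a downloaded wheel or sdist (constructed in memory here, not real packages), it reports whether the wheel declares itself pure-Python in its `WHEEL` metadata, which entries carry an ELF/PE/Mach-O header, which land under `.data/scripts/` (pip installs those into the environment's bin/, which is one way a non-Python binary can arrive via pip), and whether an sdist ships a top-level `setup.py` that pip executes at build time. Package name `pkg` and file names are made up.

```python
import io
import tarfile
import zipfile

BINARY_MAGICS = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf")  # ELF, PE, Mach-O

def inspect_wheel(wheel_bytes: bytes) -> dict:
    """What a wheel (a zip) puts on disk: its Root-Is-Purelib claim, entries with an
    executable header, and .data/scripts/ entries, which pip copies into bin/."""
    report = {"purelib": None, "native": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".dist-info/WHEEL"):
                for line in zf.read(name).decode().splitlines():
                    if line.startswith("Root-Is-Purelib:"):
                        report["purelib"] = line.split(":", 1)[1].strip().lower() == "true"
            if ".data/scripts/" in name:
                report["scripts"].append(name)
            if zf.open(info).read(4).startswith(BINARY_MAGICS):
                report["native"].append(name)
    return report

def sdist_runs_code_on_install(sdist_bytes: bytes) -> bool:
    """A top-level setup.py in an sdist is executed by pip at build time,
    before the user has imported or run anything from the package."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tf:
        return any(m.name.count("/") == 1 and m.name.endswith("/setup.py") for m in tf.getmembers())

def build_sample_wheel() -> bytes:
    """Constructed wheel: tagged pure-Python, yet ships an ELF file via .data/scripts/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg-1.0.dist-info/WHEEL", "Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n")
        zf.writestr("pkg-1.0.data/scripts/pkg-cli", b"\x7fELF" + b"\x00" * 60)
    return buf.getvalue()

def build_sample_sdist(with_setup_py: bool) -> bytes:
    """Constructed sdist (tar.gz) with or without a top-level setup.py."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        files = {"pkg-1.0/pyproject.toml": b"[build-system]\nrequires = ['setuptools']\n"}
        if with_setup_py:
            files["pkg-1.0/setup.py"] = b"import os  # would run during `pip install`\n"
        for path, data in files.items():
            ti = tarfile.TarInfo(path)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()
```

On a real download (`pip download --no-deps <name>`) the same functions can be pointed at the fetched `.whl` or `.tar.gz` bytes; a "pure" wheel with entries in `native` is exactly the case worth a closer look.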

mhall119
Benjamin

Comments:

  • Python code is in different branch(es): https://github.com/docker/compose/tree/master – phd Sep 10 '22 at 14:15
  • What is the actual question? It feels to me like this is out of scope for StackOverflow. – sinoroc Sep 10 '22 at 14:15
  • "[_Docker Compose V2 is a major version bump release of Docker Compose. It has been completely rewritten from scratch in Golang (V1 was in Python)_](https://github.com/docker/compose#about-update-and-backward-compatibility)", and yes the version on PyPI is a version `1.something`. -- For InfluxDB, this is just a Python client for the actual InfluxDB server, typically client and server do not have to be written in the same language, that is one of the points of the client-server architecture, there is a clear interface (communication protocol) that both client and servers need to adhere to. – sinoroc Sep 10 '22 at 14:32
  • @sinoroc Thanks for the heads up, I must have overlooked that and it makes sense that V2 of docker-compose is not on PyPI. – Benjamin Sep 10 '22 at 17:09
