Nuxeo Drive / NXDRIVE-1757

Set module hashes in requirements files

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.1.3
    • Fix Version/s: 4.2.0
    • Component/s: Packaging / Build, Security

      Description

      Improvement 1

      We currently list only the name of each module we need and its version.
      To prevent a tampered or substituted package from ending up in the binaries we distribute (and so shipping malware to users), we must also pin each package's hash.

      Typically:

      nuxeo==2.2.1
      

      becomes:

      nuxeo==2.2.1 --hash=sha256:411522057e02eaad32e9983becdaec5166351f744733ab939557f3b8d8d8965f
      

      Improvement 2

      We must expand the requirements files to list every transitive dependency (the modules our modules pull in) with its pinned version and hashes, so that no unchecked dependency can be compromised either.
      And we need to ensure pip installs only the modules we ask for: once a requirements file contains a --hash, pip switches to hash-checking mode (the same as passing --require-hashes) and refuses any requirement, direct or transitive, that is not pinned with == and hashed, so nothing unlisted can be pulled in.
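
      As an added worked example (this is not Nuxeo Drive's code), a small Python checker that enforces, before anything is downloaded, the rules pip's hash-checking mode applies at install time, and verifies a fetched artifact against the hashes pinned for it. The requirements text it parses is constructed here: the nuxeo==2.2.1 line uses the hash quoted above, the other three lines are deliberately broken to show what gets flagged (a version range, the double-colon hash typo, a pin with no hash), and every function name is this example's own.

```python
"""Check a pip requirements file for hash-checking mode and verify artifacts.

Hypothetical helper, not Nuxeo Drive code. Before anything is downloaded it
enforces what pip's --require-hashes mode enforces at install time:
  * every requirement is pinned with == to one version,
  * every requirement carries at least one well-formed --hash=sha256:<hex>,
  * no option lines (-r, -e, -f ...) or unpinned transitive deps slip in.
"""
import hashlib
import re
import shlex
from dataclasses import dataclass, field

# name==version, optional [extras]; no ranges, markers or URLs.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[^\]]*\])?==(?P<version>[A-Za-z0-9.+!*-]+)$"
)
# pip's syntax is a single colon: sha256:<64 lowercase hex>.
HASH_RE = re.compile(r"^sha256:(?P<hex>[0-9a-f]{64})$")

# Constructed sample (not a real Nuxeo Drive file): one correct line in the
# form the issue asks for, followed by three lines that must be rejected.
SAMPLE = """\
nuxeo==2.2.1 \\
    --hash=sha256:411522057e02eaad32e9983becdaec5166351f744733ab939557f3b8d8d8965f
requests>=2.0          # range, not a == pin
urllib3==1.25.3 --hash=sha256::deadbeef   # double colon, malformed hash
certifi==2019.6.16     # pinned but no hash
"""


@dataclass
class Requirement:
    name: str
    version: str
    hashes: set = field(default_factory=set)


def _logical_lines(text):
    """Join backslash continuations and drop comments, as pip's parser does."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf:
            yield buf
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text):
    """Return (requirements, problems); an empty problems list means pip
    --require-hashes would accept the file as far as its syntax goes."""
    reqs, problems, seen = [], [], set()
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        spec, opts = tokens[0], tokens[1:]
        if spec.startswith("-"):
            problems.append(f"{spec!r}: option lines cannot be hash-pinned")
            continue
        m = PIN_RE.match(spec)
        if not m:
            problems.append(f"{spec!r}: not pinned to one version with ==")
            continue
        # PEP 503 name normalisation so 'Nuxeo_Drive' and 'nuxeo-drive' collide.
        name = re.sub(r"[-_.]+", "-", m["name"]).lower()
        if name in seen:
            problems.append(f"{name}: listed more than once")
        seen.add(name)
        req = Requirement(name, m["version"])
        i = 0
        while i < len(opts):
            if opts[i].startswith("--hash="):
                value, i = opts[i][len("--hash="):], i + 1
            elif opts[i] == "--hash" and i + 1 < len(opts):
                value, i = opts[i + 1], i + 2
            else:
                problems.append(f"{name}: unexpected option {opts[i]!r}")
                i += 1
                continue
            hm = HASH_RE.match(value)
            if hm:
                req.hashes.add(hm["hex"])
            else:
                problems.append(f"{name}: malformed hash {value!r}, want sha256:<64 hex>")
        if not req.hashes:
            problems.append(f"{name}: no --hash, pip --require-hashes would refuse it")
        reqs.append(req)
    return reqs, problems


def is_hash_checkable(text) -> bool:
    return not parse_requirements(text)[1]


def sha256_hash(data: bytes) -> str:
    """Same format `pip hash <file>` prints, ready to paste after --hash=."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, req: Requirement) -> bool:
    """True iff a downloaded wheel/sdist matches one of the listed hashes;
    pip accepts any of them, so one line can cover several wheels."""
    return hashlib.sha256(data).hexdigest() in req.hashes


if __name__ == "__main__":
    found, errors = parse_requirements(SAMPLE)
    for r in found:
        print(f"{r.name}=={r.version}: {len(r.hashes)} hash(es)")
    for e in errors:
        print("PROBLEM:", e)
```

      Run it as a CI step against the real requirements files; the hash lines themselves are produced with `pip hash <downloaded file>` (or `pip download` followed by `pip hash`), and `pip install --require-hashes -r requirements.txt` is the matching install command. The checker only validates the file's shape; it cannot know whether a hash belongs to a trustworthy build, which is why the hashes should be generated once from artifacts you have inspected and then committed.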

    People

    • Votes: 0
    • Watchers: 2

    Time Tracking

    • Original Estimate: Not Specified
    • Remaining Estimate: 0m
    • Time Spent: 2h