tahoe-lafs/trac-2024-07-25
2
0
Issues 1.1k Wiki Activity

self-update command #2761

New issue
Open
opened 2016-03-30 19:06:43 +00:00 by warner · 3 comments
warner commented 2016-03-30 19:06:43 +00:00
Owner
Copy link

I had a wild idea this morning, related to #2055.

Start by using a hash-enabled requirements.txt file for the primary install: the install process would look like:

% wget https://tahoe-lafs.org/downloads/tahoe-lafs-requirements.txt
% virtualenv ~/.tahoe-venv
% ~/.tahoe-venv/bin/pip install --require-hashes -r tahoe-lafs-requirements.txt
% ~/.tahoe-venv/bin/tahoe --version

The first wget is TOFU (and depends upon TLS and the CAs), but after that you're installing exactly whatever the tahoe project said you should be installing.

Maybe we even encapsulate all that into an installer stub, like the "lightweight" installers that a lot of professional apps (Firefox, Dropbox, Chrome) are using. You download the (small) installer application in your browser, you run it, then that does the longer full download itself (with retries and hash-checking and localization and nicer error messages and install instructions).

(hm, maybe pipsi should acquire a --requirements= mode, that'd be even easier)

Now here's the wild part: if Tahoe knows that it's installed in a virtualenv, then it could run "pip" to upgrade things. We could add a "tahoe admin upgrade" command which:

  • downloads the current tahoe-lafs-requirements.txt file
  • checks an !Ed25519 signature against a baked-in release key
  • checks that the version string is greater than the current one
  • build wheels of all necessary dependencies, with --require-hashes
  • install those wheels into the current virtualenv

The process would we safer than the original install: the reliance set is only that !Ed25519 key (and the people who use it to sign the requirements file).

I suspect Google's cloud-services CLI tool (gcloud) does something similar. And it's safer than a pip install -U of everything that pip list --outdated reports: we can stick with specific versions (and hashes) that we've tested.

I had a wild idea this morning, related to #2055. Start by using a [hash-enabled requirements.txt](https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode) file for the primary install: the install process would look like: ``` % wget https://tahoe-lafs.org/downloads/tahoe-lafs-requirements.txt % virtualenv ~/.tahoe-venv % ~/.tahoe-venv/bin/pip install --require-hashes -r tahoe-lafs-requirements.txt % ~/.tahoe-venv/bin/tahoe --version ``` The first wget is TOFU (and depends upon TLS and the CAs), but after that you're installing exactly whatever the tahoe project said you should be installing. Maybe we even encapsulate all that into an installer stub, like the "lightweight" installers that a lot of professional apps (Firefox, Dropbox, Chrome) are using. You download the (small) installer application in your browser, you run it, then that does the longer full download itself (with retries and hash-checking and localization and nicer error messages and install instructions). (hm, maybe [pipsi](https://github.com/mitsuhiko/pipsi/) should acquire a `--requirements=` mode, that'd be even easier) Now here's the wild part: if Tahoe knows that it's installed in a virtualenv, then it could run "pip" to upgrade things. We could add a "tahoe admin upgrade" command which: * downloads the current `tahoe-lafs-requirements.txt` file * checks an !Ed25519 signature against a baked-in release key * checks that the version string is greater than the current one * build wheels of all necessary dependencies, with `--require-hashes` * install those wheels into the current virtualenv The process would we safer than the original install: the reliance set is only that !Ed25519 key (and the people who use it to sign the requirements file). I suspect Google's cloud-services CLI tool (`gcloud`) does something similar. And it's safer than a `pip install -U` of everything that `pip list --outdated` reports: we can stick with specific versions (and hashes) that we've tested.
tahoe-lafs added the
packaging
normal
enhancement
1.10.2
 labels 2016-03-30 19:06:43 +00:00
tahoe-lafs added this to the undecided milestone 2016-03-30 19:06:43 +00:00
leif commented 2016-03-31 11:18:27 +00:00
Author
Owner
Copy link

As I wrote recently on Ars Technica, I think a basic requirement for new update mechanisms being deployed at this point in history is that they not introduce new single points of failure like the one Ed25519 release key described above!

Anyway, it seems like this is something that should be implemented in pip or somewhere else outside of Tahoe. Perhaps pip could provide an API for applications like Tahoe to check if they are the latest version, and even initiate upgrades? And/or perhaps pip could have a cronjob to auto-update certain packages and their dependencies? I think removing the single points of failure from pip's authenticity-checking regime should be a much higher priority, though!

As I [wrote](http://arstechnica.com/security/2016/02/most-software-already-has-a-golden-key-backdoor-its-called-auto-update/) recently on Ars Technica, I think a basic requirement for new update mechanisms being deployed at this point in history is that they not introduce new single points of failure like the one Ed25519 release key described above! Anyway, it seems like this is something that should be implemented in pip or somewhere else outside of Tahoe. Perhaps pip could provide an API for applications like Tahoe to check if they are the latest version, and even initiate upgrades? And/or perhaps pip could have a cronjob to auto-update certain packages and their dependencies? I think removing the single points of failure from pip's authenticity-checking regime should be a much higher priority, though!
daira commented 2016-03-31 14:45:42 +00:00
Author
Owner
Copy link

IMHO this is not something that should be done per-application. If it is, >90% of applications will get it wrong (and that's optimistic). Even if every application did implement something secure by itself, then the resulting agglomeration of separate mechanisms would be completely unmanageable.

IMHO this is not something that should be done per-application. If it is, >90% of applications will get it wrong (and that's optimistic). Even if every application did implement something secure by itself, then the resulting agglomeration of separate mechanisms would be completely unmanageable.
warner commented 2016-03-31 18:29:30 +00:00
Author
Owner
Copy link

Leif: oh, sure, that !Ed25519 signature could be implemented as a quorum/TUF-style signature bundle, to turn that single-point-of-compromise into a quorum-of-compromise. I think that's extra credit, though, because almost all of the current schemes have multiple points of compromise.

(hey, that gives us a t-shirt version: "MPOC bad! SPOC better! QUOC best!")

I think the pip folks (especially dstufft) are keen on moving in this direction, at least partially. They've been working to add signatures to wheel files, and per-project pubkeys to the PyPI entries.

But everything I've seen so far is one-wheel-at-a-time. I don't think there's any support yet for whole-project hash-locked requirements.txt -based installs. Using requirements files, and therefore hashes, must be done manually, by downloading a requirements.txt (possibly by doing a git checkout or unpacking a tarball), then running pip install -r requirements.txt. There's no pip install tahoe-lafs -like thing that will automatically fetch one for you.

So anyways, I suspect that we'd have to be a trail-breaker here. We could prototype this in Tahoe and then help push it upstream into pip. I agree that this wants to live somewhere larger than just Tahoe, but it's not there yet, and ya gotta start somewhere.

Leif: oh, sure, that !Ed25519 signature could be implemented as a quorum/TUF-style signature bundle, to turn that single-point-of-compromise into a quorum-of-compromise. I think that's extra credit, though, because almost all of the current schemes have multiple points of compromise. (hey, that gives us a t-shirt version: "MPOC bad! SPOC better! QUOC best!") I think the pip folks (especially dstufft) are keen on moving in this direction, at least partially. They've been working to add signatures to wheel files, and per-project pubkeys to the PyPI entries. But everything I've seen so far is one-wheel-at-a-time. I don't think there's any support yet for whole-project hash-locked requirements.txt -based installs. Using requirements files, and therefore hashes, must be done manually, by downloading a requirements.txt (possibly by doing a git checkout or unpacking a tarball), then running `pip install -r requirements.txt`. There's no `pip install tahoe-lafs` -like thing that will automatically fetch one for you. So anyways, I suspect that we'd have to be a trail-breaker here. We could prototype this in Tahoe and then help push it upstream into pip. I agree that this wants to live somewhere larger than just Tahoe, but it's not there yet, and ya gotta start somewhere.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
No results found.
No results found.
Labels
Clear labels   
0.2.0

   
0.3.0

   
0.4.0

   
0.5.0

   
0.5.1

   
0.6.0

   
0.6.1

   
0.7.0

   
0.8.0

   
0.9.0

   
1.0.0

   
1.1.0

   
1.10.0

   
1.10.1

   
1.10.2

   
1.10a2

   
1.11.0

   
1.12.0

   
1.12.1

   
1.13.0

   
1.14.0

   
1.15.0

   
1.15.1

   
1.2.0

   
1.3.0

   
1.4.1

   
1.5.0

   
1.6.0

   
1.6.1

   
1.7.0

   
1.7.1

   
1.7β

   
1.8.0

   
1.8.1

   
1.8.2

   
1.8.3

   
1.8β

   
1.9.0

   
1.9.0-s3branch

   
1.9.0a1

   
1.9.0a2

   
1.9.0b1

   
1.9.1

   
1.9.2

   
1.9.2a1

   
LeastAuthority.com automation

   
blocker

   
cannot reproduce

   
cloud-branch

   
code

catch-all for anything that can be fixed by writing code but isn't classified better

  
code-dirnodes

anything involving tahoe directories

  
code-encoding

immutable-file encoding format/layout, cap format, encoding/decoding algorithms

  
code-frontend

general frontend things: new user-facing interfaces, FTP/SFTP servers, FUSE-like interfaces

  
code-frontend-cli

CLI tools

  
code-frontend-ftp-sftp

   
code-frontend-magic-folder

   
code-frontend-web

webapi interfaces, user-facing "WUI" interfaces

  
code-mutable

anything involving mutable files: encoding/decoding, share format

  
code-network

Introducer, locating storage servers, establishing/maintaining connections to them

  
code-nodeadmin

node startup/shutdown, tools to create nodes, logging tools, management/monitoring tools, manhole, disk-space-limiting tools

  
code-peerselection

server selection/sorting algorithm, rebalancing code, allocation policy, swarming-download

  
code-storage

storage-server implementation, share-storage directory layout, client-to-server share transfer protocol

  
contrib

problems with non-core things that live in the source:contrib/ directory

  
critical

   
defect

   
dev-infrastructure

things that help us build Tahoe: buildbot, automated speed/memory/code-coverage tests and results-displayers, IRC channels, mailing lists, this Trac instance

  
documentation

docs items. Also use 'docs' keyword on tickets in more specific components.

  
duplicate

   
enhancement

   
fixed

   
invalid

   
major

   
minor

   
n/a

   
normal

   
operational

things involved in running a tahoe grid, external tools to monitor/maintain a grid (like "nodeadmin" but larger-scale). Was also used for issues with the allmydata.com grid.

  
packaging

setup.py script, library dependencies, binary packages, licensing, installation instructions

  
somebody else's problem

   
supercritical

   
task

   
trivial

   
unknown

Uncategorized. All tickets default to this component until someone updates it.

  
was already fixed

   
website

things about the tahoe-lafs.org website (and sometimes this Trac instance, shared with 'dev-infrastructure')

  
wontfix

   
worksforme
No labels
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
Milestone
Clear milestone
No items
No milestone
undecided
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: tahoe-lafs/trac-2024-07-25#2761
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?