Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport security fix #3885 for package hashes to 1.1 #4420

Merged
merged 3 commits into from
Aug 27, 2021
Merged

Backport security fix #3885 for package hashes to 1.1 #4420

merged 3 commits into from
Aug 27, 2021

Conversation

pietrodn
Copy link

Backport the security fix of #3885 on Poetry 1.1.
This commit has already been merged in master but it didn't make it to the 1.1 minor.

This fix is one of the two changes to make Poetry check the hashes of the downloaded files after poetry.lock.

Unfortunately this PR isn't sufficient to correct the bug, as this other PR needs to be backported to poetry-core 1.0.
Still, it is necessary.

Throw a specific exception in the case of finding a matching
name+version, but none of the digests for a link matching the
`poetry.lock` metadata.

Fixes Issue #2422

Co-authored-by: Nicolas Simonds <nisimond@cisco.com>
@sdispater sdispater mentioned this pull request Aug 27, 2021
2 tasks
@sdispater sdispater merged commit 634bb23 into python-poetry:1.1 Aug 27, 2021
@pietrodn pietrodn deleted the fix/hash-check-backport-1.1 branch August 27, 2021 12:56
@fredrikaverpil
Copy link
Contributor

Thank you so much for this @pietrodn !

@sdispater sdispater mentioned this pull request Sep 18, 2021
@jowparks
Copy link

jowparks commented Sep 21, 2021

FYI this backport broke our build since there is still a bug somehow with external pypi repos and md5 hashes

I downgraded our poetry to poetry==1.0.10 to fix for now.

error is documented here:
#2422 (comment)

Copy link

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants