How to keep virtualenv install secure?
Hi,
I am looking for some advice: If we use the virtualenv install method, how does one keep track of security updates for all the installed dependencies?
I can think of:
- Upgrade regularly all installed packages inside the virtualenv. This might break mailman3 if there are incompatible updates.
- Try to track all dependencies and check if there are security updates published. This might be impossible to achieve.
- Security updates are so rare, we do not need to bother. ;)
Thanks, Bernhard
On Thu, Nov 7, 2024 at 5:18 PM Lichtinger, Bernhard <Bernhard.Lichtinger@lrz.de> wrote:
Hi,
I am looking for some advice: If we use the virtualenv install method, how does one keep track of security updates for all the installed dependencies?
I can think of:
- Upgrade regularly all installed packages inside the virtualenv. This might break mailman3 if there are incompatible updates.
- Try to track all dependencies and check if there are security updates published. This might be impossible to achieve.
- Security updates are so rare, we do not need to bother. ;)
I am no security expert, but what I know is that the MM3 installation pulls all the compatible packages during installation. Updating some may lead to incompatibilities/breakage. MM3 modules during updates will also pull in the correct versions of the packages. After that, we sit back and run :-)
--
Best regards,
Odhiambo WASHINGTON, Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On 11/7/24 01:31, Lichtinger, Bernhard wrote:
Hi,
I am looking for some advice: If we use the virtualenv install method, how does one keep track of security updates for all the installed dependencies?
I can think of:
- Upgrade regularly all installed packages inside the virtualenv. This might break mailman3 if there are incompatible updates.
You can do in the venv

pip install --upgrade --upgrade-strategy eager mailman psycopg2-binary mailman-web mailman-hyperkitty
I'm not sure if this will update dependencies if there are no updates to the named package, but in any case, incompatibilities should be avoided because if a newer version of a dependency is incompatible, the dependency should be pinned to a compatible version in the project's requirements.
- Try to track all dependencies and check if there are security updates published. This might be impossible to achieve.
It shouldn't be too difficult to script this.
Get the output from `pip freeze` in the venv
for each line split it on `==` into PACKAGE and VERSION
get https://pypi.org/rss/project/PACKAGE/releases.xml
find the first <title>VERSION</title> and compare that VERSION to the VERSION from `pip freeze`
This won't tell you if the newer version is a security update, but it will tell you which packages have newer versions.
- Security updates are so rare, we do not need to bother. ;)
For the Mailman dependencies, this is probably true.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
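A runnable version of the check Mark sketches above, added here as an example and not code from the thread. It runs offline over a constructed `pip freeze` sample and constructed RSS bodies (`fake_feed`, `SAMPLE_FEEDS`, `find_outdated` and the other names are assumptions of this example); for a live check, pass a `fetch` callable that GETs `https://pypi.org/rss/project/<name>/releases.xml` and returns the body.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `pip freeze` output (not a real venv's contents).
FREEZE_OUTPUT = """\
mailman==3.3.9
mailman-web==0.0.6
psycopg2-binary==2.9.9
-e git+https://example.invalid/plugin.git@abc123#egg=local_plugin
"""

def fake_feed(name, *versions):
    """Constructed stand-in for https://pypi.org/rss/project/<name>/releases.xml
    (newest item first, each <item><title> a version string)."""
    items = "".join(f"<item><title>{v}</title></item>" for v in versions)
    return f"<rss><channel><title>Updates for {name}</title>{items}</channel></rss>"

SAMPLE_FEEDS = {"mailman": fake_feed("mailman", "3.3.10", "3.3.9"),
                "mailman-web": fake_feed("mailman-web", "0.0.6"),
                "psycopg2-binary": fake_feed("psycopg2-binary", "2.9.10", "2.9.9")}

def parse_freeze(text):
    """Yield (package, version) from `pip freeze`; skip editable/URL/comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("-", "#")) or "==" not in line:
            continue
        pkg, ver = line.split("==", 1)
        yield pkg.lower(), ver.strip()

def latest_from_rss(xml_text):
    """Newest release is the first <item><title>; <channel><title> is not a version."""
    title = ET.fromstring(xml_text).find("channel/item/title")
    return title.text.strip() if title is not None and title.text else None

def version_key(v):
    """PEP 440-ish key: '3.3.10' > '3.3.9' numerically; '3.3.10rc1' < '3.3.10'."""
    parts = [(1, int(p)) if p.isdigit() else (0, p.lower())
             for p in re.findall(r"\d+|[A-Za-z]+", v)]
    return parts + [(1, 0)]  # sentinel ranks a final release above its pre-releases

def find_outdated(freeze_text, fetch):
    """fetch(name) -> RSS body or None. Returns {name: (installed, newest)}."""
    outdated = {}
    for pkg, installed in parse_freeze(freeze_text):
        body = fetch(pkg)
        newest = latest_from_rss(body) if body else None
        if newest and version_key(newest) > version_key(installed):
            outdated[pkg] = (installed, newest)
    return outdated
```

`find_outdated(FREEZE_OUTPUT, SAMPLE_FEEDS.get)` reports mailman and psycopg2-binary as behind, and a plain string comparison would not (it ranks "3.3.9" above "3.3.10"). As Mark says, a newer release is not necessarily a security fix; for that question `pip-audit` (the PyPA tool) checks installed packages against the PyPI advisory database.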