mahmoud/face

is face-20.1.1-py3-none-any.whl legit?

willkg opened this issue · 4 comments

face 20.1.1 was released January 22, 2020 as a .tar.gz and a py2-none-any.whl. 6 hours ago, someone uploaded a py3-none-any.whl. I think it's pretty unusual to get a new whl download for a release 3 years old.

The py2 and py3 whls seem the same, except that the older py2 whl contains a test_parse.py file the new py3 whl doesn't contain.

I don't see anything in the PR or issue trackers to suggest a face maintainer was uploading whls for older releases.

Is this new py3 whl release legit?

Wow! Didn't expect anyone to notice. TLDR Yes, it's legit.

For this blog post I soft-launched glompad (glom in the browser). Glompad runs pyodide, and needs py3 wheels. I couldn't use face 22 because I wanted to do one last py2/py3 glom release. Easiest fix was to release a wheel for the old code :)

Thanks for keeping an eye out, though! I could see how this might be a vector for some less-than-pure intentions. Just curious, how did you spot it?

We ran into this since we use pip-compile to pin our package hashes, which are then evaluated during pip install -r requirements.txt --require-hashes. We do this to protect against things like rogue binary uploads, which is what we were worried may have happened here as well! Thanks for the fast response 😄
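The mechanism behind that detection, as an added illustration and not code from the face project or from any commenter: `pip-compile --generate-hashes` records one `--hash=sha256:...` per artifact that existed on PyPI at compile time, and `pip install --require-hashes` then refuses any download whose digest is outside that set. A wheel uploaded years later for the same version has a digest that was never pinned, so the install fails instead of silently pulling in the new file. The requirements fragment and the artifact contents below are constructed stand-ins (their digests are computed in the example, they are not the real face-20.1.1 digests), and the parser only covers the line layout pip-compile emits.

```python
"""Hash-pinned requirements check, as an added example (not face code).

Models what pip does under --require-hashes: a candidate download is only
acceptable if its digest is in the pinned set for that requirement. The
artifacts here are constructed stand-in bytes, not real PyPI files.
"""
import hashlib
import re

# Constructed stand-ins for the files that existed when the pins were made
# (sdist + py2 wheel) and for a wheel uploaded later for the same version.
ORIGINAL_SDIST = b"face-20.1.1.tar.gz (stand-in bytes)"
ORIGINAL_PY2_WHEEL = b"face-20.1.1-py2-none-any.whl (stand-in bytes)"
LATER_PY3_WHEEL = b"face-20.1.1-py3-none-any.whl (stand-in bytes, uploaded later)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed requirements fragment in the pip-compile --generate-hashes
# layout (backslash continuations, one --hash per artifact, "# via" comment).
REQUIREMENTS_TXT = (
    "face==20.1.1 \\\n"
    f"    --hash=sha256:{sha256(ORIGINAL_SDIST)} \\\n"
    f"    --hash=sha256:{sha256(ORIGINAL_PY2_WHEEL)}\n"
    "    # via glom\n"
)

_HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")


def parse_hash_pins(text: str) -> dict:
    """Return {name: {"version": str, "hashes": {(alg, digest), ...}}}.

    Joins pip-compile's backslash line continuations, skips comment lines,
    and rejects any requirement that is not ==-pinned with at least one
    hash, which is also what --require-hashes does.
    """
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        hashes = {(h.group("alg"), h.group("digest")) for h in _HASH_RE.finditer(line)}
        if not hashes:
            raise ValueError(f"{m.group('name')} has no --hash pin")
        pins[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return pins


def artifact_allowed(name: str, data: bytes, pins: dict) -> bool:
    """True if `data` matches any pinned digest for `name`.

    Any digest in the set is acceptable (sdist or wheel); a file whose
    digest was never pinned is a hard failure, whatever its filename says.
    """
    pin = pins.get(name.lower())
    if pin is None:
        return False
    return any(hashlib.new(alg, data).hexdigest() == digest for alg, digest in pin["hashes"])


def check_downloads(pins: dict, candidates: list) -> list:
    """Evaluate (name, filename, data) candidates; returns (filename, ok) pairs
    so a CI job can fail on the first False."""
    return [(fname, artifact_allowed(name, data, pins)) for name, fname, data in candidates]


if __name__ == "__main__":
    pins = parse_hash_pins(REQUIREMENTS_TXT)
    results = check_downloads(pins, [
        ("face", "face-20.1.1-py2-none-any.whl", ORIGINAL_PY2_WHEEL),
        ("face", "face-20.1.1-py3-none-any.whl", LATER_PY3_WHEEL),
    ])
    for fname, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {fname}")
```

The py2 wheel passes and the later py3 wheel fails even though both are nominally face 20.1.1, because the check is on bytes rather than on version or filename. Once a maintainer has confirmed a new upload is legitimate, the pins have to be regenerated (re-running `pip-compile --generate-hashes`, or refreshing the lock file in Poetry, whose `poetry.lock` records per-file hashes in the same spirit) to admit the new digest.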

We do the same thing that @sizehnde does. Everything is good here, so I'm closing this out. I appreciate you replying so quickly! Thank you!

@mahmoud yes, our CI pipeline (using Poetry, which checks the hashes) failed too. Thanks for the fast reply.