pip-requirements and hash-checking

[deeglaze]

Hi y'all, I'm attempting to not boil the ocean while building OVMF outside of our monorepo due to the transitive dependencies that we'd then have to own the reproduction for. One option we have ahead of first party reproduction of every package is to at least check the hashes of dependencies before use.

Here's an example for capturing the current state of things:

$ pip3 install pip-tools
$ pip-compile --generate-hashes --output-file=requirements.txt edk2-stable/pip-requirements.txt --unsafe-package setuptools --allow-unsafe

Would folks be against tracking these hashes in the upstream repo, and adding --require-hashes to the build tests to catch any unexpected change in the software supply chain?

[bexcran]

That sounds like a good idea!

[deeglaze]

Coming back to this and playing with it, the container definitions' pip install --upgrade pip -r <requirements> command is incompatible with a safe installation, since pinning the pip version is considered unsafe by the pip-tools folks (7 years ago). The container base must be trusted to have a good pip, but if we upgrade to a bad pip that disregards hashes and installs bad packages despite --require-hashes, then we've failed.

I don't see justification for the upgrade in tianocore/containers@46802aa so I would recommend removing it to maintain trust in the base container's pre-installed pip.

[deeglaze]

#10600