• Debian python package bytecode compatibility

    From Manoj Singh@21:1/5 to All on Tue Sep 28 17:20:01 2021
    Hi Team,

    For FIPS (Federal Information Processing Standards), all Python code is
    required to be in bytecode format (.pyc) instead of plain source .py.

    Please suggest whether it is possible to convert all Debian Python packages
    to compiled bytecode (.pyc) format. Is there any impact if we do that?

    Your help is much appreciated.

    Regards,
    Manoj


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sam Hartman@21:1/5 to All on Tue Sep 28 21:30:02 2021
    "Manoj" == Manoj Singh <rosesingh123@gmail.com> writes:

    Manoj> Hi Team, For FIPS(federal information processing standards),
    Manoj> required all python code in bytecode format(.pyc) instead of
    Manoj> plain source .py.

    NIST publishes a lot of FIPS documents.
    Can you please point to the specific version of the specific standard
    and the clause within that standard that requires Python be shipped as
    byte code?

  • From Bastian Blank@21:1/5 to Manoj Singh on Wed Sep 29 10:30:02 2021
    On Tue, Sep 28, 2021 at 08:37:15PM +0530, Manoj Singh wrote:
    > For FIPS(federal information processing standards), required all python
    > code in bytecode format(.pyc) instead of plain source .py.

    All Python source is compiled into bytecode during installation.

    Bastian

    --
    We have found all life forms in the galaxy are capable of superior
    development.
    -- Kirk, "The Gamesters of Triskelion", stardate 3211.7

  • From Paul Wise@21:1/5 to All on Wed Sep 29 15:40:01 2021
    On Wed, Sep 29, 2021 at 8:25 AM Bastian Blank wrote:

    > All Python source is compiled into bytecode during installation.

    Scripts in the bin/ directories are not compiled into bytecode, and
    there are a number of packages that do not compile .py files into
    bytecode:

    https://lists.debian.org/msgid-search/4b0d37a23b7e605d68d079b56c7d45a64f188a20.camel@debian.org


    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise
    https://bonedaddy.net/pabs3/

  • From Sam Hartman@21:1/5 to All on Wed Sep 29 21:10:01 2021
    "Paul" == Paul Wise <pabs@debian.org> writes:

    Paul> On Wed, Sep 29, 2021 at 8:25 AM Bastian Blank wrote:
    >> All Python source is compiled into bytecode during installation.

    Paul> Scripts in the bin/ directories are not compiled into
    Paul> bytecode, and there are a number of packages that do not
    Paul> compile .py files into bytecode:

    So, I think that this is coming out of FIPS 140-3 which requires that
    the installed software that is part of the validated cryptographic
    module not be susceptible to unauthorized modification.
    (There are discussions about unauthorized disclosure, although I think we
    can safely say that disclosure of any software packaged in Debian main
    is authorized.)
    I'll admit to a certain skepticism about what fraction of the python
    code in Debian is reasonable to include in a validated cryptographic
    module. Let's assume there is some though.

    There's a chain of signatures for the installed files, and so you could presumably validate that the installed files have not been modified.
    That is much more challenging for files generated from the postinst.

    I think that using Debian as it exists today under the FIPS 140
    validation rules would be tricky at least.

  • From Colin Watson@21:1/5 to Sam Hartman on Wed Sep 29 22:30:01 2021
    On Wed, Sep 29, 2021 at 12:42:56PM -0600, Sam Hartman wrote:
    > There's a chain of signatures for the installed files, and so you could presumably validate that the installed files have not been modified.
    > That is much more challenging for files generated from the postinst.

    I wondered about reproducibility of Python bytecode, and from a quick web-search before the children's bedtime I ran across a couple of links
    that look interesting to pursue:

    https://bugs.python.org/issue29708
    https://vulns.xyz/2021/08/reproducible-python-bytecode/

    I couldn't find anything under Debian's reproducible builds banner (it
    is after all slightly outside the usual area of building reproducible
    .debs), but maybe I missed something.

    --
    Colin Watson (he/him) [cjwatson@debian.org]

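Added example, not part of any post in this thread: a Python sketch of why `.pyc` files generated at install time are harder to verify than shipped files. It shows that CPython's timestamp-based bytecode changes with the source mtime, while hash-based bytecode (PEP 552) does not. The sample source, the mtimes and the function names are constructed for illustration.

```python
import hashlib
import os
import py_compile
import struct
import tempfile
from py_compile import PycInvalidationMode

# Constructed sample module standing in for a packaged .py file.
SAMPLE_SOURCE = "ANSWER = 42\n"
# Constructed mtimes: the same source unpacked at two different times.
INSTALL_MTIMES = (1_600_000_000, 1_632_000_000)


def compile_once(src, out, mode):
    """Byte-compile src to out; return (sha256 hex, header flags word)."""
    py_compile.compile(src, cfile=out, doraise=True, invalidation_mode=mode)
    with open(out, "rb") as fh:
        data = fh.read()
    # PEP 552 header: 4-byte magic, 4-byte flags, then 8 bytes holding either
    # source mtime + size (flags == 0) or a hash of the source (flags & 1).
    (flags,) = struct.unpack("<I", data[4:8])
    return hashlib.sha256(data).hexdigest(), flags


def simulate_installs(mode):
    """Compile identical source twice, changing only the source mtime."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample.py")
        with open(src, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SOURCE)
        for i, mtime in enumerate(INSTALL_MTIMES):
            os.utime(src, (mtime, mtime))
            results.append(compile_once(src, os.path.join(tmp, f"{i}.pyc"), mode))
    return results


def is_reproducible(mode):
    """True when both simulated installs yield byte-identical .pyc files."""
    (first, _), (second, _) = simulate_installs(mode)
    return first == second


if __name__ == "__main__":
    for mode in (PycInvalidationMode.TIMESTAMP, PycInvalidationMode.CHECKED_HASH):
        print(f"{mode.name:13} reproducible={is_reproducible(mode)}")
```

With hash-based bytecode, a verifier can compare an installed `.pyc` against a digest computed at build time, provided the same interpreter version produced both, since the magic number and bytecode are version-specific.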