Andy McKay

Jul 13, 2015

Another reason to use peep


Peep is a library from Erik Rose that wraps around pip and checks the hash of the library before it installs. The main reason to use peep is to ensure that the dependencies you install have not been tampered with - a good security measure to have.

Today we had another example of how this can be useful. There are two projects that pull Python packages off a server, zamboni and solitude. One uses peep and the other doesn’t.

A wheel was made of one of the packages on our internal index. That’s a good thing to do and speeds all our builds up. But how the two projects reacted is interesting.

Not using peep

Zamboni docker containers continued to be built. However whenever you started up the project and accessed the container, you got an error about importing _mysql. The unit tests still passed because those are run in Travis CI which does not use the docker container.

That meant although the container was building, it was broken and people who tried to run it got an error. Fortunately since the container used supervisor as its entry point, it was easy enough to hop in, use ldd and see where the problems were.

Using peep

Solitude docker containers stopped being built. The hash of the library in question failed since it didn’t match what was expected. The hash of the wheel was different from the hash for the tarball.

Since the container was failing to build, people who pulled the container got the old outdated, but still working container.

Although I spotted the problem quickly in zamboni, it was nice to look at solitude and confirm the nature of the problem because the docker hub log clearly showed where the problem was.