[RAPTOR-14742] python311: Use system site packages for pip CVE #1686
Conversation
|
The Needs Review labels were added based on the following file changes. Team @datarobot/genai-systems (#genai-systems) was assigned because of changes in files:public_dropin_environments/python311/Dockerfile public_dropin_environments/python311/env_info.json If you think that there are some issues with ownership, please discuss with C&A domain at #sdtk slack channel and create PR to update DRCODEOWNERS\CODEOWNERS file. |
|
Label Needs Review: GenAI Systems was removed because @yakov-g is part of GenAI Systems domain. |
nullspoon
force-pushed
the
aaron/python311-use-system-pip
branch
from
508c6e9 to
1ec9d7f
Compare
|
Hey @klichukb and @yakov-g This is really just an example PR of a change I wonder if we can make. This forces the use of system site packages (and system pip) so the vulnerability doesn't get reintroduced when the virtualenv is set up. Are we okay with this and/or do you two know of any use cases where this might be problematic? If it's fine still, I'd like to apply it to all of the other public dropin envs. Note that the fix will probably be available on pypi in a few days, so we can just take that route if wanted. With this PR, I'm just hoping to simplify the cve fixing process in the future where pip might have other vulnerabilities that chainguard fixes faster than upstream. |
|
I built the image and tried to do pip install. |
nullspoon
force-pushed
the
aaron/python311-use-system-pip
branch
from
1ec9d7f to
a6b1028
Compare
|
Updated to drop the virtualenv completely. |
nullspoon
force-pushed
the
aaron/python311-use-system-pip
branch
from
a6b1028 to
0cd42f5
Compare
nullspoon
changed the title
Pip currently has a security vulnerability, CVE-2025-8869, which has been fixed but not released. The release date is undetermined as there are apparently resource allocation issues on the pip maintainer team. However, chainguard has applied this patch on their builds of pip. That said, when built the virtual env, we pulled in a virutalenv copy of pip, which reintroduced the CVE to the image. As such, we now use system site packages and do not pull in an updated pip. That way we can will get chainguard fixes that have been applied to python resources.
nullspoon
changed the title
nullspoon
force-pushed
the
aaron/python311-use-system-pip
branch
from
0cd42f5 to
621ab6d
Compare
|
Alllrighty. Had a conversation with Bogdan. Looks like we can't remove the virtualenv, so this latest update goes back to using system site packages when creating the venv so we don't re-introduce the cve at build time. |
Pip currently has a security vulnerability, CVE-2025-8869, which has been fixed
but not released. The release date is undetermined as there are apparently
resource allocation issues on the pip maintainer team. However, chainguard has
applied this patch on their builds of pip.
That said, when built the virtual env, we pulled in a virutalenv copy of pip,
which reintroduced the CVE to the image.
As such, we now use system site packages and do not pull in an updated pip.
That way we can will get chainguard fixes that have been applied to python
resources.
This repository is public. Do not put here any private DataRobot or customer's data: code, datasets, model artifacts, .etc.
Summary
Rationale