
Could you help upgrade the vulnerable dependency in atlite?

Open JoeGardner000 opened this issue 3 years ago • 2 comments

Hi @coroa, @FabianHofmann, I'd like to report a vulnerability issue in atlite_0.2.7.

Issue Description

I noticed that atlite_0.2.7 directly depends on rasterio_1.2.10. However, rasterio_1.2.10 suffers from the vulnerabilities exposed by its bundled C libraries, as the following dependency graph shows.

Dependency Graph between Python and Shared Libraries


Suggested Vulnerability Patch Versions

rasterio has upgraded these vulnerable C libraries to patched versions; refer to the issue URL.

Python build tools cannot report vulnerable C libraries, which may induce potential security issues in many downstream Python projects. As a popular Python package (atlite has 3,849 downloads per month), could you please upgrade this vulnerable dependency?

Thanks for your help~ Best regards, Joe Gardner

JoeGardner000 avatar Apr 10 '22 11:04 JoeGardner000
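The report's core point is that `pip` and Python-level audit tools see only the package version, not the C libraries vendored inside a wheel. The check below, an added example that is not code from this issue or from atlite/rasterio, lists the shared libraries a wheel ships and flags those older than a minimum you supply. It assumes the `lib<name>-<hash>.so.<version>` filename shape that auditwheel-repaired manylinux wheels place under `<package>.libs/`; the sample filenames and minimum versions are constructed, not rasterio's real ones.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Tuple

# auditwheel-repaired wheels vendor C libraries under <pkg>.libs/ as
# lib<name>-<8 hex hash>.so[.major[.minor[.patch]]]. pip and Python
# audit tools never look at these files, so we parse them ourselves.
_LIB_RE = re.compile(
    r"^lib(?P<name>[A-Za-z0-9_+]+?)(?:-[0-9a-f]{8})?\.so(?:\.(?P<ver>[0-9.]+))?$"
)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.4.1' -> (3, 4, 1); an absent version becomes the empty tuple."""
    return tuple(int(part) for part in text.split(".") if part)


def bundled_libraries(filenames: Iterable[str]) -> Dict[str, Version]:
    """Map each vendored library name to the version parsed from its filename."""
    found: Dict[str, Version] = {}
    for filename in filenames:
        match = _LIB_RE.match(filename)
        if match:  # skip READMEs, licences and anything that is not a .so
            found[match.group("name")] = parse_version(match.group("ver") or "")
    return found


def scan_libs_dir(libs_dir: Path) -> Dict[str, Version]:
    """Same as bundled_libraries, read from an installed <pkg>.libs directory."""
    return bundled_libraries(p.name for p in Path(libs_dir).iterdir())


def below_minimum(found: Dict[str, Version],
                  minimums: Dict[str, Version]) -> Dict[str, Tuple[Version, Version]]:
    """Return {name: (bundled, required)} for libraries older than required."""
    return {name: (found[name], required) for name, required in minimums.items()
            if name in found and found[name] < required}


# Constructed sample: what a .libs directory listing might look like.
SAMPLE_LIBS = ["libfoo-0a1b2c3d.so.3.4.1", "libbar-deadbeef.so.1.2",
               "libbaz-cafebabe.so.9", "README.txt"]
SAMPLE_MINIMUMS = {"foo": (3, 4, 2), "bar": (1, 2), "baz": (10,)}

if __name__ == "__main__":
    for name, (have, need) in below_minimum(bundled_libraries(SAMPLE_LIBS),
                                            SAMPLE_MINIMUMS).items():
        print(f"{name}: bundled {have} is older than required {need}")
```

On a real install, point `scan_libs_dir` at the package's `.libs` directory inside site-packages and take the minimum versions from the upstream advisory.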

Thanks @JoeGardner000 for bringing up this issue. Do you have some best practice recommendations on how to tackle this (and similar issues) with research software?

My 2 cents: I don't think we should do anything to address this issue for now:

  • The best option would be to pin rasterio to the current master branch version (as a new rasterio has yet to be released), but I don't consider that a good approach.
  • This is software for research with all its caveats.
  • We're researchers, not software engineers/security professionals. I don't consider myself qualified to do any assessment or offer a trustworthy fix. And I certainly don't want to give users the impression that we do security assessments and monitoring.

If someone is concerned with security vulnerabilities, atlite can always be built and installed from the GitHub repo with the most up-to-date dependencies.

What do you think @FabianHofmann ?

euronion avatar Apr 11 '22 07:04 euronion

I agree, my preference would be to wait for a new rasterio release and add a minimum requirement.

FabianHofmann avatar Apr 11 '22 07:04 FabianHofmann