[Distutils] PEP470 installation security problems

Nick Coghlan ncoghlan at gmail.com
Wed Oct 8 13:22:49 CEST 2014


On 8 October 2014 20:57, holger krekel <holger at merlinux.eu> wrote:
> On Wed, Oct 08, 2014 at 20:27 +1000, Nick Coghlan wrote:
> Well, for installing NAME from pypi you need to trust that the people
> who registered and maintain NAME are not doing something bad (and the
> machine is not compromised but in that case all bets are off obviously).
> And i can make a choice to trust "django", "flask", "warehouse" and other
> pypi names.  I am exposing myself to whatever the maintainers published
> but it's my choice.  This is a very different thing compared to:
>
>     pip install --extra-index http://private.repo mypackage
>
> I may think i am trusting just "mypackage" from my private repo.
> But in fact i am betting on nobody uploading "mypackage" to the pypi wiki.
> I don't think this is very obvious to many -- it certainly wasn't
> at EuroPython2014.

So your concern is specifically with the fact that some users are not
currently aware that "--extra-index" adds an *extra* index (which can
then supply *any* package, as can the default index), and not a
*replacement* index, and that they need to use --index-url in order to
completely override the default index?

Would you be more comfortable if the existing admonition in PEP 470 to
use a private devpi instance with whitelisting in situations with a
low security risk tolerance was accompanied by a concrete example that
noted the appropriate option to use for private index URLs?:

    pip install --index-url https://private-repo.example.com mypackage

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
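
Added example, not part of the original message and not pip's own code: a small checker that works out which indexes a "pip install" command line will consult, so the difference between --extra-index-url and --index-url discussed above can be audited. The function names, the trusted-host set and the DEFAULT_INDEX value are assumptions made for the example.

```python
import shlex
from urllib.parse import urlsplit

# Assumption: the index pip falls back to when no --index-url is given.
DEFAULT_INDEX = "https://pypi.org/simple"

PRIMARY_OPTS = ("-i", "--index-url")
# "--extra-index" is the abbreviated spelling used in the thread.
EXTRA_OPTS = ("--extra-index-url", "--extra-index")


def effective_indexes(command):
    """Return every index the command consults. pip does not rank them:
    any listed index may supply any requested package."""
    primary, extras, no_index = DEFAULT_INDEX, [], False
    tokens = shlex.split(command)
    i = 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name in PRIMARY_OPTS + EXTRA_OPTS:
            if not sep:  # option and value given as separate tokens
                i += 1
                value = tokens[i] if i < len(tokens) else ""
            if name in PRIMARY_OPTS:
                primary = value          # replaces the default index
            else:
                extras.append(value)     # added alongside the default
        elif tokens[i] == "--no-index":
            no_index = True
        i += 1
    return [] if no_index else [primary] + extras


def audit(command, trusted_hosts):
    """Return the consulted indexes whose host is not in trusted_hosts."""
    findings = []
    for url in effective_indexes(command):
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if host not in trusted_hosts:
            findings.append(url)
    return findings


if __name__ == "__main__":
    # Constructed inputs, modelled on the two commands in the thread.
    for cmd, trusted in [
        ("pip install --extra-index http://private.repo mypackage", {"private.repo"}),
        ("pip install --index-url https://private-repo.example.com mypackage",
         {"private-repo.example.com"}),
    ]:
        print(cmd, "->", audit(cmd, trusted) or "only trusted indexes")
```

A non-empty result from audit() means an index outside the trusted set can also answer for "mypackage".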

