[Distutils] PEP470 installation security problems

holger krekel holger at merlinux.eu
Wed Oct 8 13:40:49 CEST 2014


On Wed, Oct 08, 2014 at 21:22 +1000, Nick Coghlan wrote:
> On 8 October 2014 20:57, holger krekel <holger at merlinux.eu> wrote:
> > On Wed, Oct 08, 2014 at 20:27 +1000, Nick Coghlan wrote:
> > Well, for installing NAME from pypi you need to trust that the people
> > who registered and maintain NAME are not doing something bad (and the
> > machine is not compromised but in that case all bets are off obviously).
> > And I can make a choice to trust "django", "flask", "warehouse" and other
> > pypi names.  I am exposing myself to whatever the maintainers published
> > but it's my choice.  This is a very different thing compared to:
> >
> >     pip install --extra-index http://private.repo mypackage
> >
> > I may think I am trusting just "mypackage" from my private repo.
> > But in fact I am betting on nobody uploading "mypackage" to the pypi wiki.
> > I don't think this is very obvious to many -- it certainly wasn't
> > at EuroPython2014.
> 
> So your concern is specifically with the fact that some users are not
> currently aware that "--extra-index" adds an *extra* index (which can
> then supply *any* package, as can the default index), and not a
> *replacement* index, and that they need to use --index-url in order to
> completely override the default index?

No, I am not concerned about the extra index supplying whatever packages.
After all, the user specifies the option and should trust that index.

I am concerned about the fact that public PyPI links are merged in even
for my private packages residing on the extra index.

> Would you be more comfortable if the existing admonition in PEP 470 to
> use a private devpi instance with whitelisting in situations with a
> low security risk tolerance was accompanied by a concrete example that
> noted the appropriate option to use for private index URLs?:
> 
>     pip install --index-url private-repo.example.com mypackage

I rather think the whole rationale "Why additional repositories?" section
of the PEP needs a re-work and specifically not recommend
--extra-index-url.  Contrary to what Donald and Paul claim I don't see
it discussing just the particular issue of using extra indexes
for publicly registered packages:

http://legacy.python.org/dev/peps/pep-0470/#why-additional-repositories

best,
holger
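Added example, not part of the thread: a small Python model of the merge behaviour holger describes, with a defender-side check. The index contents are constructed, and the resolution rule (highest version wins across all merged sources) is a simplification of pip's real logic; `--index-url` on its own corresponds to resolving against a single source.

```python
"""Model of candidate merging across a default index and an --extra-index-url.

All index contents below are constructed sample data, not real PyPI or
private-repo data. The rule "highest version wins, whatever its source"
is a simplification of pip's resolution.
"""
from typing import Dict, List, Tuple

Index = Dict[str, List[str]]  # package name -> available version strings

# Constructed: the public index happens to carry a name that was meant to be private.
PUBLIC_INDEX: Index = {"requests": ["2.4.0"], "mypackage": ["99.0"]}
# Constructed: the private index the operator actually intended to install from.
PRIVATE_INDEX: Index = {"mypackage": ["1.2", "1.3"]}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3' into (1, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def resolve(name: str, indexes: Dict[str, Index]) -> Tuple[str, str]:
    """Pick (version, source) for `name` from the merged candidate set.

    With several indexes (the --extra-index-url situation) every index
    contributes candidates and the highest version wins regardless of
    where it came from. With a single index (--index-url) only that
    index is consulted.
    """
    candidates = []
    for source, index in indexes.items():
        for version in index.get(name, []):
            candidates.append((parse_version(version), version, source))
    if not candidates:
        raise LookupError(f"no candidates for {name!r}")
    _, version, source = max(candidates)
    return version, source


def exposed_names(private: Index, public: Index) -> List[str]:
    """Defender check: private names that also exist on the public index.

    Any name in this list can be overridden by a higher public version
    whenever the private index is used as an *extra* index.
    """
    return sorted(set(private) & set(public))


if __name__ == "__main__":
    merged = {"public": PUBLIC_INDEX, "private": PRIVATE_INDEX}
    print("extra-index merge:", resolve("mypackage", merged))        # ('99.0', 'public')
    print("index-url only:   ", resolve("mypackage", {"private": PRIVATE_INDEX}))
    print("exposed names:    ", exposed_names(PRIVATE_INDEX, PUBLIC_INDEX))
```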

