[Distutils] PEP470 installation security problems

holger krekel holger at merlinux.eu
Wed Oct 8 14:17:38 CEST 2014


On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote:
> On 8 October 2014 12:40, holger krekel <holger at merlinux.eu> wrote:
> > I am concerned about the fact that public PyPI links are merged in even
> > for my private packages residing on the extra index.
> 
> Bluntly, that's irrelevant.

I disagree.  The PEP uses merging of public and private links in
the main rationale section which comes before discussing migration
strategies.  It's used as motivation aka "look how easy it is
to use additional/multi indexes" and not as a particular migration
strategy that shouldn't be used otherwise.

> That's how pip works. Maybe it's not the best way, maybe a feature
> request for pip would be worth pursuing, maybe you could even argue
> that it's a security issue with pip. But it's not relevant to this
> PEP, which simply says that "for this *specific* problem, multi-index
> support is a viable solution". Asking for a change in behaviour from
> pip in this specific case is not what the PEP is about. Actually,
> pip's behaviour in general is not subject to the PEP process (as
> Donald pointed out, trying to make it be is what got PEP 438 in
> trouble).

Well, for one, I think "--extra-index-url" is indeed broken UI, exposing
people to compromise without any warning.

Also, I am worried on principle grounds if pip maintainers are putting
themselves outside PEP reach, yet pip is distributed along with Python.

best,
holger
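A simplified model of the index merging the message describes, written as an added example (not code from the thread or from pip itself): candidates for a name are gathered from every configured index and the highest version wins regardless of which index served it, so a private name that also appears on the public index can resolve to the public copy; a collision check flags such names before installation. The index listings and the package names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample index listings (name -> versions); not real PyPI data.
PUBLIC_INDEX = {
    "requests": ["2.4.0", "2.4.1"],
    "acme-internal-tool": ["99.0"],  # same name as a private package
}
PRIVATE_INDEX = {
    "acme-internal-tool": ["1.2.0", "1.3.0"],
}
MERGED = {"public": PUBLIC_INDEX, "private": PRIVATE_INDEX}


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str


def parse_version(version):
    """Numeric dotted versions only; enough for the sample data."""
    return tuple(int(part) for part in version.split("."))


def collect_candidates(name, indexes):
    """Merge candidates from every index into one list, the way an
    --extra-index-url configuration does (simplified model)."""
    return [Candidate(name, ver, label)
            for label, listing in indexes.items()
            for ver in listing.get(name, [])]


def pick(name, indexes):
    """Choose the highest version across the merged list; the index of
    origin plays no part in the choice."""
    cands = collect_candidates(name, indexes)
    if not cands:
        raise LookupError(f"{name}: no candidates on any index")
    return max(cands, key=lambda c: parse_version(c.version))


def find_collisions(private_names, indexes):
    """Defensive check: private names that more than one index serves."""
    return sorted(n for n in private_names
                  if sum(1 for listing in indexes.values() if n in listing) > 1)


if __name__ == "__main__":
    print("merged:", pick("acme-internal-tool", MERGED))
    print("private only:", pick("acme-internal-tool", {"private": PRIVATE_INDEX}))
    print("collisions:", find_collisions(PRIVATE_INDEX, MERGED))
```

Running `find_collisions` against the private index before an install is the check the merged resolution never performs on its own.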

