[Distutils] PEP470 installation security problems

Paul Moore p.f.moore at gmail.com
Wed Oct 8 21:09:34 CEST 2014


On 8 October 2014 19:35, M.-A. Lemburg <mal at egenix.com> wrote:
> On 08.10.2014 16:04, Donald Stufft wrote:
>>
>>> I'd also like to request that you take Holger's concerns more
>>> seriously, perhaps add him as PEP author and let him participate
>>> in clarifying it (if he still feels like investing time in this).
>>
>> I take all concerns and feedback seriously else I wouldn’t spend the many
>> hours I’ve spent just this morning responding to them. I don’t grok what
>> Holger’s actual concern is so it’s hard to turn those concerns into anything
>> actionable I can actually do on the PEP.
>
> Holger has made his points very clear in his emails.
>
> If you don't follow/grok his reasoning it may indeed be better to
> have him edit the PEP to add his improvements/changes.
>
> I share his view that it is not necessary to break existing
> setups to add multi-index support. This can be implemented as
> simple extension to what we already have:
>
> """
> Simply add the possibility for authors to register external indexes,
> have pip, setuptools, et al. crawl these in addition to what's
> up on the PyPI package page (using the logic that has existed in
> these tools for years) and then let the author decide whether they
> want to remove existing downloads from PyPI or not.
>
> This allows for older installations to continue working, while
> also (optionally) supporting a setup which does not use PyPI for
> hosting at all.
> """

OK, thanks for restating/clarifying. This was buried somewhat in the
extended debate about security concerns and the implications of using
multi-index support in contexts not relevant to the PEP.

For what it's worth, I am -1 on this suggested addition. My reasons are:

1. The additional complexity of crawling extra indexes like this makes
it harder to write new tools, or ad hoc utilities (I know, I've tried
:-)).
2. As the proposal stands, I don't see any way that I as a user can
exercise any choice. Without inspecting the PyPI index page, I cannot
know if "pip install foo" will access another website, which may be
contrary to my company policy.
3. What if I want to prohibit that external access (maybe by adding a
local index containing a verified copy of the package)? Unless I
disable PyPI access, which may not be acceptable for other reasons,
the crawl will still happen.
4. Dependency handling makes this even worse. What if a package I
require, fully hosted on PyPI, depends on another one that is hosted
elsewhere? How would I know?

That'll do for now. Maybe Holger has proposals to address these
concerns, which would be fine. It's much easier to address specifics
rather than debating general, badly understood points.

Once again, thanks for picking out the key point here.
Paul
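Paul's second and third points are about not being able to tell, without reading the index page, whether "pip install foo" will leave PyPI. The following is an added example (not code from this thread, from pip, or from the PEP) of the kind of check a user could run beforehand: it parses a PyPI "simple" index page, resolves every link against the page URL, and sorts links into those hosted on PyPI, those that point directly at an off-site download, and homepage/download links that an installer would crawl further. The set of hostnames treated as "on PyPI" and the sample index page are assumptions constructed for the example.

```python
"""Audit a PyPI 'simple' index page for links that would take an installer off-site.

Added example; not part of pip, setuptools, or PEP 470.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption for this example: hosts that count as "hosted on PyPI".
PYPI_HOSTS = {"pypi.python.org", "pythonhosted.org", "files.pythonhosted.org"}

# rel values that the old crawling logic followed to find more download links.
CRAWL_RELS = {"homepage", "download"}

# Constructed sample index page (not a real PyPI page) for the package "foo".
SAMPLE_INDEX_URL = "https://pypi.python.org/simple/foo/"
SAMPLE_INDEX_HTML = """
<html><head><title>Links for foo</title></head><body><h1>Links for foo</h1>
<a href="../../packages/source/f/foo/foo-1.0.tar.gz#md5=0123abcd" rel="internal">foo-1.0.tar.gz</a><br/>
<a href="http://downloads.example.org/foo/foo-1.1.tar.gz#md5=4567ef01">foo-1.1.tar.gz</a><br/>
<a href="http://example.org/foo/" rel="homepage">foo home page</a><br/>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        href = attr.get("href")
        if href:
            rel = (attr.get("rel") or "").strip().lower()
            self.links.append((href, rel))


def audit_index_page(html, page_url):
    """Classify every link on an index page by where it would send the installer.

    Returns a dict with three lists of absolute URLs:
      internal - files served from a PyPI host
      external - direct download links on some other host
      crawl    - homepage/download links an installer would fetch and scan
    """
    parser = _LinkCollector()
    parser.feed(html)
    report = {"internal": [], "external": [], "crawl": []}
    for href, rel in parser.links:
        url = urljoin(page_url, href)  # relative links resolve against the page
        host = (urlsplit(url).hostname or "").lower()
        on_pypi = host in PYPI_HOSTS or host.endswith(".pythonhosted.org")
        if on_pypi:
            report["internal"].append(url)
        elif set(rel.split()) & CRAWL_RELS:
            report["crawl"].append(url)
        else:
            report["external"].append(url)
    return report


def offsite_hosts(report):
    """Hostnames other than PyPI that an install driven by this page may contact."""
    urls = report["external"] + report["crawl"]
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})


def leaves_pypi(report):
    """True if installing from this page can touch any non-PyPI host."""
    return bool(offsite_hosts(report))


if __name__ == "__main__":
    result = audit_index_page(SAMPLE_INDEX_HTML, SAMPLE_INDEX_URL)
    for kind in ("internal", "external", "crawl"):
        for url in result[kind]:
            print(f"{kind:8s} {url}")
    print("off-site hosts:", ", ".join(offsite_hosts(result)) or "none")
```

Run against a page fetched from a real index, the "off-site hosts" line is the answer to "will this install contact another website?", and an empty list is the condition a policy-restricted environment would want to enforce before installing.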

