[Distutils] The sad and insecure state of commercial private package indexes

Jannis Gebauer ja.geb at me.com
Fri Apr 21 10:27:45 EDT 2017


I did some research on commercial private package indexes, namely Gemfury and packagecloud.

Both of them recommend using `--extra-index-url` to point pip at their own index servers hosting the private packages. This is blatantly insecure.

Using `--extra-index-url` tells pip to use the server as an _extra_ index URL (huge surprise). This basically means that, during pip install, PyPI and the private server share the same namespace. Pip queries both servers for available releases for a given package. On unpinned packages, the server with the latest release seems to win.

This means that, if I’m using one of these private package indexes, an attacker is able to run arbitrary Python code (through setup.py during installation) simply by guessing my private package names and uploading them to PyPI.
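As an added illustration (not part of the original post), the following Python simulation models the single shared namespace described above: candidates from every configured index are merged and the highest version wins, so a public copy of a private name is selected unless the private index is the only one consulted. The two index contents are constructed sample data, and the version tie-breaking is a simplification, not pip's real resolver.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # release as a tuple of ints, e.g. (1, 2, 0)
    index: str      # label of the index that served it


# Constructed sample indexes; no real servers are contacted.
PRIVATE_INDEX = ("private", {"acme-internal": [(1, 2, 0)]})
PUBLIC_INDEX = ("pypi", {
    "requests": [(2, 13, 0)],
    "acme-internal": [(99, 0, 0)],  # squatted copy of the private name
})


def candidates(name, indexes):
    """Collect every release of `name` from every configured index (one namespace)."""
    return [Candidate(name, v, label)
            for label, releases in indexes
            for v in releases.get(name, [])]


def resolve(name, indexes, pin=None):
    """Simplified pip selection: highest version across all indexes, optionally pinned.

    Ties between indexes are not modelled (assumption); pinning to a version does
    not help once the same version exists on the public index, only hash pinning
    (`--require-hashes`) or a single `--index-url` removes the ambiguity.
    """
    cands = [c for c in candidates(name, indexes) if pin is None or c.version == pin]
    if not cands:
        raise LookupError(f"no candidate for {name}")
    return max(cands, key=lambda c: c.version)


def squatted_names(private_names, public_index):
    """Defender check: private package names that also exist on the public index."""
    _, releases = public_index
    return sorted(n for n in private_names if n in releases)


if __name__ == "__main__":
    both = [PRIVATE_INDEX, PUBLIC_INDEX]
    print(resolve("acme-internal", both))             # the pypi 99.0.0 copy wins
    print(resolve("acme-internal", [PRIVATE_INDEX]))  # single --index-url: private copy
    print(squatted_names(["acme-internal", "acme-tools"], PUBLIC_INDEX))
```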

I’ve contacted both Gemfury and packagecloud. Gemfury didn’t respond. Packagecloud basically said “works as intended, wontfix”. They could, of course, fix this very easily by running their own PyPI mirrors.

I couldn’t care less about these companies, but I care about Python packaging in general. I talked to a couple of Python developers regarding this. All of them use pip and PyPI regularly but have no idea about the internals. This was a huge surprise to them.

My problem with this is that PyPI and pip will look bad if this is ever abused.

What are your thoughts on this?

—

Jannis Gebauer
