[Distutils] The sad and insecure state of commercial private package indexes

Wayne Werner waynejwerner at gmail.com
Fri Apr 21 16:25:03 EDT 2017


On Fri, 21 Apr 2017, Jannis Gebauer wrote:

> They could, of course, fix this very easily by running their own PyPi mirrors.

And now they have two problems.


On the one hand, I agree that there is a potential for some abuse and
vulnerabilities... but I think that I'd argue that if you're in a
position where you're worried about that attack vector and you're using
pypi.python.org then *you're doing it wrong!*

On systems where I'm worried about pypi as an attack vector, I've
downloaded the packages, built wheels, and stuck them in an S3 bucket,
and I install with `--no-index --find-links=/path/to/my/wheelhouse`.


I'm not sure if there are any improvements that you could make to the
security of pip/pypi that are much better, but I'm not a security expert
:)

-Wayne
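The wheelhouse approach Wayne describes (download, build wheels, install with `--no-index --find-links`) leaves one gap: nothing records what the wheels looked like when they were vetted, so a wheel swapped out of the bucket later would install just the same. The script below is an added example, not code from the post or from pip; it assumes a directory of already-built wheels as the post describes, records each wheel's SHA-256 in the `name==version --hash=sha256:...` form that pip's `--require-hashes` mode checks, and re-verifies the directory so a modified or missing wheel is reported before `pip install` ever runs. The fake wheels it builds in a temporary directory are constructed stand-ins so it runs offline.

```python
"""Pin a local wheelhouse by hash and detect wheels that changed afterwards.

Added example, not from the mailing-list post. Assumes wheels were already
downloaded and built into one directory (the post's wheelhouse); this adds
the step of recording each wheel's SHA-256 so `pip install --require-hashes`
refuses anything that no longer matches the recorded digest.
"""
import hashlib
import os
import re
import tempfile
import zipfile

# Wheel filename per PEP 427: {dist}-{version}(-{build})?-{py}-{abi}-{plat}.whl
WHEEL_RE = re.compile(
    r"^(?P<dist>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)
# One requirements line in the form pip's hash-checking mode accepts
PIN_RE = re.compile(
    r"^(?P<name>\S+)==(?P<version>\S+) --hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def normalize(name):
    """PEP 503 name normalisation: runs of '-', '_' and '.' become '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large wheels need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def wheels_in(wheelhouse):
    """Yield (normalized name, version, path) for every wheel file in the directory."""
    for fn in sorted(os.listdir(wheelhouse)):
        m = WHEEL_RE.match(fn)
        if m:
            yield normalize(m.group("dist")), m.group("version"), os.path.join(wheelhouse, fn)


def pin_wheelhouse(wheelhouse):
    """Return requirements lines with a --hash for each wheel, ready for -r."""
    return [f"{name}=={ver} --hash=sha256:{sha256_of(path)}"
            for name, ver, path in wheels_in(wheelhouse)]


def verify_wheelhouse(wheelhouse, pins):
    """Recompute every digest; return names whose wheel is missing or no longer matches."""
    found = {(n, v): p for n, v, p in wheels_in(wheelhouse)}
    bad = []
    for line in pins:
        m = PIN_RE.match(line)
        if not m:                      # malformed pin: treat as a failure, never skip it
            bad.append(line)
            continue
        path = found.get((m.group("name"), m.group("version")))
        if path is None or sha256_of(path) != m.group("digest"):
            bad.append(m.group("name"))
    return bad


def install_command(wheelhouse, requirements_file):
    """The offline install from the post, plus hash checking of every wheel."""
    return ["pip", "install", "--no-index", f"--find-links={wheelhouse}",
            "--require-hashes", "-r", requirements_file]


def make_fake_wheel(wheelhouse, dist, version, payload):
    """Constructed stand-in for a real wheel: a zip with a minimal METADATA entry."""
    path = os.path.join(wheelhouse, f"{dist}-{version}-py3-none-any.whl")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"{dist}-{version}.dist-info/METADATA",
                    f"Name: {dist}\nVersion: {version}\n")
        zf.writestr(f"{dist}/__init__.py", payload)
    return path


def demo():
    """Pin two constructed wheels, then show that a replaced wheel is caught."""
    with tempfile.TemporaryDirectory() as wh:
        make_fake_wheel(wh, "my_lib", "1.0.0", "VALUE = 1\n")
        make_fake_wheel(wh, "otherpkg", "2.3", "VALUE = 2\n")
        pins = pin_wheelhouse(wh)
        clean = verify_wheelhouse(wh, pins)          # expected: []
        # Simulate the wheel being replaced in the bucket after it was vetted
        make_fake_wheel(wh, "my_lib", "1.0.0", "VALUE = 1\nEXTRA = 'changed'\n")
        tampered = verify_wheelhouse(wh, pins)       # expected: ['my-lib']
        return {"pins": pins, "clean": clean, "tampered": tampered,
                "cmd": install_command(wh, "requirements.txt")}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["pins"]))
    print("tampered:", result["tampered"])
    print(" ".join(result["cmd"]))
```

Write the lines from `pin_wheelhouse` to a `requirements.txt` at the time the wheels are vetted, and keep that file somewhere the bucket's writers cannot reach; `install_command` then gives pip both the offline source and the digests, so a wheel that changed after vetting fails the install instead of being picked up silently.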

