[Distutils] The sad and insecure state of commercial private package indexes

Wayne Werner waynejwerner at gmail.com
Fri Apr 21 16:25:03 EDT 2017

On Fri, 21 Apr 2017, Jannis Gebauer wrote:

> They could, of course, fix this very easily by running their own PyPi mirrors.

And now they have two problems.

On the one hand, I agree that there is a potential from some abuse and
vulnerabilities... but I think that I'd argue that if you're in a
position where you're worried about that attack vector and you're using
pypi.python.org then *you're doing it wrong!*

On systems where I'm worried about pypi as an attack vector, I've
downloaded the packages, built wheels, and stuck them in an S3 bucket,
and I install with `--no-index --find-links=/path/to/my/wheelhouse`.

I'm not sure if there are any improvements that you could make to the
security of pip/pypi that are much better, but I'm not a security expert


More information about the Distutils-SIG mailing list