[Distutils] providing a way for pip to communicate extra info to users

Paul Moore p.f.moore at gmail.com
Wed Apr 11 17:01:09 EDT 2018

On 11 April 2018 at 20:16, Dwight Hubbard <dhubbard at oath.com> wrote:
> It would be useful as well for sites that run their own mirror
> infrastructure to be able to add motd text to the pip commands as well.
> However I don't think this should be implemented via the response code from
> a call to some rest api.  It would be trivial to proxy the call to a
> different location and send a different message.  Any implementation would
> need some way to sign and verify the message as authentic.

-1 on explicit signing and verification of messages. The
infrastructure needed for that is more than the feature warrants.

HTTPS access to the index server is fundamental to pip - if an
attacker can subvert that, they don't need to mess with a message,
they can just replace packages. So I don't see that displaying a
message that's available from that same index server is an additional
vulnerability, surely? But I'm not a security expert - I'd defer to
someone like Donald to comment on the security aspects of any proposal


More information about the Distutils-SIG mailing list