[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

Stefan Krah stefan at bytereef.org
Thu May 8 14:12:02 CEST 2014


Victor Stinner <victor.stinner at gmail.com> wrote:
> I don't understand your email. Can you please elaborate?

There is nothing wrong with the package.  The remark is a joke provoked by
a long history of a campaign [1] against external packages on distutils-sig.

Many tools (like crate.io, when it was still up) have made derogatory
remarks about external packages.  Now the latest version of the officially
sanctioned download tool (pip) spits out copious warnings, one of which
is the subject of this thread.


External packages are being singled out unfairly:

  1) Anyone can upload any package to PyPI (i.e. the index is not curated
     at all).

  2) Last time I looked, access credentials (via "lost login") were sent
     out in plaintext.

  3) AFAIK people can upload a different (malicious) version of a
     package with *the exact same name*.

  4) pip generally downloads the latest version, so a malicious person
     can provide a good package for several years until people trust
     him, then change to a trojaned version.

  5) Looking at the list of certificates that is in my default cert
     store, I don't find SSL trustworthy at all.

  6) D.J. Bernstein, who is somewhat security minded, has been shipping
     his software *for years* with just plain HTTP and published checksums.


To sum it up:

  1) Don't use pip to install packages directly from PyPI if security
     really matters.

  2) The best security we currently get is either

      a) with package signatures (*if* you can get the author's key via
         a trustworthy channel, which is rarely the case).

      b) with decent checksums that are recorded on public mailing
         lists at the time the package is announced (it would be
         hard for an attacker to modify all mailing list archives).

     Whether a package is internal or external is orthogonal to both points.


With all these points, I find it questionable for an "official" install
tool to make security related remarks about just one category of weaknesses.

After all, people might be led to believe that pip is some sort of apt-get
and all uploaded packages are safe.


Stefan Krah



[1] Note that the joke is quite innocent in comparison to what I've read on
    distutils-sig about the subject.
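The checksum approach in point 2b above, worked through as an added example (not code from the original mail or from pip): the author side emits a sha256sum-style line to paste into the announcement, and the consumer side refuses a downloaded archive unless it matches the published digest. The archive bytes, the file name `cdecimal-VERSION.tar.gz` and the checksum block are all constructed for this illustration; a missing entry or a malformed line is treated as a failure rather than a pass.

```python
"""Verify a downloaded archive against a checksum published out of band.

Added example, not part of the original thread. The archive bytes and
the checksum lines are constructed here so the script runs offline.
"""
import hashlib
import hmac
from typing import Dict

# Constructed sample: stands in for the bytes of a downloaded sdist.
SAMPLE_ARCHIVE = b"constructed tarball contents for demonstration\n"
SAMPLE_NAME = "cdecimal-VERSION.tar.gz"   # placeholder file name


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw archive bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def announcement_line(filename: str, data: bytes) -> str:
    """Author side: the line to paste into the release announcement,
    in sha256sum(1) format '<hexdigest>  <filename>'."""
    return f"{sha256_hex(data)}  {filename}"


# Constructed "announcement" block: one real entry for SAMPLE_ARCHIVE and
# one entry for a different file whose digest is deliberately all zeros.
PUBLISHED_CHECKSUMS = "\n".join([
    "# checksums posted with the release announcement (constructed)",
    announcement_line(SAMPLE_NAME, SAMPLE_ARCHIVE),
    "0" * 64 + "  cdecimal-VERSION.zip",
])


def parse_checksum_lines(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; anything else that is not
    a 64-hex-character digest followed by a name raises ValueError.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest in line: {raw!r}") from None
        # sha256sum prefixes '*' to names hashed in binary mode.
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_archive(filename: str, data: bytes, published: str) -> bool:
    """Consumer side: True only if `data` matches the published digest
    for `filename`. No entry for the file is a failure, not a pass."""
    expected = parse_checksum_lines(published).get(filename)
    if expected is None:
        return False
    # Constant-time compare so a mismatch does not leak which prefix matched.
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    print("intact archive :", verify_archive(SAMPLE_NAME, SAMPLE_ARCHIVE, PUBLISHED_CHECKSUMS))
    print("altered archive:", verify_archive(SAMPLE_NAME, SAMPLE_ARCHIVE + b"x", PUBLISHED_CHECKSUMS))
    print("unlisted file  :", verify_archive("other.tar.gz", SAMPLE_ARCHIVE, PUBLISHED_CHECKSUMS))
```

The digest in the announcement is computed from the constructed bytes so the script is self-consistent; in practice the consumer takes the digest from the archived announcement, not from the download location. The same idea later landed in pip itself as hash-checking mode (`--hash=sha256:...` entries in a requirements file with `--require-hashes`), which is not mentioned in the mail but is the tool-side equivalent of this check.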