What are the security considerations of using --allow-external
or --allow-all-externals
options of pip
?
The documentation sections where these options are described (pip install, pip wheel) are very terse and do not explain the dangers of using them. I couldn't also find any resource on the Internet that would do so either.
They are not safe. It would be easy to upload malicious code to PyPI. Important to note, the reason it's not "guaranteed" to be safe when you run pip install <foo> has nothing to do with package signing. It's becasue there are no gatekeepers on PyPI while there are gatekeepers on the various Linux repositories.
Use Pip --user installs for your default environment Notice the line /home/vagrant/. local/lib/python2. 7/site-packages . This is the path containing packages that have been installed with the Pip --user option. Python packages often install scripts (executables) as well as Python modules.
The pip install <package> command always looks for the latest version of the package and installs it. It also searches for dependencies listed in the package metadata and installs them to ensure that the package has all the requirements that it needs.
I have asked this question on the FreeNode #pip
channel. The following is my interpretation of the replies I've got there. Thanks go to agronholm
and dstufft
from #pip
for answering my question.
Packages can be maintained on PyPI in three different ways:
Directly on PyPI. If a package is hosted on PyPI, no additional switch is required to install it. Connection to PyPI is secured by HTTPS, therefore the downloads are considered as trusted.
On an external site, with PyPI storing a secure checksum of the relevant files. In this case pip
requires the --allow-external
switch to proceed. While the download might potentially come from an unsecured server, downloaded files are checked against the secure checksum stored on PyPI. Because of that, this case is also considered secure.
On an external site, without PyPI storing any checksum. In this case there is no way to ensure that the download is safe. --allow-external
is not enough to enable installation in this case, pip
requires --allow-unverified
.
Therefore, --allow-external
alone is considered a safe switch, and only using --allow-unverified
is a potential security issue. This is also why pip
has an --allow-all-external
option, but no --allow-all-unverified
.
As a side note, --allow-external
was introduced not as a security feature, but due to the potential speed, uptime and convenience issues while dealing with third party websites.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With