[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]
Stefan Krah
stefan at bytereef.org
Thu May 8 16:36:50 CEST 2014
More information about the Python-Dev mailing list
- Previous message: [Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]
- Next message: [Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Donald Stufft <donald at stufft.io> wrote:
> There is support for trusted externally hosted packages, you put the URL in
> PyPI and include a hash in the fragment like so:
>
> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56

That is exactly the mode I was using until today. This mode produced the
subject's warning message.

Today I've switched to manual install mode with manual sha256sum verification
which is *far* safer than anything you get via pip right now.

> [2] For the definition of safe that PyPI/pip operate under, which is that the
> author of a package is assumed to be trusted by the person electing to
> download their package.

No, there are other holes, which you have conceded in your previous mail.

> I don't think the warning is FUD, and it doesn't mention anything security
> related at all. The exact text of the warning is in the subject of the email
> here:
>
> cdecimal an externally hosted file and may be unreliable
>
> Which is true as far as I can tell, it is externally hosted, and it may be
> unreliable[1]. If there is a better wording for that I'm happy to have it and
> will gladly commit it myself to pip.

Do you honestly not see a difference between the cited warning and the
*intended* warning "the server's availability may be unreliable"?

Even the latter is FUD or a truism (it applies to any server).

The real question is: Why is there a warning if the person running pip has
explicitly allowed external packages?

Stefan Krah
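The exchange above turns on what the "#md5=<hex>" fragment in an externally hosted link actually buys you: pip downloads the file and compares its digest with the hex in the fragment. The block below is an added example written for this archive page; it is not pip's code and not code from either participant. It reimplements that fragment check in a few lines, accepts a sha256 fragment alongside md5 (the digest Stefan checks by hand with sha256sum; the list of accepted algorithm names is my assumption, not quoted from pip), and treats a link with no fragment as unverified rather than silently trusting it. The tarball, URL and payload are constructed inline so it runs offline.

```python
"""Verify a downloaded archive against the hash carried in its URL fragment.

Added example, not pip's own code. Links registered on PyPI for externally
hosted files looked like
    http://host/path/pkg-1.0.tar.gz#md5=<hex>
and pip checked the downloaded bytes against <hex>. This does the same and
also accepts a sha256 fragment.
"""
import hashlib
import hmac
import io
import tarfile
from urllib.parse import urlsplit

# Algorithm names accepted in the fragment. Assumption for this example;
# md5 is collision-broken, so prefer sha256 for any link you control.
SUPPORTED = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from '#<algo>=<hex>', or None if absent.

    Raises ValueError for an unsupported algorithm or a malformed digest so
    that a typo in the fragment cannot silently disable the check.
    """
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    algo, sep, hexdigest = fragment.partition("=")
    algo = algo.lower()
    if not sep or algo not in SUPPORTED:
        raise ValueError(f"unsupported hash fragment: {fragment!r}")
    expected_len = hashlib.new(algo).digest_size * 2
    if len(hexdigest) != expected_len or any(
        c not in "0123456789abcdefABCDEF" for c in hexdigest
    ):
        raise ValueError(f"malformed {algo} digest: {hexdigest!r}")
    return algo, hexdigest.lower()


def verify_download(url, data):
    """True if the downloaded bytes match the URL's hash fragment.

    A URL with no fragment returns False: that is the case that deserves a
    warning, because nothing ties the bytes to what the author published.
    """
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return False
    algo, expected = parsed
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; irrelevant for a public digest but a habit
    # worth keeping when the same helper is reused for secrets.
    return hmac.compare_digest(actual, expected)


def make_sdist(name, version, payload):
    """Constructed sample: an in-memory .tar.gz standing in for an sdist."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}-{version}/setup.py")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def fragment_url(base_url, algo, data):
    """Build the '#<algo>=<hex>' link a maintainer would register on PyPI."""
    return f"{base_url}#{algo}={hashlib.new(algo, data).hexdigest()}"


if __name__ == "__main__":
    # Constructed input: the URL is the one quoted in the thread, the tarball
    # and its contents are made up here.
    sdist = make_sdist("cdecimal", "2.3", b"from distutils.core import setup\n")
    base = "http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz"
    good = fragment_url(base, "sha256", sdist)
    tampered = sdist[:-1] + bytes([sdist[-1] ^ 0x01])
    print(good)
    print("intact:", verify_download(good, sdist))
    print("tampered:", verify_download(good, tampered))
    print("no fragment:", verify_download(base, sdist))
```

The check only proves that the bytes you received are the bytes the author registered; it says nothing about whether the author's server was reachable, which is the "unreliable" the warning text is arguing about.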