PyPI and pip are both under the "umbrella" of PyPA, but they're separate projects with (largely) separate maintainers. The audit was only scoped to the former, not the latter.
(FWIW, I don't think the security posture of pip is obvious to everyone[1], and I do think it would benefit from a separate audit!)
Does it matter if the code-execution happens at `pip install` or `python myapp.py`? Using 3rd party libraries inevitably means you're allowing code-execution to 3rd parties, that's the point after all.
Replace "manually read through every file" with "run your security code scanner against every file" and it becomes less nonsense, but just as applicable.
In reality this really isn't how code scans are done, so it's still a little silly, but I could theoretically see something like this being a desire.
25 comments
[ 3.2 ms ] story [ 66.8 ms ] threadThey seem to not have analysed client-side of PIP itself, but I suppose there isn't anything you could say that isn't already obvious to everyone.
(FWIW, I don't think the security posture of pip is obvious to everyone[1], and I do think it would benefit from a separate audit!)
[1]: https://yossarian.net/res/pub/hushcon-west-2022.pdf
`pip download --no-deps` allowing arbitrary code-execution is non-obvious, and IMO broken.
But every package manager seems to grant RCE to every installed package. I agree it's broken.
pip download?
This security model is utter nonsense because no one does this.
In reality this really isn't how code scans are done, so it's still a little silly, but I could theoretically see something like this being a desire.
granted it wasn't the most thorough of reviews, as is the nature with huge PRs
Evil Joe: Can you install this package in the system's python install? All users in the lab need it.
Naive Joe: Hm... Seems harmless enough enough. Let me just install locally and check if there aren't any setuid binaries in there
naivjoe:~ $ pip install --local getpwned
... checks all installed binaries look good ...
Naive Joe: Funny package name
naivjoe:~ $ sudo pip install getpwned
Naive Joe: Done!
Evil Joe: Thanks! evil laugh
Naive Joe: uh what's so funny?
Evil Joe: Nothing.
Careless, amateurish? Maybe. Obvious? Maybe not.
I'd guess high five figures or maybe low six figures?