What are the security considerations of using --allow-external
or --allow-all-externals
options of pip
?
The documentation sections where these options are described (pip install, pip wheel) are very terse and do not explain the dangers of using them. I couldn't also find any resource on the Internet that would do so either.
I have asked this question on the FreeNode
#pip
channel. The following is my interpretation of the replies I've got there. Thanks go toagronholm
anddstufft
from#pip
for answering my question.Packages can be maintained on PyPI in three different ways:
Directly on PyPI. If a package is hosted on PyPI, no additional switch is required to install it. Connection to PyPI is secured by HTTPS, therefore the downloads are considered as trusted.
On an external site, with PyPI storing a secure checksum of the relevant files. In this case
pip
requires the--allow-external
switch to proceed. While the download might potentially come from an unsecured server, downloaded files are checked against the secure checksum stored on PyPI. Because of that, this case is also considered secure.On an external site, without PyPI storing any checksum. In this case there is no way to ensure that the download is safe.
--allow-external
is not enough to enable installation in this case,pip
requires--allow-unverified
.Therefore,
--allow-external
alone is considered a safe switch, and only using--allow-unverified
is a potential security issue. This is also whypip
has an--allow-all-external
option, but no--allow-all-unverified
.As a side note,
--allow-external
was introduced not as a security feature, but due to the potential speed, uptime and convenience issues while dealing with third party websites.