From 69577a6e0803a01b20d7912a482344cb23339910 Mon Sep 17 00:00:00 2001 From: Klaas van Schelven Date: Tue, 23 Feb 2021 11:17:54 +0100 Subject: [PATCH 1/4] Documentation: add a warning about "dependency confusion" vulnerability See #9612 --- docs/html/reference/pip_install.rst | 28 ++++++++++++++++++---------- docs/html/user_guide.rst | 2 +- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/docs/html/reference/pip_install.rst b/docs/html/reference/pip_install.rst index 742c4ddb3c6..32dbbc78426 100644 --- a/docs/html/reference/pip_install.rst +++ b/docs/html/reference/pip_install.rst 
@@ -1123,37 +1123,45 @@ Examples py -m pip install --index-url http://my.package.repo/simple/ SomePackage - Search an additional index during install, in addition to `PyPI`_ + Install from a local flat directory containing archives (and don't scan indexes): .. tab:: Unix/macOS .. code-block:: shell - python -m pip install --extra-index-url http://my.package.repo/simple SomePackage + python -m pip install --no-index --find-links=file:///local/dir/ SomePackage + python -m pip install --no-index --find-links=/local/dir/ SomePackage + python -m pip install --no-index --find-links=relative/dir/ SomePackage .. tab:: Windows .. code-block:: shell - py -m pip install --extra-index-url http://my.package.repo/simple SomePackage + py -m pip install --no-index --find-links=file:///local/dir/ SomePackage + py -m pip install --no-index --find-links=/local/dir/ SomePackage + py -m pip install --no-index --find-links=relative/dir/ SomePackage - Install from a local flat directory containing archives (and don't scan indexes): + Search an additional index during install, in addition to `PyPI`_ + + .. warning:: + + Using this option to search for packages which are not in the main + repository (such as private packages) is unsafe, per a security + vulnerability called "dependency confusion": an attacker can claim the + package on the public repository in a way that will ensure it gets + chosen over the private package. .. tab:: Unix/macOS .. code-block:: shell - python -m pip install --no-index --find-links=file:///local/dir/ SomePackage - python -m pip install --no-index --find-links=/local/dir/ SomePackage - python -m pip install --no-index --find-links=relative/dir/ SomePackage + python -m pip install --extra-index-url http://my.package.repo/simple SomePackage .. tab:: Windows .. 
code-block:: shell - py -m pip install --no-index --find-links=file:///local/dir/ SomePackage - py -m pip install --no-index --find-links=/local/dir/ SomePackage - py -m pip install --no-index --find-links=relative/dir/ SomePackage + py -m pip install --extra-index-url http://my.package.repo/simple SomePackage #. Find pre-release and development versions, in addition to stable versions. By default, pip only finds stable versions. diff --git a/docs/html/user_guide.rst b/docs/html/user_guide.rst index 92887885baf..527c14fd424 100644 --- a/docs/html/user_guide.rst +++ b/docs/html/user_guide.rst @@ -125,7 +125,7 @@ does not come with it included. pip install keyring echo your-password | keyring set pypi.company.com your-username - pip install your-package --extra-index-url https://pypi.company.com/ + pip install your-package --index-url https://pypi.company.com/ .. _keyring: https://pypi.org/project/keyring/ From c1d3b2786dd55f038c84d11adf344928f4b58109 Mon Sep 17 00:00:00 2001 From: Klaas van Schelven Date: Tue, 23 Feb 2021 11:58:37 +0100 Subject: [PATCH 2/4] Add news entry --- news/9647.doc.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 news/9647.doc.rst diff --git a/news/9647.doc.rst b/news/9647.doc.rst new file mode 100644 index 00000000000..c087da23991 --- /dev/null +++ b/news/9647.doc.rst @@ -0,0 +1 @@ +Add warning about --extra-index-url and dependency confusion From 0501ad7e4a64cd29d00382d1635aa3e9d69011a3 Mon Sep 17 00:00:00 2001 From: Klaas van Schelven Date: Wed, 24 Feb 2021 14:38:52 +0100 Subject: [PATCH 3/4] Add link to paper about dependency confusion --- docs/html/reference/pip_install.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/html/reference/pip_install.rst b/docs/html/reference/pip_install.rst index 32dbbc78426..23137b1a7d0 100644 --- a/docs/html/reference/pip_install.rst +++ b/docs/html/reference/pip_install.rst 
@@ -1147,9 +1147,10 @@ Examples Using this option to search for packages which are not in the main repository (such as private packages) is unsafe, per a security - vulnerability called "dependency confusion": an attacker can claim the - package on the public repository in a way that will ensure it gets - chosen over the private package. + vulnerability called + `dependency confusion `_: + an attacker can claim the package on the public repository in a way that + will ensure it gets chosen over the private package. .. tab:: Unix/macOS From 1a8ca4ca4e886379a5bc50954beb7e0dca284ea9 Mon Sep 17 00:00:00 2001 From: Klaas van Schelven Date: Thu, 25 Feb 2021 16:30:54 +0100 Subject: [PATCH 4/4] Documentation formatting Co-authored-by: Tzu-ping Chung --- news/9647.doc.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/9647.doc.rst b/news/9647.doc.rst index c087da23991..70917817611 100644 --- a/news/9647.doc.rst +++ b/news/9647.doc.rst @@ -1 +1 @@ -Add warning about --extra-index-url and dependency confusion +Add warning about ``--extra-index-url`` and dependency confusion
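Review bot: As the hunk in PATCH 3/4 reads here, the reference ``dependency confusion `_`` has no link target between the text and the closing backtick; reStructuredText expects the form `` `dependency confusion <URL>`_ `` and will otherwise fail the docs build with an "Unknown target name" error. Confirm the `<...>` part is present in the committed file (the commit message says a link to the paper is being added), since the visible lines do not show it.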
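Review bot: The new `.. warning::` under "Search an additional index during install" in the `pip_install.rst` hunk of PATCH 1/4 names the risk but not the safer alternative, even though the example immediately above it already shows `--index-url http://my.package.repo/simple/`. Add a closing sentence such as "To install private packages, prefer ``--index-url`` pointing at an index you control, as in the previous example." so a reader who hits the warning knows what to do instead. The same hunk also swaps the order of the `--find-links` and `--extra-index-url` examples; if the intent is to place the `--extra-index-url` example directly after `--index-url` so the warning reads against the safer option, say so in the commit message, otherwise the reorder adds review noise that the warning itself does not need.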
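Review bot: Replacing `--extra-index-url https://pypi.company.com/` with `--index-url https://pypi.company.com/` in the `user_guide.rst` keyring example (PATCH 1/4) changes behaviour, not only safety: with `--index-url` the company index replaces PyPI entirely, so the public dependencies of `your-package` will only resolve if that index also serves or proxies them. A short sentence beside the example saying that the private index must provide every package needed, or a cross-reference to the new warning in `pip_install.rst`, would keep the user guide consistent with the reference documentation.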