Addressing dependency version confusion exploit chain

With respect to the current discussions, I’d like to ask (and probably should have stated in the original post) this.

Given we know that many orgs out there do not follow the best practices as laid out in this thread even if we announce it clearly and repeatedly:

What are some practical ways we can enhance their security?

I know that we are mostly volunteers, so we’re probably interested in things that have the highest impact for the least effort.

Things that I have seen pop up in this thread:

  1. Undocumented non-deterministic behaviour, e.g. the installation order determined by the resolution time of their respective locations

  2. Announce within pip CLI when someone is trying to do something insecure with clear signposting to documentation

  3. Make the pip freeze and installation from the freeze file more ergonomic, e.g. as simple as making a new command that dumps the versions straight to a file called “safeversions.txt” or something equally obvious.

I don’t think that we can detect or prevent “package shadowing” (pip install pdbpp shadows stdlib pdb, for example), or “package overriding” by configuring a different index-url (or MITM), or overriding by version number in an additional index without (1) signed per-package release keyrings; and (2) signed per-package-manifest-file hashes.

Why is that? Is it because setup.py can do arbitrary things to the Python install that we can’t easily detect beforehand?
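
An added example, not part of the original posts and not pip's own code: a small audit of a requirements/freeze file for the weak spots raised in this thread (an extra index, unpinned versions, missing hashes). The sample file, host name and the `example-*` package names are constructed, and the parsing is a simplified reading of pip's requirements format.

```python
import re

# A line counts as pinned only if it is "name==exact.version" (no wildcard, no range).
PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*===?\s*[^\s;,*]+(?=\s|;|$)")

# Constructed sample input (host, hash value and example-* names are placeholders).
SAMPLE = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0 \\
    --hash=sha256:CONSTRUCTED_PLACEHOLDER
example-internal-lib>=1.0
example-tool==1.2.3
"""

def logical_lines(text):
    """Yield (line_number, line) with comments stripped and backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None

def audit(text):
    """Return [(line_number, finding)] for a requirements/freeze file."""
    findings = []
    for n, line in logical_lines(text):
        opt = line.split()[0].split("=")[0]
        if opt == "--extra-index-url":
            findings.append((n, "extra index: the same name on another index can win by version"))
        elif opt == "--trusted-host":
            findings.append((n, "host is trusted without valid HTTPS"))
        if line.startswith("-"):
            continue  # other options (-r, -c, --require-hashes, ...) are not checked here
        if not PINNED.match(line):
            findings.append((n, "not pinned to an exact version with =="))
        if "--hash=" not in line:
            findings.append((n, "no --hash, so the downloaded artifact is not verified"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: {finding}")
```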