New submission from Jared Ondricek <flamableconcr...@gmail.com>:
I recently accidentally typed "pip install pip install <package-i-really-wanted>" and it installed a package called "install" that has 1 star on GitHub. It is also in use by 2.3k repositories according to the GitHub dependency graph view. I don't think it's malicious, but it does seem a bit sketchy. I just know this sort of thing has been in the news lately, and maybe this is that sort of thing that ought to be looked at by someone smarter than me about security stuff. The way Perl deals with this specific issue is by using a specific dummy module so no one can do this by accident. Is this worth the time to discuss? Or am I just being paranoid about a third-party library called install?

PyPI entry: https://pypi.org/project/install/
GitHub page: https://github.com/eugenekolo/pip-install
GitHub projects that depend on it: https://github.com/eugenekolo/pip-install/network/dependents?package_id=UGFja2FnZS0xMjU0NTI3MDI5
Perl dummy install module: https://metacpan.org/pod/install

----------
messages: 390647
nosy: flamableconcrete
priority: normal
severity: normal
status: open
title: "install" package on PyPI
type: security

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43796>
_______________________________________
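A pre-flight check for the typo described in the report above, added here as an example; it is not part of the report, of pip, or of the `install` package. It parses the argument list that would follow `pip install`, skips options and the values they consume, and flags any remaining requirement whose project name is a pip sub-command (such as `install`), which is almost always a repeated-command typo rather than a package someone meant to install. `PIP_SUBCOMMANDS` and `OPTIONS_WITH_VALUE` are hand-picked lists for this illustration, not pip's own tables, so an unlisted value-taking option would be treated as a flag without a value.

```python
"""Hypothetical guard for 'pip install pip install <pkg>' typos.

Not part of pip: run it over the tokens you would hand to 'pip install'
before you actually run pip. The sub-command and option tables below are
assumptions (hand-picked subsets), not pip's authoritative definitions.
"""
import re
import sys
from typing import List, Tuple

# pip sub-command names that could silently become a package name when a
# command is typed twice. Note that 'pip' itself is NOT listed: 'pip install pip'
# is a legitimate self-upgrade and must not be flagged.
PIP_SUBCOMMANDS = frozenset({
    "install", "download", "uninstall", "freeze", "list", "show", "check",
    "config", "search", "wheel", "hash", "debug", "cache", "index",
})

# Options that consume the next token as their value (assumed subset), so that
# '-r install' is read as a requirements file name, not a requirement.
OPTIONS_WITH_VALUE = frozenset({
    "-r", "--requirement", "-c", "--constraint", "-e", "--editable",
    "-i", "--index-url", "--extra-index-url", "-f", "--find-links",
    "-t", "--target", "--prefix", "--root", "--src", "--platform",
    "--python-version", "--implementation", "--abi", "--proxy", "--retries",
    "--timeout", "--trusted-host", "--cert", "--client-cert", "--cache-dir",
    "--log", "--progress-bar",
})

# A requirement specifier starts with the project name; extras, version
# specifiers and markers follow and are stripped here.
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_names(argv: List[str]) -> List[str]:
    """Return the project names pip would treat as requirements in
    'pip install <argv...>', ignoring options and the values they consume.
    URLs, paths and archives are returned verbatim since they are not names."""
    names: List[str] = []
    it = iter(argv)
    for tok in it:
        if tok.startswith("-"):
            if tok in OPTIONS_WITH_VALUE:
                next(it, None)          # swallow the option's value
            continue                    # '--opt=value' and bare flags: skip
        if "://" in tok or "/" in tok or tok.endswith((".whl", ".tar.gz", ".zip")):
            names.append(tok)           # direct reference, not a bare name
            continue
        m = NAME_RE.match(tok)
        if m:
            names.append(m.group(1).lower())   # PyPI names are case-insensitive
    return names


def suspicious_requirements(argv: List[str]) -> List[str]:
    """Requirement names that are really pip sub-commands (probable typos)."""
    return [n for n in requirement_names(argv) if n in PIP_SUBCOMMANDS]


def check_pip_install(argv: List[str]) -> Tuple[bool, str]:
    """Return (ok, message). ok is False when the command would install a
    package whose name is a pip sub-command, e.g. 'pip install pip install x'."""
    bad = suspicious_requirements(argv)
    if bad:
        return False, ("refusing: %s would be installed as package(s); "
                       "did you type the command twice?" % ", ".join(bad))
    return True, "ok: would install %s" % ", ".join(requirement_names(argv))


if __name__ == "__main__":
    # Constructed argument lists for illustration; real use would pass sys.argv[1:].
    for sample in (["pip", "install", "requests"],
                   ["-r", "install", "requests"],
                   ["--upgrade", "pip"]):
        ok, msg = check_pip_install(sys.argv[1:] or sample)
        print(" ".join(sample), "->", msg)
        if sys.argv[1:]:
            sys.exit(0 if ok else 1)
```

The check deliberately flags only sub-command names, not `pip` itself, because `pip install pip` is a normal upgrade; the typo in the report is caught by the stray `install` token, and `-r install` is correctly left alone because `-r` consumes it as a file name.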