
Another question (Is it possible to block non-PyPI requests during pip install?) asked about locking down non-PyPI pip installs for security reasons. This doesn't deal with the problem of malicious packages within PyPI itself. So, I would like to know how to lock down PyPI without interrupting users "too much". I know that I can set up a local devpi cache/mirror of PyPI and restrict packages in that local mirror, but is there a way that I can have users transparently use the mirror without having them all set PIP_INDEX_URL in their local environment?

Compholio
  • This commonly makes sense in a corporate environment. You normally can control at the firewall level which sites are accessible independently of the user machine configuration. To have users transparently use a local mirror, you will have to use a *corporate configuration*. That means that the config is installed at the time the dev. environment is. Alternatively, on Windows you can use group policies to push environment elements to client machines of an AD network. – Serge Ballesta Mar 22 '22 at 17:00
  • That would only block very simple attacks, because if the attacker is aware that such requests are blocked it would be possible to bypass by e.g. cloning a git repo (or use any other form of distribution) and then install it locally by pip. – Robert Mar 22 '22 at 21:52
  • @Robert The fear that I think Compholio is trying to address is: what if a package *on PyPI* is malicious, or a malicious actor gets control of a PyPI package? The fear is a well-intentioned user or developer installing malicious code by accident. The reason the local mirror is helpful is that this intercepts the chain of events that leads to corporate machines having malicious code installed on them. It does this either by forbidding a package that is deemed unsafe, or by giving maintainers of the local mirror a chance to review new changes to a package before approving them. – zmccord Mar 23 '22 at 00:52
  • @zmccord Yes, our corporate IT folks have requested assistance in vetting PyPI packages ( [Is there a service that checks PYPI packages?](https://security.stackexchange.com/questions/219514/is-there-a-service-that-checks-pypi-packages) ) and blocking packages and package versions with known issues. The goal here would be to do that in the least disruptive way possible. We _can_ do that by just outright blocking PyPI at the firewall, but that seems like a good way to have angry users. – Compholio Mar 23 '22 at 16:42

0 Answers
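
The machine-wide configuration route raised in the comments only helps if nothing on the workstation overrides it, so the following added example (not code from the question or its comments) audits pip configuration text and environment variables for index settings that point away from the mirror. The hostname `devpi.corp.example`, the sample configs and the function names are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Assumed hostname of the internal devpi mirror (placeholder, not from the page).
APPROVED_HOST = "devpi.corp.example"

# Constructed sample of a machine-wide pip config as IT would deploy it
# (pip reads /etc/pip.conf on Linux and C:\ProgramData\pip\pip.ini on Windows).
GLOBAL_CONF = """
[global]
index-url = https://devpi.corp.example/root/pypi/+simple/
"""

# Constructed sample of a per-user config that adds a second index.
USER_CONF = """
[install]
extra-index-url = https://pypi.org/simple
"""

INDEX_KEYS = ("index-url", "extra-index-url")


def index_settings(conf_text, source):
    """Yield (source, key, url) for every index option in one pip config."""
    parser = configparser.RawConfigParser()  # Raw: no % interpolation in URLs
    parser.read_string(conf_text)
    for section in parser.sections():
        for key in INDEX_KEYS:
            if parser.has_option(section, key):
                # pip accepts several whitespace-separated URLs per option
                for url in parser.get(section, key).split():
                    yield source, key, url


def audit(configs, environ):
    """Return the index settings that resolve anywhere but the approved mirror."""
    found = [s for text, src in configs for s in index_settings(text, src)]
    # PIP_<OPTION> environment variables take precedence over config files
    for var, key in (("PIP_INDEX_URL", "index-url"),
                     ("PIP_EXTRA_INDEX_URL", "extra-index-url")):
        found += [(f"env:{var}", key, url) for url in environ.get(var, "").split()]
    return [f for f in found if urlsplit(f[2]).hostname != APPROVED_HOST]


if __name__ == "__main__":
    for source, key, url in audit([(GLOBAL_CONF, "global"), (USER_CONF, "user")], {}):
        print(f"{source}: {key} -> {url} bypasses the mirror")
```

A clean audit does not cover a `--index-url` passed on the command line or a package installed from a local checkout, so the firewall rule from the first comment is still needed alongside it.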