This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python Developer Guide.

classification
Title: "install" package on PyPI
Type: security
Stage: resolved
Components:
Versions:
process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, flamableconcrete, terry.reedy, xtreak
Priority: normal
Keywords:

Created on 2021-04-09 16:50 by flamableconcrete, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (4)
msg390647 - (view) Author: Jared Ondricek (flamableconcrete) Date: 2021-04-09 16:50
I recently accidentally typed "pip install pip install <package-i-really wanted>" and it installed a package called "install" that has 1 star on GitHub. It is also in use by 2.3k repositories according to the GitHub dependency graph view. I don't think it's malicious, but it does seem a bit sketchy. I just know this sort of thing has been in the news lately, and maybe this is that sort of thing that ought to be looked at by someone smarter than me about security stuff.

The way Perl deals with this specific issue is by using a specific dummy module so no one can do this by accident.

Is this worth the time to discuss? Or am I just being paranoid about a third party library called install?

PyPI entry: https://pypi.org/project/install/
GitHub page: https://github.com/eugenekolo/pip-install
GitHub projects that depend on it: https://github.com/eugenekolo/pip-install/network/dependents?package_id=UGFja2FnZS0xMjU0NTI3MDI5
Perl dummy install module: https://metacpan.org/pod/install
msg390652 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-09 17:27
BPO is just for CPython bugs. Packaging and PyPI are handled by different teams and trackers. Please use https://github.com/pypa/pypi-support
msg390654 - (view) Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2021-04-09 17:51
This seems to have been discussed: https://github.com/pypa/pypi-support/issues/451
msg390688 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2021-04-10 03:06
And maybe discuss with pip people why 'pip install pip install zyx' is not caught as an error.
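The check Terry asks about in msg390688 (why "pip install pip install zyx" is not caught), written as an added wrapper example; it is not pip's own code, the subcommand and option lists are assumptions, and it only decides whether the command line looks mistyped, it does not invoke pip.

```python
"""Guard for the 'pip install pip install <pkg>' mistake from this thread.

Constructed example: pip treats every positional token after 'install' as a
requirement, so 'pip install pip install zyx' installs "pip", "install" and
"zyx". This wrapper flags requirement tokens that are really pip subcommands.
"""
import sys

# Assumed list of pip subcommands a user might repeat as a "package" name.
PIP_SUBCOMMANDS = {"install", "uninstall", "download", "freeze", "list",
                   "show", "check", "config", "search", "wheel", "hash"}
# Assumed install options that consume the next token (it is not a requirement).
OPTIONS_WITH_VALUE = {"-r", "--requirement", "-c", "--constraint", "-e",
                      "--editable", "-i", "--index-url", "-t", "--target"}


def requirement_tokens(args):
    """Positional requirement tokens of 'pip install <args>', options removed."""
    reqs, it = [], iter(args)
    for tok in it:
        if tok in OPTIONS_WITH_VALUE:
            next(it, None)          # skip the option's value (e.g. a file name)
        elif tok.startswith("-"):
            continue                # bare flag or --option=value form
        else:
            reqs.append(tok)
    return reqs


def find_subcommand_requirements(args):
    """Requirement names that are pip subcommands, e.g. ['pip','install','zyx'] -> ['install']."""
    return [r for r in requirement_tokens(args) if r.lower() in PIP_SUBCOMMANDS]


def suggested_requirements(args):
    """Drop subcommand-named tokens and the 'pip' that precedes a stray 'install'."""
    out = []
    for tok in requirement_tokens(args):
        if tok.lower() in PIP_SUBCOMMANDS:
            if tok.lower() == "install" and out and out[-1].lower() == "pip":
                out.pop()           # 'pip install' was typed twice; drop the repeat
            continue
        out.append(tok)
    return out


def check_install_argv(argv):
    """argv as typed after 'pip' (e.g. ['install','pip','install','zyx']) -> (ok, message)."""
    if not argv or argv[0] != "install":
        return True, "not an install command; nothing to check"
    bad = find_subcommand_requirements(argv[1:])
    if not bad:
        return True, "ok"
    fix = " ".join(["pip", "install", *suggested_requirements(argv[1:])])
    return False, (f"refusing: {bad} look like pip subcommands typed as package names "
                   f"(pip would fetch them from PyPI); did you mean: {fix}")


if __name__ == "__main__":
    ok, msg = check_install_argv(sys.argv[1:])
    print(msg)
    sys.exit(0 if ok else 2)
```

Note that a plain "pip install pip" (upgrading pip itself) passes, because only tokens equal to a subcommand name are flagged.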
History
Date                 User              Action  Args
2022-04-11 14:59:44  admin             set     github: 87962
2021-04-10 03:06:46  terry.reedy       set     status: open -> closed; nosy: + terry.reedy; messages: + msg390688; resolution: not a bug; stage: resolved
2021-04-09 17:51:33  xtreak            set     nosy: + xtreak; messages: + msg390654
2021-04-09 17:27:17  christian.heimes  set     nosy: + christian.heimes; messages: + msg390652
2021-04-09 16:50:34  flamableconcrete  create