
Author flamableconcrete
Recipients flamableconcrete
Date 2021-04-09 16:50:34

I recently accidentally typed "pip install pip install <package-i-really-wanted>" and it installed a package called "install" that has 1 star on GitHub. It is also in use by 2.3k repositories according to the GitHub dependency graph view. I don't think it's malicious, but it does seem a bit sketchy. I just know this sort of thing has been in the news lately, and maybe this is the sort of thing that ought to be looked at by someone smarter than me about security stuff.

The way Perl deals with this specific issue is by using a specific dummy module so no one can do this by accident.

Is this worth the time to discuss? Or am I just being paranoid about a third party library called install?

PyPI entry: https://pypi.org/project/install/
GitHub page: https://github.com/eugenekolo/pip-install
GitHub projects that depend on it: https://github.com/eugenekolo/pip-install/network/dependents?package_id=UGFja2FnZS0xMjU0NTI3MDI5
Perl dummy install module: https://metacpan.org/pod/install
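The failure mode described in this report (a doubled "pip install" that turns the command words themselves into package names) can be caught before anything is installed. The following pre-flight check is an added example for this tracker entry; it is not part of pip, of the `install` package on PyPI, or of the Perl dummy module, and the option list and the set of flagged names are assumptions chosen for illustration. It walks the requirement arguments after the `install` subcommand and flags the bare name `install`, and `pip` only when it is immediately followed by `install` (so a deliberate `pip install pip` upgrade is not flagged).

```python
"""Pre-flight check for accidentally doubled `pip install` command lines.

Added example, not pip's own code. It reads an argv list such as
["pip", "install", "pip", "install", "requests"] and reports the
package names that are really repeated command words.
"""
from typing import List, Tuple

# Options of `pip install` that consume the following argument as a value.
# Assumed subset for this example; it is not pip's complete option table.
VALUE_OPTIONS = {
    "-r", "--requirement",
    "-c", "--constraint",
    "-e", "--editable",
    "-i", "--index-url",
    "-t", "--target",
}


def requested_packages(argv: List[str]) -> List[str]:
    """Return the positional requirement arguments after the `install` subcommand.

    Flags are skipped; a flag listed in VALUE_OPTIONS also swallows the
    argument that follows it, so `-r requirements.txt` yields no package.
    Returns [] when argv has no `install` subcommand.
    """
    if "install" not in argv:
        return []
    args = argv[argv.index("install") + 1:]
    packages: List[str] = []
    skip_next = False
    for token in args:
        if skip_next:
            skip_next = False
            continue
        if token.startswith("-"):
            skip_next = token in VALUE_OPTIONS
            continue
        packages.append(token)
    return packages


def accidental_duplicates(argv: List[str]) -> List[str]:
    """Return the requirement names that look like repeated command words.

    `install` is never a name anyone means to install; `pip` is flagged only
    when `install` immediately follows it, which is the doubled-command shape.
    """
    packages = requested_packages(argv)
    flagged: List[str] = []
    for index, name in enumerate(packages):
        if name == "install":
            flagged.append(name)
        elif name == "pip" and index + 1 < len(packages) and packages[index + 1] == "install":
            flagged.append(name)
    return flagged


def check_invocation(argv: List[str]) -> Tuple[bool, str]:
    """Return (ok, message) for an argv list; ok is False when the line looks doubled."""
    flagged = accidental_duplicates(argv)
    if not flagged:
        return True, "ok"
    return False, (
        "refusing: the command line names %s as packages, which usually means "
        "'pip install' was typed twice" % ", ".join(repr(n) for n in flagged)
    )


if __name__ == "__main__":
    # Constructed sample invocations for a stand-alone run.
    for sample in (
        ["pip", "install", "pip", "install", "requests"],
        ["pip", "install", "-r", "requirements.txt", "flask"],
        ["pip", "install", "pip"],
    ):
        ok, message = check_invocation(sample)
        print(" ".join(sample), "->", message)
```

A wrapper shell function can run this check over its arguments and only hand the line to the real `pip` when `check_invocation` returns `ok`; the check itself never touches the network or the package index, so a false positive costs only a retype.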