Describe dependency confusion mitigations in "Secure installs" docs #11722
Labels
good first issue
A good item for first time contributors to work on
type: docs
Documentation related
Comments
di
added
type: feature request
uranusjr
added
type: docs
|
Can I try to work on this issue? |
|
Sure, please feel welcome to! |
|
Thanks! Maybe I will need some help :) |
|
Please feel free to ask questions here! |
|
Do I need to create a news entry after made the pull request? |
|
No, you can create it manually prior to filing a PR. |
|
Ok, and the PR will go after the news or with the news? |
|
With the news |
fabiobarkoski
added a commit
to fabiobarkoski/pip
that referenced
this issue
Feb 20, 2023
added to secure-installs topic how to avoid dependency confusion, where is better use --index-url or --find-links with --no-index instead --extra-index-url. resolve: pypa#11722
|
alright, thanks for the help :) |
fabiobarkoski
added a commit
to fabiobarkoski/pip
that referenced
this issue
Oct 6, 2023
added to secure-installs topic how to avoid dependency confusion, where is better use --index-url or --find-links with --no-index instead --extra-index-url. resolve: pypa#11722
fabiobarkoski
added a commit
to fabiobarkoski/pip
that referenced
this issue
Oct 11, 2023
added to secure-installs topic how to avoid dependency confusion, where is better use --index-url or --find-links with --no-index instead --extra-index-url. resolve: pypa#11722 Co-authored-by: chrysle <fritzihab@posteo.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What's the problem this feature will solve?
The docs at https://pip.pypa.io/en/stable/topics/secure-installs/ do not describe how to avoid dependency confusion attacks that can arise when using
--extra-index-url(as described in #8606).Describe the solution you'd like
The docs at https://pip.pypa.io/en/stable/topics/secure-installs/ should describe how to avoid dependency confusion attacks (e.g., don't use
--extra-index-url, use--index-urlinstead, or--find-linkscombined with--no-index)Alternative Solutions
One alternative is to resolve #8606 or deprecate/remove
--extra-index-urlinstead. Without stating an opinion on whether either of those should happen, I think we should document this in the short term regardless.Additional context
#11694 is related, but is about adding this to the
--extra-index-urldocs instead. IMO, we should do both (likely link to one from the other).Happy to work on this if it's agreed this is worthwhile!
Code of Conduct
The text was updated successfully, but these errors were encountered: