问题描述

使用pip的--allow-external或--allow-all-externals选项的安全注意事项是什么?

What are the security considerations of using --allow-external or --allow-all-externals options of pip?

描述这些选项的文档部分( pip安装， pip wheel )非常简洁，不解释使用它们的危险.我也找不到在互联网上可以找到的任何资源.

The documentation sections where these options are described (pip install, pip wheel) are very terse and do not explain the dangers of using them. I couldn't also find any resource on the Internet that would do so either.

推荐答案

我已经在FreeNode #pip频道上问了这个问题.以下是我对收到的答复的解释.感谢#pip中的agronholm和dstufft回答了我的问题.

I have asked this question on the FreeNode #pip channel. The following is my interpretation of the replies I've got there. Thanks go to agronholm and dstufft from #pip for answering my question.

可以通过三种不同的方式在PyPI上维护软件包:

Packages can be maintained on PyPI in three different ways:

1. 直接在PyPI上.如果软件包托管在PyPI上，则无需其他开关即可安装它.通过HTTPS保护与PyPI的连接，因此下载被认为是受信任的.

1. Directly on PyPI. If a package is hosted on PyPI, no additional switch is required to install it. Connection to PyPI is secured by HTTPS, therefore the downloads are considered as trusted.

在外部站点上，PyPI存储相关文件的安全校验和.在这种情况下，pip需要--allow-external开关才能继续.虽然下载可能来自不安全的服务器，但是将根据存储在PyPI上的安全校验和检查下载的文件.因此，这种情况也被认为是安全的.

On an external site, with PyPI storing a secure checksum of the relevant files. In this case pip requires the --allow-external switch to proceed. While the download might potentially come from an unsecured server, downloaded files are checked against the secure checksum stored on PyPI. Because of that, this case is also considered secure.

在外部站点上，PyPI不会存储任何校验和.在这种情况下，无法确保下载是安全的.在这种情况下，--allow-external不足以启用安装，pip需要--allow-unverified.

On an external site, without PyPI storing any checksum. In this case there is no way to ensure that the download is safe. --allow-external is not enough to enable installation in this case, pip requires --allow-unverified.

因此，仅--allow-external被认为是安全的开关，仅使用--allow-unverified是潜在的安全问题.这也是pip具有--allow-all-external选项但没有--allow-all-unverified的原因.

Therefore, --allow-external alone is considered a safe switch, and only using --allow-unverified is a potential security issue. This is also why pip has an --allow-all-external option, but no --allow-all-unverified.

作为附带说明，--allow-external并不是作为安全功能引入的，而是由于在与第三方网站打交道时可能存在的速度，正常运行时间和便利性问题.

As a side note, --allow-external was introduced not as a security feature, but due to the potential speed, uptime and convenience issues while dealing with third party websites.

这篇关于pip --allow-external的安全性考虑的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！