pip
Describe how to avoid dependency confusion in "secure installs" topic
Added to the secure-installs topic how to avoid dependency confusion, where it is better to use --index-url, or --find-links with --no-index, instead of --extra-index-url.
resolve: #11722
Any reason this can't be merged?
FYI the link in the PR just seems to redirect to https://azure.microsoft.com/en-us/resources/ which I assume is not intended?
Is there something that I need to change, maybe? Or just keep the PR up to date and wait?
I can't answer that as I have no control over what gets merged into Pip. But if I was merging documentation for my own projects I would want links to actually go somewhere useful.
It seems on September 15th Microsoft removed this blog post from their site: https://web.archive.org/web/20230915000000*/https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/
I don't know why, the underlying PDF is still available: https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf
Didn't notice that the link was broken, thank you for the help :)
Anything further required to merge this?
Also, I'm not particularly happy about linking to a PDF file on a random Azure media URL which isn't linked from, or available in, a stable, public location. It seems particularly ironic to do this when discussing reducing the risk of getting data from untrusted locations 🙁
I'd much rather that we linked to a more high-profile public document discussing dependency confusion.
Also, I'm not particularly happy about linking to a PDF file on a random Azure media URL
Yes. It's frustrating. Microsoft at some point removed the HTML version of their whitepaper. It is a really good white paper though... I think it may have been Nathaniel who tried to reach out to Azure/Microsoft to restore the original, but I think somehow their research docs site has been moved or taken down and I can no longer find the HTML original. They do still link out to the PDF in a few places like this though: https://devblogs.microsoft.com/nuget/introducing-package-source-mapping/ But it's a nuget link, which also might be confusing?
It's a bit of a shame there isn't a high-quality and public source of what "Dependency Confusion" is. Here are some alternatives:

- https://www.activestate.com/resources/quick-reads/dependency-confusion/
- https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
- https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/
Also, I imagine people will be left with questions about how they depend on public packages like `requests` in their private package with this approach. I think the discussion needs to address this.
Like how they can have public dependencies and how to handle it?
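The contrast the PR description draws (`--extra-index-url` versus a single `--index-url`, or `--no-index` with `--find-links`), together with the question raised at the end of the thread about how a private package still reaches public dependencies such as `requests`, as an added example that is not code from pip or from this PR. It models candidate selection in a deliberately simplified form, following pip's documented behaviour that candidates from `--index-url` and every `--extra-index-url` are pooled with no preference between them and the highest version wins (no specifier or pre-release handling). The hosts, package names, versions and the `/srv/wheels` directory are constructed; the "proxy" index stands for the usual answer to the public-dependency question, a single private feed that also mirrors the public packages a project is allowed to use. The `audit` helper flags the risky option in requirements.txt or pip.conf style lines.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    source: str  # index URL or --find-links directory the candidate came from


def version_key(version: str) -> tuple:
    """Order plain dotted versions numerically (simplified: no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


# Constructed sample sources (hypothetical hosts, not real services).
PRIVATE = "https://private.example/simple/"   # organisation's own feed
PUBLIC = "https://public.example/simple/"     # stands in for PyPI
PROXY = "https://proxy.example/simple/"       # private feed that also mirrors approved public packages
WHEELS = "/srv/wheels"                        # local directory for --find-links

INDEXES = {
    PRIVATE: [Candidate("acme-internal-utils", "1.4.0", PRIVATE)],
    PUBLIC: [
        # A public package registered under the private package's name, with an inflated version.
        Candidate("acme-internal-utils", "99.0.0", PUBLIC),
        Candidate("requests", "2.31.0", PUBLIC),
    ],
    PROXY: [
        Candidate("acme-internal-utils", "1.4.0", PROXY),
        Candidate("requests", "2.31.0", PROXY),  # mirrored from the public index by the proxy
    ],
}
FIND_LINKS_DIRS = {
    WHEELS: [Candidate("acme-internal-utils", "1.4.0", WHEELS)],
}


def select(name, index_url, extra_index_urls=(), no_index=False, find_links=()):
    """Simplified model of pip's candidate selection.

    Candidates from --index-url and every --extra-index-url are pooled with no
    preference between them; --no-index drops all indexes; --find-links adds
    local candidates. The highest version in the pool wins.
    """
    pool = []
    if not no_index:
        for url in (index_url, *extra_index_urls):
            pool.extend(c for c in INDEXES.get(url, []) if c.name == name)
    for path in find_links:
        pool.extend(c for c in FIND_LINKS_DIRS.get(path, []) if c.name == name)
    return max(pool, key=lambda c: version_key(c.version)) if pool else None


EXTRA_INDEX = re.compile(r"^\s*(?:--extra-index-url\b|extra-index-url\s*=)", re.IGNORECASE)


def audit(lines):
    """Flag requirements.txt or pip.conf lines that add an extra index (1-based line numbers)."""
    return [(n, line.strip()) for n, line in enumerate(lines, 1) if EXTRA_INDEX.match(line)]


# Constructed sample requirements file using the risky layout.
SAMPLE_REQUIREMENTS = """\
--index-url https://public.example/simple/
--extra-index-url https://private.example/simple/
acme-internal-utils>=1.3
requests
"""


if __name__ == "__main__":
    risky = select("acme-internal-utils", PUBLIC, extra_index_urls=[PRIVATE])
    print("extra-index-url     ->", risky.version, "from", risky.source)
    safe = select("acme-internal-utils", PROXY)
    print("single index-url    ->", safe.version, "from", safe.source)
    offline = select("acme-internal-utils", PUBLIC, no_index=True, find_links=[WHEELS])
    print("no-index/find-links ->", offline.version, "from", offline.source)
    print("public dep via proxy         ->", select("requests", PROXY))
    print("private-only index, public dep ->", select("requests", PRIVATE))
    for n, line in audit(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {n}: {line}  <- replace with a single --index-url")
```

Running the module shows the three cases side by side: with the extra index the inflated public version wins, with a single index or a local wheel directory the private build is chosen, and a private-only index cannot resolve `requests` at all, which is why the single index needs to proxy the public packages a project depends on.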