Description
- Pip version: 9+
- Python version: All
- Operating system: All
Description:
As reported on Hacker Noon, it is possible for people to maliciously or accidentally register packages on PyPI or other locations that would overwrite the default packages installed with Python. These could be downloaded directly or pulled in via the requirements of other packages.
Some installations on some OSs do provide a degree of protection via the user permissions on the installed packages.
While it is sometimes necessary to upgrade the packages shipped by default with Python (such as pip or ssl recently), it would be an enhancement for pip to refuse to work, with a clear error message, on any package that would overwrite the default packages unless the user specifies a specific override at invocation.
This could be achieved by having a list of the packages that are present by default for each current version of Python and filtering installs against the list for the version pip is running under.
Possibly `--allow-core-overwrite` might be a suitable flag to disable this behaviour.
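A sketch of the guard proposed above, added here as an illustration and not pip's own code: the per-version protected set is built from `sys.stdlib_module_names` (Python 3.10+) plus a constructed list of bundled tools, requirement names are normalised per PEP 503 before comparison, and the `--allow-core-overwrite` flag is modelled as a keyword argument.

```python
import re
import sys

# Distributions installed alongside the interpreter by ensurepip.
# Constructed for illustration; not a list maintained by pip.
BUNDLED_DEFAULTS = {"pip", "setuptools"}

# Leading distribution name of a requirements.txt-style line; extras,
# version specifiers and markers follow and are ignored here.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def protected_names():
    """Protected set for the running interpreter: public stdlib top-level
    module names (sys.stdlib_module_names, 3.10+) plus bundled tools."""
    stdlib = getattr(sys, "stdlib_module_names", frozenset())
    return {normalize(n) for n in stdlib if not n.startswith("_")} | BUNDLED_DEFAULTS


def requirement_name(line):
    """Extract and normalise the distribution name from a requirement line."""
    m = _REQ_RE.match(line)
    return normalize(m.group(1)) if m else None


def find_core_overwrites(requirement_lines, protected=None):
    """Return, in order of first appearance, the names that would shadow a
    protected package. Blank lines, comments and pip options are skipped."""
    protected = protected_names() if protected is None else protected
    hits = []
    for line in requirement_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        name = requirement_name(stripped)
        if name in protected and name not in hits:
            hits.append(name)
    return hits


def check_install(requirement_lines, allow_core_overwrite=False, protected=None):
    """Gate an install: return None when it may proceed, otherwise the
    refusal message pip would print unless the override flag is given."""
    hits = find_core_overwrites(requirement_lines, protected)
    if hits and not allow_core_overwrite:
        return ("Refusing to install packages that would overwrite core packages: "
                + ", ".join(hits) + ". Re-run with --allow-core-overwrite to proceed.")
    return None
```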