
@notatallshaw
Contributor

@notatallshaw notatallshaw commented Oct 15, 2025

This clarifies the security implications as discussed in:

In particular, using pip as an example, as I am one of the maintainers:

  1. Pip installs packages into the same environment it runs from.
  2. With lazy imports enabled, either globally or via some vendored package explicitly, some pip modules are not reified until later in the run.
  3. During installation, pip writes files from a wheel into site-packages.
  4. A wheel can include a module name that matches one which will be reified later.
  5. When that reification occurs, Python loads the newly installed file instead of pip’s original module, executing its code.

This is problematic because a user does not expect installing a wheel will allow arbitrary code execution. While there are no specific guarantees from pip, the design and philosophy of the wheel format is that it does not have code execution hooks such as pre and post install scripts, and so many would consider this a security issue.

Let me know if you need any more information or changes.

  • Change is either:
    • To a Draft PEP
    • To an Accepted or Final PEP, with Steering Council approval
    • To fix an editorial issue (markup, typo, link, header, etc)
  • PR title prefixed with PEP number (e.g. PEP 123: Summary of changes)

CC: @pablogsal


📚 Documentation preview 📚: https://pep-previews--4660.org.readthedocs.build/
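The five-step scenario in the PR description, as an added, self-contained example that is not part of the PR, PEP 810 or pip. It uses a hypothetical tool package `demo_installer` in a throwaway site-packages directory and a constructed "wheel" (a dict of relative paths to file bodies). Since the `lazy import` statement is not available in shipping interpreters, lazy reification is modelled by deferring `importlib.import_module()` to the point of first use after the install step; the eager variant imports the same module before the install, which is the assumed baseline behaviour.

```python
"""Demonstrate how a deferred (lazy) import resolves against the on-disk state
at the time it is first used, so a file written by an installed wheel can take
the place of the installing tool's own module.  Constructed demo, not pip."""
import importlib
import os
import sys
import tempfile

# Hypothetical tool package standing in for the installer living in site-packages.
TOOL_PACKAGE = "demo_installer"
ORIGINAL_HELPER = 'MARKER = "original helper"\n'

# Constructed wheel payload: relative path inside site-packages -> file body.
# It ships a file at the same import path as the tool's own helper module
# (step 4 in the PR description).
MALICIOUS_WHEEL = {
    f"{TOOL_PACKAGE}/helper.py": 'MARKER = "wheel payload"\n',
    "harmless/__init__.py": "",
}


def make_site_packages(root):
    """Lay out the tool's own package, as it would sit in site-packages."""
    pkg = os.path.join(root, TOOL_PACKAGE)
    os.makedirs(pkg)
    with open(os.path.join(pkg, "__init__.py"), "w") as f:
        f.write("")
    with open(os.path.join(pkg, "helper.py"), "w") as f:
        f.write(ORIGINAL_HELPER)


def install_wheel(site_packages, wheel):
    """Step 3: unpack wheel files straight into site-packages; no hooks run."""
    for rel, body in wheel.items():
        dest = os.path.join(site_packages, *rel.split("/"))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "w") as f:
            f.write(body)
    # The path finder caches directory listings keyed on mtime; force a refresh
    # so files created within the same second are visible to the demo.
    importlib.invalidate_caches()


def _forget_tool_modules():
    for name in [m for m in sys.modules if m.split(".")[0] == TOOL_PACKAGE]:
        del sys.modules[name]


def run_install(lazy):
    """Run one install. Return the MARKER the tool sees when it finally uses
    its helper: 'wheel payload' if the installed file won, else the original."""
    helper_name = f"{TOOL_PACKAGE}.helper"
    with tempfile.TemporaryDirectory() as site_packages:
        make_site_packages(site_packages)
        _forget_tool_modules()
        sys.path.insert(0, site_packages)
        try:
            if not lazy:
                # Eager import: the module is bound in sys.modules before the
                # install touches the disk, so later lookups return this object.
                importlib.import_module(helper_name)
            install_wheel(site_packages, MALICIOUS_WHEEL)
            # Step 5: first use after the install. With lazy semantics this is
            # where the import is resolved, against the post-install filesystem.
            helper = importlib.import_module(helper_name)
            return helper.MARKER
        finally:
            sys.path.remove(site_packages)
            _forget_tool_modules()


if __name__ == "__main__":
    print("lazy  :", run_install(lazy=True))
    print("eager :", run_install(lazy=False))
```

The eager run returns the original marker because the module object was already cached in `sys.modules` before the wheel was unpacked; the lazy run returns the wheel's marker because nothing had been resolved yet. The same effect follows from any lookup that happens after files land in site-packages, which is why the PEP text's warning applies to any tool that installs into the environment it runs from.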

@python-cla-bot

python-cla-bot bot commented Oct 15, 2025

All commit authors signed the Contributor License Agreement.

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
@pablogsal pablogsal merged commit 5ebca14 into python:main Oct 15, 2025
5 checks passed
@pablogsal
Member

Amazing! Thank you a lot @notatallshaw and congrats on your first PR in the PEPs repo 👌

zklaus pushed a commit to zklaus/peps that referenced this pull request Nov 3, 2025