pip should warn on git:// protocol #1983
Comments
|
Makes sense, we should do the same for other vcs backends using unencrypted protocols |
pradyunsg
added
state: awaiting PR
|
I wanted to take a shot at this PR. But before that, I wanted to understand what kind of URL does |
|
@deveshks It’s the Git protocol, which is an ancient (OK this is an exaggeration) standard before “smart HTTP” came about, and was the prevelant choice for read-only remotes (because fetching through HTTP and HTTPS was very slow at the time). To install from it, you’d write something like Honestly I feel this is no longer necessary. Nobody really mentions git:// anywhere anymore, and anyone still using the Git protocol at this point probably knows what they’re doing and don’t need the warning anyway. |
|
I think one thing we should do is to change or remove those |
|
Hi @uranusjr , I did try BTW, I also tried I also tried We can remove both URL's from the documentation, but I think we should also raise an exception if the users are still using said URL. What do you think? |
I don’t think it’s a good idea to raise an exception. It is a perfectly valid URL, and pip should keep it working. The most pip should do is to emit a warning message, althought that is still unnecessary IMO. |
|
Sure @uranusjr , I think that makes more sense. So do I create a PR to just remove the URL's from the documentation, or do I also emit a warning message as well? |
|
@deveshks Let’s do them in two PRs. The documentation one should be straightforward, and discussion on the warning’s wording could delay it unnecessarily. |
|
Thanks @uranusjr , have create the first PR for the doc. As for the warning, I think it can be something like |
lock
bot
added
the
auto-locked
This is un-authenticated, the same as HTTP, and is thus a MITM vector.
The text was updated successfully, but these errors were encountered: