Contributors mailing list archives

contributors@odoo-community.org

OCA pip module loaded by external organization on pypi.org

by Sergio Corato - 24/01/2025 17:31:40
Hi all,
I am writing this mail even though I've already posted it in OCA Discord, because I think this is a security issue; I apologize if it's not.

I found, installed in an instance, a pip package from pypi.org of an OCA module, uploaded there by a company outside OCA: https://pypi.org/project/odoo14-addon-stock-move-backdating/14.0.1.2.0/

They pushed the module modified, with a different logo (it was mostly this change that made me notice it) and a link to their website. It's a bad thing that someone can put a pip package there with random code.

I'll stop taking this pip package from pypi.org, or I'll take the OCA version, but what about other instances installed this way? Or is this a deprecated way of deployment?

In the tests done on GitHub, the "non-OCA" version is used too:

Requirement already satisfied: odoo14-addon-stock-move-backdating in /opt/odoo-venv/src/odoo14-addon-stock-move-backdating/setup/stock_move_backdating (from -r test-requirements.txt (line 6)) (14.0.1.0.2.dev2)

while the current OCA version is "version": "14.0.1.0.1",

Sergio Corato
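The situation described above (a PyPI release carrying a higher version and a different website than the OCA branch, pulled in by an unpinned test requirement) can be caught with an offline check. The script below is an added example, not code from the post or from OCA: it compares the installed distribution's METADATA against the addon's __manifest__.py from the OCA git checkout and flags addon requirements that are not pinned. The OCA URL prefix, the sample METADATA blocks, the manifest excerpt and the requirements file are constructed for illustration; only the two version numbers come from the post.

```python
"""Offline provenance check for an Odoo addon installed from PyPI (added example).

Compares what pip installed (dist-info METADATA) with what the OCA branch says
(__manifest__.py) and audits a requirements file for unpinned addon lines.
All sample inputs are constructed; URLs and field values are assumptions.
"""
import ast
import re
from email.parser import HeaderParser

OCA_URL_PREFIX = "https://github.com/OCA/"  # assumption: OCA releases point back here

# Constructed __manifest__.py excerpt; the version string is the one quoted in the post.
OCA_MANIFEST = '''{
    "name": "Stock Move Backdating",
    "version": "14.0.1.0.1",
    "website": "https://github.com/OCA/stock-logistics-workflow",
    "license": "AGPL-3",
}'''

# Constructed METADATA as an OCA-built wheel would plausibly carry it (assumed values).
OCA_METADATA = """Metadata-Version: 2.1
Name: odoo14-addon-stock-move-backdating
Version: 14.0.1.0.1
Home-page: https://github.com/OCA/stock-logistics-workflow
License: AGPL-3
"""

# Constructed METADATA modelled on a third-party re-upload: higher version, own site.
FOREIGN_METADATA = """Metadata-Version: 2.1
Name: odoo14-addon-stock-move-backdating
Version: 14.0.1.2.0
Home-page: https://www.example-vendor.invalid/
License: AGPL-3
"""

# Constructed test-requirements.txt; line 2 mirrors the unpinned entry the CI log implies.
REQUIREMENTS = """odoo14-addon-stock-picking-back2draft==14.0.1.0.0 --hash=sha256:0000
odoo14-addon-stock-move-backdating
# comment line
-e git+https://github.com/OCA/stock-logistics-workflow#subdirectory=setup/stock_move_backdating
"""

ADDON_RE = re.compile(r"^odoo\d+-addon-[\w.-]+", re.IGNORECASE)


def version_key(version):
    """Turn '14.0.1.0.2.dev2' into a comparable tuple; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def parse_metadata(text):
    """METADATA is RFC 822 style, so the stdlib header parser handles it."""
    msg = HeaderParser().parsestr(text)
    return {"name": msg["Name"], "version": msg["Version"], "home_page": msg.get("Home-page", "")}


def audit_addon(metadata_text, manifest_src, trusted_prefix=OCA_URL_PREFIX):
    """Return findings that the installed wheel cannot be the OCA branch's release."""
    meta = parse_metadata(metadata_text)
    manifest = ast.literal_eval(manifest_src)  # literal_eval: never import/exec a manifest
    findings = []
    # OCA's CI releases the version written in the branch; anything newer did not come from it.
    if version_key(meta["version"]) > version_key(manifest["version"]):
        findings.append(f"{meta['name']}: installed {meta['version']} is newer than "
                        f"OCA manifest {manifest['version']}")
    if not meta["home_page"].startswith(trusted_prefix):
        findings.append(f"{meta['name']}: Home-page {meta['home_page']!r} is outside {trusted_prefix}")
    return findings


def audit_requirements(text):
    """Flag addon requirement lines that let any index upload win resolution."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or not ADDON_RE.match(line):
            continue  # blanks, comments and VCS (-e git+...) lines are not index lookups
        name = line.split()[0]
        if "==" not in line:
            findings.append(f"line {lineno}: {name} is not pinned with ==")
        if "--hash=" not in line:
            findings.append(f"line {lineno}: {name} has no --hash, any index upload resolves")
    return findings


if __name__ == "__main__":
    for label, meta in (("OCA wheel", OCA_METADATA), ("foreign wheel", FOREIGN_METADATA)):
        print(label, audit_addon(meta, OCA_MANIFEST) or "OK")
    print("requirements", audit_requirements(REQUIREMENTS) or "OK")
```

Run it against a real instance by reading `<site-packages>/odoo14_addon_stock_move_backdating-*.dist-info/METADATA` and the addon's `__manifest__.py` from the OCA checkout; the requirements audit is the part to wire into CI so an unpinned addon line fails the build before pip resolves it.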
