Contributors mailing list archives

contributors@odoo-community.org

Re: OCA pip module loaded by external organization on pypi.org

by Pierre Verkest - 24/01/2025 18:32:18
Hi,

I suppose the https://pypi.org/user/ssi-bot/ user owned the PyPI project before the OCA bot tried to create it, so it's certainly a best practice to first get OCA packages from the OCA wheelhouse https://wheelhouse.odoo-community.org/

regards,

On Fri 24 Jan 2025 at 17:38, Sergio Corato <notifications@odoo-community.org> wrote:
Hi all,
I am writing this mail even though I've already written it in the OCA Discord, because I think this is a security issue; I apologize if it's not.

I found installed in an instance a pip package from pypi.org of an OCA module, upgraded there by a company outside OCA: https://pypi.org/project/odoo14-addon-stock-move-backdating/14.0.1.2.0/

They pushed the module with changes, a different logo (it was mostly this change that made me notice it) and a link to their website. It's a bad thing that someone can put a pip package there with random code.

I'll stop taking this package from pypi.org, or I'll take the OCA version, but what about other instances installed in this way? Or is it a deprecated way of deployment?

In the tests run on GitHub the "non-OCA" version is used too:

Requirement already satisfied: odoo14-addon-stock-move-backdating in /opt/odoo-venv/src/odoo14-addon-stock-move-backdating/setup/stock_move_backdating (from -r test-requirements.txt (line 6)) (14.0.1.0.2.dev2)

while the current OCA version is "version": "14.0.1.0.1",

Sergio Corato

_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe

--
Pierre
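The thread above describes the risk of a same-named package on pypi.org shadowing the OCA-built one. One caveat a practitioner would want: when pip is given both PyPI and the wheelhouse (for example via `--extra-index-url`), it selects the highest version found on any index, so a third-party upload with a higher version number such as 14.0.1.2.0 wins over the OCA 14.0.1.0.1 release unless PyPI is excluded from the index list or versions are pinned. The script below is an added example, not OCA or project code, that audits installed `odoo*-addon-*` distributions and flags those whose metadata does not point at a `github.com/OCA/` repository or whose version is ahead of what OCA publishes. It assumes that OCA-built addon wheels carry an OCA GitHub URL in their `Home-page` or `Project-URL` metadata, and the sample METADATA texts and the `OCA_INDEX` mapping are constructed inline so it runs offline; `installed_addon_metadata()` reads the real site-packages metadata when run on an actual instance.

```python
"""Audit installed Odoo addon distributions for non-OCA origin.

Added example; not code from the OCA project. Assumption: addon wheels built
by OCA carry a https://github.com/OCA/... URL in Home-page or Project-URL.
"""
import re
from email.parser import HeaderParser
from importlib.metadata import distributions
from typing import Dict, List, Tuple

ADDON_NAME_RE = re.compile(r"^odoo\d*-addon-", re.I)
OCA_URL_RE = re.compile(r"https://github\.com/OCA/", re.I)

# Constructed sample METADATA files, standing in for
# site-packages/<dist>.dist-info/METADATA. Values are illustrative only.
SAMPLE_METADATA: Dict[str, str] = {
    "odoo14-addon-stock-move-backdating": (
        "Metadata-Version: 2.1\n"
        "Name: odoo14-addon-stock-move-backdating\n"
        "Version: 14.0.1.2.0\n"
        "Home-page: https://example.com/not-oca\n"   # hypothetical URL
        "Author: Some Company\n"
    ),
    "odoo14-addon-stock-picking-batch-extended": (
        "Metadata-Version: 2.1\n"
        "Name: odoo14-addon-stock-picking-batch-extended\n"
        "Version: 14.0.1.0.0\n"
        "Home-page: https://github.com/OCA/stock-logistics-workflow\n"
        "Author: Odoo Community Association (OCA)\n"
    ),
}

# Constructed stand-in for the latest versions served by the OCA wheelhouse.
OCA_INDEX: Dict[str, str] = {
    "odoo14-addon-stock-move-backdating": "14.0.1.0.1",
    "odoo14-addon-stock-picking-batch-extended": "14.0.1.0.0",
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Order Odoo addon versions such as '14.0.1.0.2.dev2'.

    Minimal PEP 440 handling: a dev/pre-release segment sorts before the
    final release with the same numeric part.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:\.?(dev|a|b|rc)(\d*))?$", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    is_final = 0 if m.group(2) else 1
    pre_number = int(m.group(3) or 0)
    return (release, is_final, pre_number)


def audit(metadata_texts: Dict[str, str],
          oca_index: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (distribution, reason, detail) findings for suspicious addons."""
    findings: List[Tuple[str, str, str]] = []
    for name, text in metadata_texts.items():
        if not ADDON_NAME_RE.match(name):
            continue
        headers = HeaderParser().parsestr(text)
        version = headers.get("Version", "") or ""
        home = headers.get("Home-page", "") or ""
        urls = [home] + (headers.get_all("Project-URL") or [])
        # Provenance check: no OCA GitHub URL anywhere in the metadata.
        if not any(OCA_URL_RE.search(u) for u in urls):
            findings.append((name, "non-OCA origin", home or "<no Home-page>"))
        # Version check: installed release is ahead of what OCA publishes.
        expected = oca_index.get(name)
        if expected is None:
            findings.append((name, "not in OCA index", version))
        elif parse_version(version) > parse_version(expected):
            findings.append((name, "newer than OCA release",
                             f"{version} > {expected}"))
    return findings


def installed_addon_metadata() -> Dict[str, str]:
    """Collect the METADATA text of every installed odoo*-addon-* package."""
    out: Dict[str, str] = {}
    for dist in distributions():
        name = dist.metadata["Name"] or ""
        if ADDON_NAME_RE.match(name):
            out[name] = dist.read_text("METADATA") or ""
    return out


if __name__ == "__main__":
    for dist_name, reason, detail in audit(SAMPLE_METADATA, OCA_INDEX):
        print(f"{dist_name}: {reason} ({detail})")
```

On a real instance, replace `SAMPLE_METADATA` with `installed_addon_metadata()` and `OCA_INDEX` with the versions your wheelhouse serves; a "non-OCA origin" finding is the signal Sergio noticed by hand (a changed logo and website link), and a "newer than OCA release" finding is exactly the condition under which pip would have preferred the pypi.org copy.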