Contributors mailing list archives

contributors@odoo-community.org

Re: OCA pip module loaded by external organization on pypi.org

by Acsone SA/NV, Stéphane Bidoul - 25/01/2025 11:55:52
Hi Sergio,

Thanks for reporting this.

In this case, what happened is that odoo12-addon-stock_move_backdating is owned by OCA, but another company published odoo14-addon-stock_move_backdating before it was migrated in OCA.
When later merged in OCA, the publishing to PyPI failed because OCA did not own the package.
We were alerted by the monitoring and attempted to contact that company to resolve the issue, without success so far.

From PyPI's perspective, there is nothing wrong with that, because odoo12-addon-stock_move_backdating and odoo14-addon-stock_move_backdating are two different packages.
Since Odoo 15, the Odoo version is not part of the package name, so this kind of confusion cannot happen anymore.

It is nevertheless important to keep in mind that anyone can publish new packages to PyPI, including Odoo addons, and when installing from PyPI (as from anywhere on the internet) one must be careful to assert the trust one places in the package owners.

We are currently aware of 2 situations where an addon is merged in OCA and not owned by OCA on PyPI: odoo14-addon-stock_move_backdating and odoo14-addon-pos_sale_order_load.

Additionally, since Nov 2024, to avoid merging in OCA when the name is not available on PyPI, the bot checks that the name is available before accepting the merge.

In OCA CI, there is a mechanism in place to test only with OCA addons.

Best regards,

-Stéphane


On Fri, Jan 24, 2025 at 6:37 PM Pierre Verkest <notifications@odoo-community.org> wrote:
Hi,

I suppose the https://pypi.org/user/ssi-bot/ user owned the PyPI project before the OCA bot tried to create it, so it's certainly a best practice to first get OCA packages from the OCA wheelhouse https://wheelhouse.odoo-community.org/

regards,

On Fri, Jan 24, 2025 at 17:38, Sergio Corato <notifications@odoo-community.org> wrote:
Hi all,
I am writing this mail even if I've already written it in OCA Discord, because I think this is a security issue; I apologize if it's not.

I found, installed in an instance, a pip package from pypi.org of an OCA module uploaded there by a company outside OCA: https://pypi.org/project/odoo14-addon-stock-move-backdating/14.0.1.2.0/

They pushed the module with changes, a different logo (it was mostly this change that made me notice it) and a link to their website. It's a bad thing that someone can put a pip package there with random code.

I'll stop taking this pip from pypi.org or I'll take the OCA version, but what about other instances installed in this way? Or is it a deprecated way of deployment?

In tests done on GitHub the "non-OCA" version is used too:

Requirement already satisfied: odoo14-addon-stock-move-backdating in /opt/odoo-venv/src/odoo14-addon-stock-move-backdating/setup/stock_move_backdating (from -r test-requirements.txt (line 6)) (14.0.1.0.2.dev2)

while the current OCA version is "version": "14.0.1.0.1",

Sergio Corato

_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe



--
Pierre

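The naming rule Stéphane describes (the Odoo series is part of the distribution name up to Odoo 14 and dropped from Odoo 15 on) and the bot's pre-merge check that the name is still free on PyPI, written out as an added example; this is not code from the thread or from OCA's tooling. The "points at github.com/OCA" heuristic and the sample metadata are assumptions of this example, and the PyPI JSON API does not expose account ownership, so it cannot replace checking the maintainers on the project page.

```python
"""Derive an OCA addon's PyPI distribution name and classify who appears to own it.
Added example, not OCA tooling."""
import json
import re
import urllib.request
from typing import Optional
from urllib.error import HTTPError


def pypi_dist_name(addon: str, series: int) -> str:
    """Up to Odoo 14 the series is in the name (odoo14-addon-...);
    from Odoo 15 on it is only in the version (odoo-addon-...)."""
    raw = f"odoo{series}-addon-{addon}" if series <= 14 else f"odoo-addon-{addon}"
    # PEP 503 normalisation: runs of '-', '_' and '.' collapse to one hyphen, lowercase
    return re.sub(r"[-_.]+", "-", raw).lower()


def looks_oca_owned(info: dict) -> bool:
    """Heuristic (assumption of this example): project metadata points at github.com/OCA."""
    urls = [info.get("home_page") or ""]
    urls += list((info.get("project_urls") or {}).values())
    return any(re.match(r"https?://github\.com/OCA/", u or "", re.I) for u in urls)


def classify(name: str, info: Optional[dict]) -> str:
    """'free' if no project exists, 'oca' if metadata points at OCA, else 'foreign'.
    A pre-merge bot would accept only 'free' (first publish) or 'oca'."""
    if info is None:
        return "free"
    return "oca" if looks_oca_owned(info) else "foreign"


def fetch_pypi_info(name: str) -> Optional[dict]:
    """Live lookup via https://pypi.org/pypi/<name>/json; returns None on 404 (name free)."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
            return json.load(resp)["info"]
    except HTTPError as exc:
        if exc.code == 404:
            return None
        raise


# Constructed sample metadata standing in for what the JSON API would return (offline).
SAMPLE_OCA = {"home_page": "https://github.com/OCA/stock-logistics-workflow"}
SAMPLE_FOREIGN = {"home_page": "https://example.invalid/our-fork", "project_urls": None}

if __name__ == "__main__":
    for series in (12, 14, 16):
        print(pypi_dist_name("stock_move_backdating", series))
    print(classify(pypi_dist_name("stock_move_backdating", 14), SAMPLE_FOREIGN))
```

Replace the sample dicts with `fetch_pypi_info(name)` to run the same classification against live PyPI metadata.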