I have asked this question on the FreeNode #pip
channel. The following is my interpretation of the replies I've got there. Thanks go to agronholm
and dstufft
from #pip
for answering my question.
Packages can be maintained on PyPI in three different ways:
Directly on PyPI. If a package is hosted on PyPI, no additional switch is required to install it. Connection to PyPI is secured by HTTPS, therefore the downloads are considered as trusted.
On an external site, with PyPI storing a secure checksum of the relevant files. In this case pip
requires the --allow-external
switch to proceed. While the download might potentially come from an unsecured server, downloaded files are checked against the secure checksum stored on PyPI. Because of that, this case is also considered secure.
On an external site, without PyPI storing any checksum. In this case there is no way to ensure that the download is safe. --allow-external
is not enough to enable installation in this case, pip
requires --allow-unverified
.
Therefore, --allow-external
alone is considered a safe switch, and only using --allow-unverified
is a potential security issue. This is also why pip
has an --allow-all-external
option, but no --allow-all-unverified
.
As a side note, --allow-external
was introduced not as a security feature, but due to the potential speed, uptime and convenience issues while dealing with third party websites.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…