Skip to Content
  2. Mailing Lists
  3. Contributors
  4. OCA pip module loaded by external organization on pypi.org

Archives

Contributors

Request for Guidance on Migrating from POS UI API v15 to v16

Aletrnative to mrp_workorder (MRP II) Shop Floor application?

OCA pip module loaded by external organization on pypi.org

Hi all,
I am writing this mail even if I've already written it in OCA Discord, because I think this is a security issue, I apologize whether it's not.

I found installed in an instance a pip from pypi.org of an OCA module upgraded there from a company outside OCA: https://pypi.org/project/odoo14-addon-stock-move-backdating/14.0.1.2.0/

They pushed the module changed and with a different logo (almost this change made me notice it) and a link to their website. It's a bad thing that someone can put a pip there with a random code.

I'll stop taking this pip from pypi.org or I'll take the OCA version, but what about other instances installed in this way? Or is it a deprecated way of deployment?

In tests done on github is used the "non-OCA" version too:

Requirement already satisfied: odoo14-addon-stock-move-backdating in /opt/odoo-venv/src/odoo14-addon-stock-move-backdating/setup/stock_move_backdating (from -r test-requirements.txt (line 6)) (14.0.1.0.2.dev2)

while the current OCA version is  "version": "14.0.1.0.1",

Sergio Corato
by Sergio Corato - 05:36 - 24 Jan 2025

Follow-Ups

  • Re: OCA pip module loaded by external organization on pypi.org
    Hi Stéphane,
    thanks very much for the clarification.
    I've managed to install the OCA module version as we use a private distributor of pip packages: this is used by forcing the 14.0.1.0.1 version.
    Warmest regards,
    Sergio Corato


    Il giorno sab 25 gen 2025 alle ore 12:06 Stéphane Bidoul <notifications@odoo-community.org> ha scritto:
    Hi Sergio,

    Thanks for reporting this.

    In this case, what happened is that odoo12-addon-stock_move_backdating is owned by OCA, but another company published odoo14-addon-stock_move_backdating before it was migrated in OCA.
    When later merged in OCA, the publishing to PyPI failed because OCA did not own the package.
    We were alerted by the monitoring and attempted to contact that company to resolve the issue, without success so far.

    From PyPI perspective, there is nothing wrong with that because odoo12-addon-stock_move_backdating and odoo14-addon-stock_move_backdating are two different packages.
    Since Odoo 15, the Odoo version is not part of the package name, so this kind of confusion cannot happen anymore.

    It is nevertheless important to keep in mind that anyone can publish new packages to PyPI, including Odoo addons, and when installing from PyPI (as from anywhere on the internet) one must be careful to assert the trust one places in the package owners.

    We are currently aware of 2 situations where an addon is merged in OCA and not owned by OCA on PyPI: odoo14-addon-stock_move_backdating and odoo14-addon-pos_sale_order_load.

    Additionally, since Nov 2024, to avoid merging in OCA when the name is not available on PyPI, the bot checks that the name is available before accepting the merge.

    In OCA CI, there is a mechanism in place to test only with OCA addons.

    Best regards,

    -Stéphane


    On Fri, Jan 24, 2025 at 6:37 PM Pierre Verkest <notifications@odoo-community.org> wrote:
    Hi,

    I suppose the https://pypi.org/user/ssi-bot/ user own the pypi project before OCA bot try to create it so it's certainly a best practice to first get OCA package from the OCA wheelhouse https://wheelhouse.odoo-community.org/

    regards,

    Le ven. 24 janv. 2025 à 17:38, Sergio Corato <notifications@odoo-community.org> a écrit :
    Hi all,
    I am writing this mail even if I've already written it in OCA Discord, because I think this is a security issue, I apologize whether it's not.

    I found installed in an instance a pip from pypi.org of an OCA module upgraded there from a company outside OCA: https://pypi.org/project/odoo14-addon-stock-move-backdating/14.0.1.2.0/

    They pushed the module changed and with a different logo (almost this change made me notice it) and a link to their website. It's a bad thing that someone can put a pip there with a random code.

    I'll stop taking this pip from pypi.org or I'll take the OCA version, but what about other instances installed in this way? Or is it a deprecated way of deployment?

    In tests done on github is used the "non-OCA" version too:

    Requirement already satisfied: odoo14-addon-stock-move-backdating in /opt/odoo-venv/src/odoo14-addon-stock-move-backdating/setup/stock_move_backdating (from -r test-requirements.txt (line 6)) (14.0.1.0.2.dev2)

    while the current OCA version is  "version": "14.0.1.0.1",

    Sergio Corato

    _______________________________________________
    Mailing-List: https://odoo-community.org/groups/contributors-15
    Post to: mailto:contributors@odoo-community.org
    Unsubscribe: https://odoo-community.org/groups?unsubscribe



    --
    Pierre

    _______________________________________________
    Mailing-List: https://odoo-community.org/groups/contributors-15
    Post to: mailto:contributors@odoo-community.org
    Unsubscribe: https://odoo-community.org/groups?unsubscribe

    _______________________________________________
    Mailing-List: https://odoo-community.org/groups/contributors-15
    Post to: mailto:contributors@odoo-community.org
    Unsubscribe: https://odoo-community.org/groups?unsubscribe

    by Sergio Corato - 03:51 - 25 Jan 2025
  • Re: OCA pip module loaded by external organization on pypi.org
    Hi Sergio,

    Thanks for reporting this.

    In this case, what happened is that odoo12-addon-stock_move_backdating is owned by OCA, but another company published odoo14-addon-stock_move_backdating before it was migrated in OCA.
    When later merged in OCA, the publishing to PyPI failed because OCA did not own the package.
    We were alerted by the monitoring and attempted to contact that company to resolve the issue, without success so far.

    From PyPI perspective, there is nothing wrong with that because odoo12-addon-stock_move_backdating and odoo14-addon-stock_move_backdating are two different packages.
    Since Odoo 15, the Odoo version is not part of the package name, so this kind of confusion cannot happen anymore.

    It is nevertheless important to keep in mind that anyone can publish new packages to PyPI, including Odoo addons, and when installing from PyPI (as from anywhere on the internet) one must be careful to assert the trust one places in the package owners.

    We are currently aware of 2 situations where an addon is merged in OCA and not owned by OCA on PyPI: odoo14-addon-stock_move_backdating and odoo14-addon-pos_sale_order_load.

    Additionally, since Nov 2024, to avoid merging in OCA when the name is not available on PyPI, the bot checks that the name is available before accepting the merge.

    In OCA CI, there is a mechanism in place to test only with OCA addons.

    Best regards,

    -Stéphane


    On Fri, Jan 24, 2025 at 6:37 PM Pierre Verkest <notifications@odoo-community.org> wrote:
    Hi,

    I suppose the https://pypi.org/user/ssi-bot/ user own the pypi project before OCA bot try to create it so it's certainly a best practice to first get OCA package from the OCA wheelhouse https://wheelhouse.odoo-community.org/

    regards,

    Le ven. 24 janv. 2025 à 17:38, Sergio Corato <notifications@odoo-community.org> a écrit :
    Hi all,
    I am writing this mail even if I've already written it in OCA Discord, because I think this is a security issue, I apologize whether it's not.

    I found installed in an instance a pip from pypi.org of an OCA module upgraded there from a company outside OCA: https://pypi.org/project/odoo14-addon-stock-move-backdating/14.0.1.2.0/

    They pushed the module changed and with a different logo (almost this change made me notice it) and a link to their website. It's a bad thing that someone can put a pip there with a random code.

    I'll stop taking this pip from pypi.org or I'll take the OCA version, but what about other instances installed in this way? Or is it a deprecated way of deployment?

    In tests done on github is used the "non-OCA" version too:

    Requirement already satisfied: odoo14-addon-stock-move-backdating in /opt/odoo-venv/src/odoo14-addon-stock-move-backdating/setup/stock_move_backdating (from -r test-requirements.txt (line 6)) (14.0.1.0.2.dev2)

    while the current OCA version is  "version": "14.0.1.0.1",

    Sergio Corato

    _______________________________________________
    Mailing-List: https://odoo-community.org/groups/contributors-15
    Post to: mailto:contributors@odoo-community.org
    Unsubscribe: https://odoo-community.org/groups?unsubscribe



    --
    Pierre

    _______________________________________________
    Mailing-List: https://odoo-community.org/groups/contributors-15
    Post to: mailto:contributors@odoo-community.org
    Unsubscribe: https://odoo-community.org/groups?unsubscribe

    by Stéphane Bidoul - 11:57 - 25 Jan 2025
  • Re: OCA pip module loaded by external organization on pypi.org
    Hi,

    I suppose the https://pypi.org/user/ssi-bot/ user own the pypi project before OCA bot try to create it so it's certainly a best practice to first get OCA package from the OCA wheelhouse https://wheelhouse.odoo-community.org/

    regards,

    Le ven. 24 janv. 2025 à 17:38, Sergio Corato <notifications@odoo-community.org> a écrit :
    Hi all,
    I am writing this mail even if I've already written it in OCA Discord, because I think this is a security issue, I apologize whether it's not.

    I found installed in an instance a pip from pypi.org of an OCA module upgraded there from a company outside OCA: https://pypi.org/project/odoo14-addon-stock-move-backdating/14.0.1.2.0/

    They pushed the module changed and with a different logo (almost this change made me notice it) and a link to their website. It's a bad thing that someone can put a pip there with a random code.

    I'll stop taking this pip from pypi.org or I'll take the OCA version, but what about other instances installed in this way? Or is it a deprecated way of deployment?

    In tests done on github is used the "non-OCA" version too:

    Requirement already satisfied: odoo14-addon-stock-move-backdating in /opt/odoo-venv/src/odoo14-addon-stock-move-backdating/setup/stock_move_backdating (from -r test-requirements.txt (line 6)) (14.0.1.0.2.dev2)

    while the current OCA version is  "version": "14.0.1.0.1",

    Sergio Corato

    _______________________________________________
    Mailing-List: https://odoo-community.org/groups/contributors-15
    Post to: mailto:contributors@odoo-community.org
    Unsubscribe: https://odoo-community.org/groups?unsubscribe



    --
    Pierre
    by Pierre Verkest - 06:36 - 24 Jan 2025