
Re: OCA pip module loaded by external organization on pypi.org

Hi,

I suppose the https://pypi.org/user/ssi-bot/ user owned the PyPI project before the OCA bot tried to create it, so it's certainly a best practice to first get OCA packages from the OCA wheelhouse https://wheelhouse.odoo-community.org/

regards,

On Fri, 24 Jan 2025 at 17:38, Sergio Corato <notifications@odoo-community.org> wrote:
Hi all,
I am writing this mail even though I've already written it in OCA Discord, because I think this is a security issue; I apologize if it's not.

I found, installed in an instance, a pip package from pypi.org of an OCA module upgraded there by a company outside OCA: https://pypi.org/project/odoo14-addon-stock-move-backdating/14.0.1.2.0/

They pushed the module changed, with a different logo (it was mostly this change that made me notice it) and a link to their website. It's a bad thing that someone can put a pip package there with random code.

I'll stop taking this pip from pypi.org or I'll take the OCA version, but what about other instances installed in this way? Or is it a deprecated way of deployment?

In tests done on GitHub the "non-OCA" version is used too:

Requirement already satisfied: odoo14-addon-stock-move-backdating in /opt/odoo-venv/src/odoo14-addon-stock-move-backdating/setup/stock_move_backdating (from -r test-requirements.txt (line 6)) (14.0.1.0.2.dev2)

while the current OCA version is "version": "14.0.1.0.1",

Sergio Corato

_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe



--
Pierre

by Pierre Verkest - 06:36 - 24 Jan 2025
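A defender-side check prompted by this thread, added here as an example and not part of either message: it walks the installed distributions of a virtualenv and flags any `odoo*-addon-*` package whose metadata does not look like an OCA release. It assumes OCA wheels carry Author "Odoo Community Association (OCA)" and a Home-page under github.com/OCA (the values setuptools-odoo normally writes); adjust both constants if your wheelhouse differs.

```python
"""Flag installed odoo*-addon-* packages whose metadata does not match the
expected OCA publisher values (assumed; adjust OCA_AUTHOR / OCA_HOME_RE)."""
import re
from importlib import metadata

# Package-name pattern used by OCA's PyPI releases, e.g. odoo14-addon-foo
ADDON_RE = re.compile(r"^odoo\d*-addon-", re.IGNORECASE)
# Assumed expected metadata of an OCA-built wheel
OCA_AUTHOR = "Odoo Community Association (OCA)"
OCA_HOME_RE = re.compile(r"^https://github\.com/OCA/", re.IGNORECASE)


def classify(name, author, home_page):
    """Return a list of findings for one package; empty means it looks OCA-built."""
    findings = []
    if not ADDON_RE.match(name or ""):
        return findings  # not an Odoo addon package, nothing to check
    if (author or "").strip() != OCA_AUTHOR:
        findings.append(f"{name}: unexpected Author {author!r}")
    if not OCA_HOME_RE.match((home_page or "").strip()):
        findings.append(f"{name}: unexpected Home-page {home_page!r}")
    return findings


def audit_environment():
    """Scan every distribution installed in the current interpreter."""
    findings = []
    for dist in metadata.distributions():
        md = dist.metadata  # email.message.Message-like, .get() tolerates gaps
        findings += classify(md.get("Name", ""), md.get("Author", ""),
                             md.get("Home-page", ""))
    return findings


if __name__ == "__main__":
    for line in audit_environment() or ["no suspicious addon packages found"]:
        print(line)
```

Run it inside the instance's virtualenv; any finding means the package came from a publisher other than the one you expect and deserves a look at its upload history on PyPI before it is trusted.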

Reference

  • OCA pip module loaded by external organization on pypi.org
    by Sergio Corato - 05:36 - 24 Jan 2025