Update --extra-index-url usage in repository webpages


What does this MR do and why?

A fix for Issue #384253 (closed).

This MR changes --extra-index-url to --index-url in order to prevent users from using the first command without understanding its security implications. Since using --extra-index-url can lead to dependency confusion (for further details see: https://hackerone.com/reports/1681275), this change increases users' security while using GitLab.

Furthermore, forwarding of requests for unknown packages to pypi.org should be disabled by default. This setting can have dangerous side effects and should not be enabled by default. Administrators that understand the consequences could still enable the feature for their instance. Even though the option to disable "PyPi Forwarding" is described in the documentation, it is a feature that can only be configured with a "Premium" subscription. Users with a "Free" subscription cannot disable "PyPi Forwarding". Therefore to strengthen security, the GitLab Team might consider adding this option to the "Free" tier of GitLab.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
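The flag change this MR describes, as an added example that is not part of the MR or of GitLab's own code: a small auditor that flags `--extra-index-url` in a pip command line (the same flag syntax is used in requirements.txt) and emits the hardened `--index-url` form. The command lines and URLs it is run on are constructed samples.

```python
"""Audit pip command lines for --extra-index-url (constructed example, not GitLab code).

pip treats --extra-index-url as an index to search in addition to pypi.org and
installs the highest version found on either, so a public upload with the same
name as a private package can win (dependency confusion). --index-url replaces
the default index, so only the named index is consulted.
"""
import shlex

RISKY = "--extra-index-url"
SAFE = "--index-url"


def _split_flag(argv, i, flag):
    """Return (url, tokens_consumed) if argv[i] is `flag URL` or `flag=URL`, else None."""
    tok = argv[i]
    if tok == flag and i + 1 < len(argv):
        return argv[i + 1], 2
    if tok.startswith(flag + "="):
        return tok.split("=", 1)[1], 1
    return None


def audit_command(cmd: str) -> dict:
    """Flag --extra-index-url and produce the hardened --index-url form.

    A pre-existing --index-url (typically pypi.org) is dropped from the hardened
    form, because keeping it next to the private index would recreate the race.
    With more than one extra index, 'fixed' is None: picking the single
    authoritative index is the maintainer's decision, not the tool's.
    """
    argv = shlex.split(cmd)
    extra, kept, i = [], [], 0
    while i < len(argv):
        hit = _split_flag(argv, i, RISKY) or _split_flag(argv, i, SAFE)
        if hit is None:
            kept.append(argv[i])
            i += 1
            continue
        url, consumed = hit
        if argv[i].startswith(RISKY):
            extra.append(url)
        i += consumed  # both index flags are removed here; SAFE is re-added below
    if not extra:
        return {"risky": False, "extra_urls": [], "fixed": cmd}
    if len(extra) > 1:
        return {"risky": True, "extra_urls": extra, "fixed": None}
    return {"risky": True, "extra_urls": extra,
            "fixed": shlex.join(kept + [SAFE, extra[0]])}
```

Note that after the rewrite the private index is the only one pip consults, so every public dependency the project needs must be served (or deliberately proxied) by that index.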
