[Python-modules-team] Bug#907726: virtualenv: automatically downloads untrusted code

Benjamin Moody benjamin.moody at gmail.com
Sat Sep 1 00:03:11 BST 2018


Package: virtualenv
Version: 15.1.0+ds-1
Severity: normal

Dear Maintainer,

The man page for virtualenv does not mention the --no-download option,
and does not indicate that the program's default behavior - i.e., upon
invoking 'virtualenv foo' - is to automatically download and install
code from the Internet.  (Whether or not virtualenv per se actually
executes any of that code, I'm not sure.)

This default behavior is a bad idea, to begin with...

 - there's no guarantee that the code downloaded is free software

 - there's no guarantee that the code downloaded won't change its
   behavior from one day to the next

 - there isn't even any authentication of the code's authorship,
   beyond verifying the TLS certificate of 'pypi.python.org'

...which of course are also problems with many typical uses of pip,
but in that case the user is at least arguably making a deliberate
choice.

This is a major change in behavior, compared to the behavior of
virtualenv in jessie; and it's one that violates (at least) my
expectations as a Debian user.

That said, I'm sure some people would say that this is exactly what
virtualenv is "supposed" to do.

At a minimum, this behavior should be documented, along with the
option needed to obtain the old sane behavior.


-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/40 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages virtualenv depends on:
ii  python3             3.5.3-1
ii  python3-virtualenv  15.1.0+ds-1

virtualenv recommends no packages.

virtualenv suggests no packages.

-- debconf-show failed
