Hacker News

I thought I had seen some negative comments about its security. Does anyone know more about it?



They installed a root certificate on Windows computers that could have been used to MITM all traffic.

I personally had issues with the project years before that when I tried to install their Linux .deb and they ran `pip install` as root in the pre-install script inside the .deb. That caused so much havoc to clean up I was pissed at them for years. Now that idiocy is blocked by default in current versions of pip.


Yeah it just seemed like a slightly suss project to me. I did use it initially but uninstalled it after the Chinese root certificate incident.

I wonder if anyone has forked it...


I haven't heard anything negative about it, and I can only find one CVE:

https://www.cvedetails.com/cve/CVE-2024-25140/

Personally, I'm not exposing my installations to the Internet, so I feel relatively secure regardless.



