What are the security considerations of using --allow-external or --allow-all-externals options of pip?
The documentation sections where these options are described (pip install, pip wheel) are very terse and do not explain the dangers of using them. I couldn't also find any resource on the Internet that would do so either.
I have asked this question on the FreeNode #pip channel. The following is my interpretation of the replies I've got there. Thanks go to agronholm and dstufft from #pip for answering my question.
Packages can be maintained on PyPI in three different ways:
Directly on PyPI. If a package is hosted on PyPI, no additional switch is required to install it. Connection to PyPI is secured by HTTPS, therefore the downloads are considered as trusted.
On an external site, with PyPI storing a secure checksum of the relevant files. In this case pip requires the --allow-external switch to proceed. While the download might potentially come from an unsecured server, downloaded files are checked against the secure checksum stored on PyPI. Because of that, this case is also considered secure.
On an external site, without PyPI storing any checksum. In this case there is no way to ensure that the download is safe. --allow-external is not enough to enable installation in this case, pip requires --allow-unverified.
Therefore, --allow-external alone is considered a safe switch, and only using --allow-unverified is a potential security issue. This is also why pip has an --allow-all-external option, but no --allow-all-unverified.
As a side note, --allow-external was introduced not as a security feature, but due to the potential speed, uptime and convenience issues while dealing with third party websites.
