This repository was archived by the owner on Jan 28, 2026. It is now read-only.

Bug Fix - Dependency Confusion in oneccl_bind_pt package#13305

Merged
liu-shaojun merged 2 commits into intel:main from liu-shaojun:fix on Sep 12, 2025

Conversation

@liu-shaojun

@liu-shaojun liu-shaojun commented Sep 11, 2025

Contributor

Description

This PR addresses BUG - Dependency Confusion in oneccl_bind_pt package (see AO8-417).

The issue arises because we currently use --extra-index-url in multiple places together with the oneccl_bind_pt dependency. Since oneccl_bind_pt is not published on pypi.org, pip will first attempt to fetch from PyPI, and if a malicious actor publishes a fake oneccl_bind_pt package there, our scripts would install it.

Fix:

  • Replace all occurrences of --extra-index-url with --index-url.
  • This ensures that pip only pulls from the trusted internal index and does not fall back to pypi.org.

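The candidate selection the description above relies on, as an added example that is not code from this PR or the project: pip treats `--index-url` and every `--extra-index-url` as one combined pool and installs the highest version that satisfies the requirement, whichever index it came from, so a squatted name with a large version number on pypi.org beats the real package on the internal index. The index contents, the `internal` and `pypi.org` labels and the sample install script below are constructed for the demonstration; the lint and rewrite helpers are hypothetical, not tooling used by the project.

```python
"""Model of pip candidate selection across several indexes, and a lint for
--extra-index-url usage. Added example; not code from this PR or the project.
Index contents and the sample script are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed index contents: package name -> published versions.
INTERNAL_INDEX = {
    "oneccl_bind_pt": ["2.1.0", "2.3.0"],
    "torch": ["2.3.0"],
}
PUBLIC_PYPI_CLEAN = {
    "torch": ["2.3.0", "2.4.0"],
}
# The same public index after someone registers the unclaimed name there.
PUBLIC_PYPI_SQUATTED = {
    **PUBLIC_PYPI_CLEAN,
    "oneccl_bind_pt": ["99.0.0"],
}

INTERNAL = ("internal", INTERNAL_INDEX)


def _key(version):
    # Simplified ordering: dotted integers only (no pre-release or local tags).
    return tuple(int(p) for p in version.split("."))


@dataclass(frozen=True)
class Choice:
    name: str
    version: str
    source: str


def resolve(name, index_url, extra_index_urls=()):
    """Return the candidate pip would install: the highest version found in
    the index given by --index-url or any --extra-index-url. Indexes are
    passed here as (label, contents) pairs instead of real URLs."""
    best = None
    for label, contents in [index_url, *extra_index_urls]:
        for ver in contents.get(name, []):
            if best is None or _key(ver) > _key(best.version):
                best = Choice(name, ver, label)
    return best


def vulnerable_install(public_index):
    # Before the fix: --index-url is left at its default (pypi.org) and the
    # internal index is only added via --extra-index-url.
    return resolve("oneccl_bind_pt", ("pypi.org", public_index), [INTERNAL])


def fixed_install():
    # After the fix: --index-url names the internal index; pypi.org is never asked.
    return resolve("oneccl_bind_pt", INTERNAL)


# Constructed install script, the kind of file the PR changed.
SAMPLE_SCRIPT = """\
pip install torch --extra-index-url https://internal.example/simple
pip install oneccl_bind_pt --extra-index-url https://internal.example/simple
pip install numpy
"""

EXTRA_INDEX_RE = re.compile(r"--extra-index-url[=\s]+(\S+)")


def find_extra_index_usage(text):
    """Return (line_no, url) for every --extra-index-url in a script, Dockerfile
    or requirements file; each is a place where pypi.org still competes."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = EXTRA_INDEX_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def harden(text):
    """Apply the change this PR made: --extra-index-url becomes --index-url."""
    return text.replace("--extra-index-url", "--index-url")


if __name__ == "__main__":
    print("before fix, clean pypi.org   :", vulnerable_install(PUBLIC_PYPI_CLEAN))
    print("before fix, squatted pypi.org:", vulnerable_install(PUBLIC_PYPI_SQUATTED))
    print("after fix, squatted pypi.org :", fixed_install())
    for n, url in find_extra_index_usage(SAMPLE_SCRIPT):
        print(f"line {n}: --extra-index-url {url} -> switch to --index-url")
```

Two caveats a reviewer would raise when applying the same change elsewhere. A version pin such as `oneccl_bind_pt==2.3.0` does not close the hole, because the squatter can publish exactly that version; only hash pinning (`--require-hashes`) ties the install to known artifacts. And once `--index-url` points at the internal index, anything that lives only on pypi.org (like `numpy` in the constructed script) has to be mirrored or proxied by that index, or the install fails outright.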
@xiangyuT xiangyuT left a comment

Contributor

LGTM

@glorysdj glorysdj left a comment

Contributor

LGTM

@liu-shaojun liu-shaojun merged commit 6d89c82 into intel:main Sep 12, 2025
1 check passed
@liu-shaojun liu-shaojun deleted the fix branch September 12, 2025 02:22
@liu-shaojun liu-shaojun changed the title Fix PSIRT Vulnerability - Dependency Confusion in oneccl_bind_pt package Bug Fix - Dependency Confusion in oneccl_bind_pt package Nov 10, 2025
4 participants