pypi is not serious about security

@hipsterelectron any package manager serious about security has hard versioning and checksums covering all possible constructs of the system. Pip is happy to install whatever malware as long as some site says it's at or above the correct version.
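The "hard versioning and checksums" point above, as an added example that is not part of the original thread: a small checker in the style of pip's `--require-hashes` mode, which only accepts a requirement when it is pinned to an exact version and the downloaded file's SHA-256 matches a pinned `--hash=sha256:` digest. The package names, artifact bytes and requirements text are constructed here for illustration; the parsing is a simplified stand-in for pip's own, not pip's code.

```python
import hashlib
import re

# Constructed artifacts standing in for downloaded wheel/sdist bytes.
ARTIFACTS = {
    "examplepkg": b"contents of examplepkg-1.2.3-py3-none-any.whl (constructed)",
    "otherpkg": b"contents of otherpkg-0.9.0.tar.gz (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed requirements text in pip's hash-pinning syntax. Each
# requirement is pinned both to an exact version AND to a file digest,
# so a server claiming "this is 1.2.3" is not enough on its own.
REQUIREMENTS = (
    "examplepkg==1.2.3 \\\n"
    f"    --hash=sha256:{sha256_hex(ARTIFACTS['examplepkg'])}\n"
    "otherpkg==0.9.0 \\\n"
    f"    --hash=sha256:{sha256_hex(ARTIFACTS['otherpkg'])}\n"
)

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text: str) -> dict[str, tuple[str, set[str]]]:
    """Return {name: (version, {allowed sha256 digests})}.

    Backslash-continued lines are joined, as pip does. A requirement
    without an exact '==' pin or without any --hash is rejected, mirroring
    the strictness of pip's --require-hashes mode (simplified here).
    """
    logical_lines = text.replace("\\\n", " ").splitlines()
    pins: dict[str, tuple[str, set[str]]] = {}
    for line in logical_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"not pinned to an exact version: {line!r}")
        digests = set(HASH_RE.findall(line))
        if not digests:
            raise ValueError(f"no --hash given for {m.group(1)}")
        pins[m.group(1).lower()] = (m.group(2), digests)
    return pins


def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """True only if the artifact's sha256 is one of the digests pinned for name."""
    if name.lower() not in pins:
        return False  # unpinned package: refuse rather than trust the index
    _version, digests = pins[name.lower()]
    return sha256_hex(data) in digests


def check_all(artifacts: dict[str, bytes], pins: dict) -> dict[str, bool]:
    """Verify every downloaded artifact against the pinned digests."""
    return {name: verify_artifact(name, data, pins) for name, data in artifacts.items()}


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print(check_all(ARTIFACTS, pins))
    tampered = ARTIFACTS["examplepkg"] + b"\n# appended by a hostile mirror"
    print("tampered accepted?", verify_artifact("examplepkg", tampered, pins))
```

The same idea is what `pip install --require-hashes -r requirements.txt` enforces: an artifact whose digest is not in the file is rejected regardless of the version the index reports for it.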

As far as I've seen, Go is the only language to get this right although cargo provably does too

@benjistokman i spent years working to fix this https://pip.pypa.io/en/latest/reference/installation-report/ all the pip maintainers have been swapped out in preparation for the fascist. cargo is not remotely serious about this

@benjistokman build scripts are a remote code injection avenue it's really basic and important to understand this

@hipsterelectron ah yes the old "executing code executes code" thing nobody seems to get.

One time I read most of an article presenting the eval command as a security hole because it executes arbitrary code

@hipsterelectron I disagree and I think @dstufft would have more to say on the topic.