316
Package managers be like (linux.community)

Sorry Python but it is what it is.

you are viewing a single comment's thread
view the rest of the comments
[-] SpaceNoodle@lemmy.world 56 points 1 year ago

npm is objectively worse. Base pip packages aren't getting hijacked.

[-] Redscare867@lemmy.ml 23 points 1 year ago

Maybe I’m misremembering, but didn’t pip have it’s own security concerns earlier this year?

[-] _stranger_@lemmy.world 6 points 1 year ago

I believe that was just name squatting.

[-] fragment@lemmy.world 6 points 1 year ago

It’s less the name squatting and more pip not supporting a certain PyPI resolution order: https://github.com/pypa/pip/issues/8606

For example, I have A, B and C in my requirements.txt but I want to install C from my own private PyPI. Everything works fine until someone uploads a package name C to the public PyPI then suddenly I’m not installing my private package anymore.

[-] _stranger_@lemmy.world 2 points 1 year ago

Yeah, I remember now. the name squatting was from people putting malicious packages under misspelled names of well known packages, like "requets" instead of requests.

this post was submitted on 13 Oct 2023
316 points (81.0% liked)

Programmer Humor

32464 readers
418 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS