149
PySimpleGUI is now closed-source
(github.com)
Welcome to the Python community on the programming.dev Lemmy instance!
Past
November 2023
October 2023
July 2023
August 2023
September 2023
Does pip really allow binary blobs? That effectively makes it zero security.
To be fair it has some valid use cases, take ruff for example.
But pip/pypi does not have any proper security at all, and just blocking binary blobs wouldn't make a difference when you can freely execute any python code during installation - Much like downloading an executable from any site online, you are expected to make sure you can trust whoever uploaded what you are downloading. You could say the same about other sites like GitHub too.
There is a fair difference still between source available and binary blob. The blob has essentially no chance of ever being audited.
Take a look at the Source Distribution files: https://pypi.org/project/PySimpleGUI/#files
As far as I can see, it's still all just Python.
binary blobs aren't really a security hole , since AFAIK the pypi team don't check every package for malicious code before they get shown publicly . it just shifts the trust from pypi to the library authors
Sure, and it's really nice for big compiled projects to not have to compile that on every update.