rant, package management religion 

Ah yes, I see that all the religious "use less dependencies" takes have arrived in response to the PyPI/PyTorch incident, with apparently none of these people realizing that that literally wouldn't have made a difference here, and that the actual security issue is in pip itself.

re: rant, package management religion 

For those less familiar with dependency security: what happened here was that PyTorch depended on a package from *their own* package registry, and someone could inject malware by publishing a package of the same name on PyPI, which automatically got preferred by pip *even though it wasn't the correct repository*.

The problem here is that pip disregards origin repository, and instead has its own priority rules that always override private repositories. This means that literally *any* private repository entry could have been overridden, whether you have 1 or 100 entries.
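To make the resolution rule in the post concrete, here is a small added model (not code from the post, from PyTorch or from pip itself). It assumes pip's documented behaviour of pooling candidates from `--index-url` and every `--extra-index-url` and picking by version with no preference for the index a candidate came from; the index URLs, package names and versions are constructed. Next to that it shows the defensive alternative a practitioner actually wants: resolving each package only from the index it is supposed to come from, and an audit that flags any name whose merged-index winner is not its home index.

```python
"""Model of merged-index dependency confusion and an origin-pinned alternative.

Added example. Assumptions (labelled): index URLs, package names and versions
are constructed; pip_style_pick models pip's pooled, version-ordered candidate
selection across --index-url and --extra-index-url, which does not rank indexes.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # simple-index URL the candidate was served from


def parse_version(version: str) -> Tuple[int, ...]:
    """Minimal dotted-integer version key, sufficient for the constructed data
    (a real resolver uses PEP 440 ordering)."""
    return tuple(int(part) for part in version.split("."))


def pip_style_pick(candidates: Iterable[Candidate], name: str) -> Optional[Candidate]:
    """Every configured index is searched, results are pooled, highest version wins.
    Origin is not a tiebreak, so a public upload of the same name with a higher
    version displaces the private package."""
    pool = [c for c in candidates if c.name == name]
    return max(pool, key=lambda c: parse_version(c.version), default=None)


def origin_pinned_pick(candidates: Iterable[Candidate], name: str,
                       expected_index: str) -> Optional[Candidate]:
    """Defensive variant: accept only candidates served by the package's home index.
    Operationally this is installing private packages from a single --index-url, or
    fronting pip with a proxy that maps each name to exactly one upstream."""
    pool = [c for c in candidates if c.name == name and c.index == expected_index]
    return max(pool, key=lambda c: parse_version(c.version), default=None)


def audit(candidates: List[Candidate], expected_origin: Dict[str, str]) -> Dict[str, str]:
    """For each package with a known home index, report whether merged-index
    resolution would fetch it from somewhere else."""
    report: Dict[str, str] = {}
    for name, home in expected_origin.items():
        winner = pip_style_pick(candidates, name)
        if winner is None:
            report[name] = "missing"
        elif winner.index != home:
            report[name] = f"SHADOWED by {winner.index} ({winner.version})"
        else:
            report[name] = "ok"
    return report


# Constructed index URLs and listing: what a resolver would see after querying both.
PRIVATE_INDEX = "https://pypi.internal.example/simple/"  # placeholder private index
PUBLIC_INDEX = "https://pypi.org/simple/"

CANDIDATES = [
    Candidate("internal-helper", "1.2.0", PRIVATE_INDEX),  # the real private package
    Candidate("internal-helper", "99.0.0", PUBLIC_INDEX),  # same name, higher version, public
    Candidate("public-lib", "2.0.1", PUBLIC_INDEX),        # a normal public dependency
]
EXPECTED_ORIGIN = {"internal-helper": PRIVATE_INDEX, "public-lib": PUBLIC_INDEX}

if __name__ == "__main__":
    for pkg, status in audit(CANDIDATES, EXPECTED_ORIGIN).items():
        print(f"{pkg}: {status}")
    safe = origin_pinned_pick(CANDIDATES, "internal-helper", PRIVATE_INDEX)
    print("origin-pinned pick:", safe.version, "from", safe.index)
```

Running the audit over the constructed listing reports `internal-helper` as shadowed by the public index while `public-lib` is fine; the origin-pinned pick returns the private 1.2.0 regardless of what exists publicly under the same name. The same audit shape works against real index listings if you replace the constructed `CANDIDATES` with results fetched from your configured indexes.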

Pixietown