Secure installs - pip documentation v26.1.2
(pip.pypa.io)
from HaraldvonBlauzahn@feddit.org to programming@programming.dev on 14 Jun 06:20
https://feddit.org/post/31227123
This is for making “pip install” safer, so that dependencies of your packages cannot change under your feet.
However, keep in mind that third-party PyPI packages are not vetted or reviewed for security before they become available. So, they are subject to the same risks for compromise as Arch Linux AUR packages.
A safer alternative would be to use GNU Guix, which has vetted packages, builds everything transparently from source, and has great support for cross-language projects.
#programming
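To show concretely what the linked “Secure installs” page is about, here is an added example (my own illustration, not code from pip or from the post above) that models pip's hash-checking mode: every requirement must be pinned with `==` and carry at least one `--hash=<algo>:<hexdigest>`, and a downloaded artifact is refused unless its digest matches one of them. The requirements file and the “wheel” bytes are constructed inline; the digest for `requests` is computed over those bytes so that line passes, the digest for `urllib3` is deliberately wrong, and `certifi` is left unpinned, so the two failure modes and the success case are all visible.

```python
"""Added example: a small model of pip's hash-checking mode (not pip's code).

In a requirements file, a pinned requirement may carry one or more
--hash=<algo>:<hexdigest> options (several are normal, e.g. one for the
sdist and one per wheel). Hash-checking mode is on when --require-hashes is
passed or when any requirement carries a --hash; in that mode pip rejects
anything not pinned with ==, anything without a hash, and any artifact whose
digest matches none of the listed hashes.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the wheel files pip would download, keyed by
# project name. Only the bytes-to-digest relationship matters here.
ARTIFACTS: Dict[str, bytes] = {
    "requests": b"constructed wheel bytes: requests 2.32.3\n",
    "urllib3": b"constructed wheel bytes: urllib3 2.2.2\n",
}

SUPPORTED_ALGOS = ("sha256", "sha384", "sha512")  # the algorithms pip accepts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GOOD_DIGEST = sha256_hex(ARTIFACTS["requests"])   # matches the constructed bytes
BAD_DIGEST = "0" * 64                              # deliberately wrong digest

# Constructed requirements.txt in the format pip's hash-checking mode reads.
REQUIREMENTS = f"""\
# requirements.txt (constructed for this example)
requests==2.32.3 \\
    --hash=sha256:{GOOD_DIGEST}
urllib3==2.2.2 \\
    --hash=sha256:{BAD_DIGEST}
certifi>=2024.2.2
"""

_HASH_OPT = re.compile(r"^--hash=([a-z0-9]+):([0-9a-fA-F]+)$")
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$")
_PINNED = re.compile(r"^==\s*[0-9A-Za-z.!+-]+$")   # exactly one == pin, no wildcard


def parse_requirements(text: str) -> List[Tuple[str, str, List[Tuple[str, str]]]]:
    """Return (name, version_spec, [(algo, hexdigest), ...]) per logical line,
    joining backslash-continued lines and skipping comments and blank lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            logical.append(buf.strip())
        buf = ""
    parsed = []
    for entry in logical:
        spec, *opts = entry.split()
        m = _NAME_RE.match(spec)
        if not m:
            raise ValueError(f"unparseable requirement: {entry}")
        name, version = m.group(1).lower(), m.group(2).strip()
        hashes = [(h.group(1), h.group(2).lower())
                  for h in (_HASH_OPT.match(o) for o in opts) if h]
        parsed.append((name, version, hashes))
    return parsed


def verify_install(text: str, artifacts: Dict[str, bytes],
                   require_hashes: bool = False) -> Dict[str, str]:
    """Decide per requirement as hash-checking mode would: {name: 'ok' | reason}."""
    reqs = parse_requirements(text)
    mode_on = require_hashes or any(hashes for _, _, hashes in reqs)
    results: Dict[str, str] = {}
    for name, version, hashes in reqs:
        if not mode_on:
            results[name] = "ok (hash checking off)"
            continue
        if not _PINNED.match(version):
            results[name] = "rejected: not pinned with =="
            continue
        if not hashes:
            results[name] = "rejected: no --hash given"
            continue
        if any(algo not in SUPPORTED_ALGOS for algo, _ in hashes):
            results[name] = "rejected: unsupported hash algorithm"
            continue
        data = artifacts.get(name)
        if data is None:
            results[name] = "rejected: artifact unavailable"
            continue
        matched = any(hashlib.new(algo, data).hexdigest() == digest
                      for algo, digest in hashes)
        results[name] = "ok" if matched else "rejected: hash mismatch"
    return results


if __name__ == "__main__":
    for name, status in verify_install(REQUIREMENTS, ARTIFACTS).items():
        print(f"{name:10s} {status}")
    # A single byte appended to the "downloaded" wheel is enough to be refused.
    tampered = dict(ARTIFACTS, requests=ARTIFACTS["requests"] + b"x")
    print("tampered  ", verify_install(REQUIREMENTS, tampered)["requests"])
```

The point the page makes is visible in the last two lines: the hash pins the exact bytes you reviewed, so a re-uploaded or swapped artifact is refused even when the version number is unchanged. What it does not do is vouch for those bytes being benign, which is the caveat in the post about unvetted PyPI packages.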
(sorry for OT)
Guix does not appear to be in Debian repositories, nor does it want to be installed by adding a repository. Is there an explanation for that?
Here is an explanation for that - I think it is valid for Debian, too:
wiki.archlinux.org/title/Guix
Where exactly in there?
You mean this? That would explain it.
Well, it has only 31,000 packages for now, and quite limited npm support ;-)
But more seriously, the user interface is still being polished. The documentation is top notch though, including the parts on how to define your own packages!
What’s also worth mentioning is that Guix packages are also an excellent way to distribute new FLOSS software for Linux/POSIX - your packages do not need to be part of the Guix distribution.
You can just put your package definition on your Codeberg or github page and users can pull that. Pretty much like Ubuntu PPAs or flatpaks but since everything is defined from source, people can inspect what they get, which fosters trust.
And it works for any distro that works with Guix, without modification, because the Guix dependencies give a 100% reproducible base.
Who is still using pip though? They should just retire it.