Package managers be like

Posted by ExLisper@linux.community to Programmer Humor@lemmy.ml · English · 1 year ago · 162 comments

[image]
Redscare867@lemmy.ml · 1 year ago:
Maybe I’m misremembering, but didn’t pip have its own security concerns earlier this year?

_stranger_@lemmy.world · 1 year ago:
I believe that was just name squatting.

fragment@lemmy.world · 1 year ago:
It’s less the name squatting and more pip not supporting a certain PyPI resolution order: https://github.com/pypa/pip/issues/8606

For example, I have A, B and C in my requirements.txt but I want to install C from my own private PyPI. Everything works fine until someone uploads a package named C to the public PyPI, then suddenly I’m not installing my private package anymore.
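The resolution-order problem fragment describes (the "dependency confusion" case tracked in pip issue 8606) is easy to see in a small model. The following is an added example for this thread, not pip's code and not the behaviour of any real index: it models an installer that pools candidates from every configured index and takes the highest version, puts a private-first policy beside it, and runs a pre-install check that flags requirement names present on both indexes. The package names `A`, `B`, `C`, the versions and the index contents are all constructed.

```python
"""Simplified model of package-index resolution order (added example, not pip's
own resolver).  Index contents, names and versions below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple      # e.g. (1, 4, 0); tuples compare element-wise
    index: str          # "private" or "public"


# Constructed: the in-house package "C" lives only on the private index until
# an unrelated "C" with a much higher version is uploaded to the public one.
PRIVATE_INDEX = {
    "C": [Candidate("C", (1, 4, 0), "private")],
}
PUBLIC_INDEX = {
    "A": [Candidate("A", (2, 0, 0), "public")],
    "B": [Candidate("B", (3, 1, 0), "public")],
    "C": [Candidate("C", (99, 0, 0), "public")],   # name collision
}

# Constructed requirements.txt, as in the comment: A, B and C.
REQUIREMENTS_TXT = """\
# in-house service requirements
A==2.0.0
B>=3
C   # private package
"""


def parse_requirement_names(text):
    """Return the distribution names from a simple requirements file.
    Handles comments and blank lines; version specifiers are ignored."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names


def resolve_merged(name, indexes):
    """Model of an installer given an index plus extra indexes as peers:
    candidates from all indexes are pooled and the highest version wins,
    regardless of which index it came from."""
    pool = [c for idx in indexes for c in idx.get(name, [])]
    if not pool:
        raise LookupError(f"{name}: not found in any index")
    return max(pool, key=lambda c: c.version)


def resolve_private_first(name, private, public):
    """Safer policy: the public index is consulted only when the private
    index has no candidate at all.  This is what a private proxy that fronts
    both feeds can enforce; merging indexes as peers cannot."""
    if name in private:
        return max(private[name], key=lambda c: c.version)
    return resolve_merged(name, [public])


def collisions(requirement_names, private, public):
    """Pre-install check: names that exist on both indexes, i.e. private
    packages that a merged resolution could silently replace."""
    return sorted(n for n in requirement_names if n in private and n in public)


if __name__ == "__main__":
    names = parse_requirement_names(REQUIREMENTS_TXT)
    for n in names:
        merged = resolve_merged(n, [PRIVATE_INDEX, PUBLIC_INDEX])
        safe = resolve_private_first(n, PRIVATE_INDEX, PUBLIC_INDEX)
        print(f"{n}: merged -> {merged.index} {merged.version}, "
              f"private-first -> {safe.index} {safe.version}")
    print("colliding names:", collisions(names, PRIVATE_INDEX, PUBLIC_INDEX))
```

The collision check is the part worth running before an install: a name that appears on both feeds is exactly the situation fragment describes, and it is invisible to the install itself because the public package is, from the resolver's point of view, a perfectly good newer version. The usual mitigations are to serve only the private index (with a proxy that handles the fall-through to the public feed, so the public index never appears as a peer in the client's configuration) and to pin installs with pip's hash-checking mode, which rejects any distribution whose hash is not listed.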