0 points
Denvercoder9
2y ago
`pip install` does do exactly the same thing: it downloads and executes code from a tarball uploaded to PyPI by its maintainer. There's no verification process that ensures that tarball matches what's in the git repository.
im3w1l
2y ago
Yes I know, and that's what I meant when I said "their own can of worms".
Distro-provided python packages don't use pip however, at least afaik.
Denvercoder9
OP
2y ago
The distro-provided Python packages are usually still built from the source on PyPI as uploaded by the maintainer, not what's in git.
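As an added illustration of the gap discussed in this thread (not code from any commenter or from pip), the following sketch hashes every file in an sdist tarball and reports files that are absent from, or differ from, a checkout of the git repository. The function names, the `GENERATED` allow-list and the sample package are assumptions constructed for this example.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

GENERATED = {"PKG-INFO", "setup.cfg"}  # build-generated sdist files (assumed list)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def sdist_hashes(sdist_bytes):
    """Path (leading 'name-version/' stripped) -> SHA-256 per file in the sdist."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for m in tar:
            if m.isfile() and "/" in m.name:
                out[m.name.split("/", 1)[1]] = sha256(tar.extractfile(m).read())
    return out

def tree_hashes(root):
    """Relative path -> SHA-256 per file in a git checkout, skipping .git/."""
    rel = {p.relative_to(root): p for p in Path(root).rglob("*") if p.is_file()}
    return {r.as_posix(): sha256(p.read_bytes())
            for r, p in rel.items() if ".git" not in r.parts}

def compare(sdist_bytes, checkout):
    """Report sdist files that are missing from, or differ from, the checkout."""
    s, g = sdist_hashes(sdist_bytes), tree_hashes(checkout)
    extra = sorted(f for f in s if f not in g
                   and f not in GENERATED and ".egg-info/" not in f)
    modified = sorted(f for f in s if f in g and s[f] != g[f])
    return {"only_in_sdist": extra, "modified": modified}

def demo():
    """Constructed sample: sdist with one changed and one extra file vs. a checkout."""
    mod, setup_py = b"VERSION = '1.0'\n", b"from setuptools import setup\nsetup()\n"
    sdist = {"pkg-1.0/mod.py": mod, "pkg-1.0/PKG-INFO": b"Name: pkg\n",
             "pkg-1.0/setup.py": setup_py + b"# line not present in git\n",
             "pkg-1.0/build_helper.py": b"# file not present in git\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sdist.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "mod.py").write_bytes(mod)
        (Path(d) / "setup.py").write_bytes(setup_py)
        return compare(buf.getvalue(), d)
```

Files listed under `only_in_sdist` or `modified` are the ones to review by hand, since they are what the installer would run but a reader of the repository would never see.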