Hi Philippe (2023.02.17_02:17:49_+0000)

> Well in my case the main motivation was security (i.e. only using
> code) that has security support by Debian.

There is probably some value there. You're safer from a variety of attacks that *could* theoretically happen on PyPI.

But, let me deflate Debian's reputation a bit here. Debian security support doesn't mean you're completely protected. There is probably a human behind a Debian upload that has vetted the upload and thinks it is safe. They thought this thing was useful to package for Debian (so probably not malware), and did some review to see that it installed itself correctly. They may have reviewed the upstream code, they may not have. They may review new upstream version diffs, they may not. (Generally, small things are easy to review, big complex things are impossible to.)

For the security support, it's largely reliant on security issues being reported as CVEs, which security researchers usually do, but upstreams often fail to do. And then it needs a volunteer to find/figure out the fix and apply it to the version in Debian.

So, again, there is definitely value here. If you're just using software from Debian stable releases, you know that some people have reviewed some of it. And you can be reasonably confident that you're using the same stack as some other people. But, on balance, for many problems the gains here aren't worth the pain of restricting yourself to Python modules published in Debian stable releases.

> But shouldn't that use case also be interesting for Debian
> Maintainers? Whenever their pip would need to download something from
> PyPI, it would mean that some dependency is likely not fulfilled in
> Debian (unless of course that Debian package is simply not installed).

Generally speaking when I'm working on code, I install libraries in virtualenvs. This is what the upstream tooling expects and so it makes everything more convenient. All the work may be done in a container, but I'm not restricting myself to Debian packages. If I am using Debian packages for something, I'll install them with apt. I don't need pip involved.

This is where I don't find the pip plugin idea that useful. Some people try to write software specifically to run on Debian stable, without any third party packages. For simple projects, this can work well. But, there are downsides. You often find you have to couple code changes to Debian's release cycle, which can get problematic. And nobody will understand what you're trying to do :)

SR

-- 
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272