On 12/4/19 10:59 AM, David Lowry-Duda wrote:
> I notice that "python3-dateutil" is in over 4000 github repositories
> [1]. That sounds like a disaster.
>
> [1]: https://github.com/search?q=python3-dateutil&type=Code
It's clearly not, as Christian has already said. In fact, it would be very
difficult to determine from a github search whether this bad package was
actually deployed anywhere. Since it presents a fake "dateutil" module,
imports would look the same and proper as using the correct one. The only
way this package comes into play is if someone pip-installed it, or had an
install script that installed it, or if it were bundled in the source tree.

So this is very bad indeed, but not as bad as you suggest. We're not nearly
as much at risk as node.js npm users are yet.

-- 
https://mail.python.org/mailman/listinfo/python-list
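The reply above makes the practical point: because the bad distribution installs a module that is also called dateutil, an import or a GitHub code search cannot tell the two apart, and the only evidence is in what was pip-installed, what an install script pulls in, or what was vendored into the tree. As an added example, not code from the original thread, the Python below checks the first two of those: it reads the installed distribution metadata to see which distribution actually provides the importable dateutil module, and scans a requirements file or shell install script for the python3-dateutil name (with PEP 503 name normalization so spelling variants are not missed). The names python-dateutil and python3-dateutil are taken from the thread; the sample requirements and script contents are constructed for the demonstration, and the function names are my own.

```python
"""Check whether the look-alike 'python3-dateutil' distribution, rather than
the legitimate 'python-dateutil', is what provides the importable 'dateutil'
package, and flag requirements files / install scripts that name it.
Added example for this thread; not code from the original post."""

import re
from importlib import metadata
from typing import Iterable, List, Set, Tuple

# Distribution names as the thread reports them: python-dateutil is the real
# project, python3-dateutil the bad package. Nothing else about the incident
# is assumed here.
LEGIT = "python-dateutil"
SUSPECT = "python3-dateutil"

Dist = Tuple[str, Set[str]]  # (distribution name, top-level modules it ships)


def normalize(name: str) -> str:
    """PEP 503 name normalization: 'Python3_DateUtil' -> 'python3-dateutil'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_distributions() -> Iterable[Dist]:
    """Read (name, top-level modules) from the installed metadata of the
    running interpreter. This is the check that 'import dateutil' cannot do:
    both distributions install a module called dateutil."""
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        modules = set((dist.read_text("top_level.txt") or "").split())
        if not modules and dist.files:  # some wheels omit top_level.txt
            modules = {p.parts[0] for p in dist.files if len(p.parts) > 1}
        yield name, modules


def providers_of(module: str, dists: Iterable[Dist]) -> List[str]:
    """Distribution names that ship the given top-level module."""
    return sorted(name for name, modules in dists if module in modules)


def classify(module: str, dists: Iterable[Dist]) -> str:
    """'suspect' if python3-dateutil ships the module (even alongside the
    real one: whichever was installed last owns the files), 'legit' if only
    python-dateutil does, 'absent' otherwise."""
    providers = {normalize(n) for n in providers_of(module, dists)}
    if normalize(SUSPECT) in providers:
        return "suspect"
    if normalize(LEGIT) in providers:
        return "legit"
    return "absent"


# A requirement line starts with the project name; a 'pip install' line in a
# script lists names (and options) after the verb.
REQ_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
PIP_INSTALL_RE = re.compile(r"\bpip[23]?\s+install\b(.*)")


def suspect_lines(text: str) -> List[int]:
    """1-based line numbers that would install the bad package, from either
    a requirements file or a shell install script."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIP_INSTALL_RE.search(line)
        if m:
            candidates = m.group(1).split()
        else:
            m = REQ_NAME_RE.match(line)
            candidates = [m.group(1)] if m else []
        for cand in candidates:
            # Drop version specifiers, extras and markers: 'name==2.8.1' -> 'name'
            base = re.split(r"[=<>!~\[;@]", cand, maxsplit=1)[0]
            if normalize(base) == normalize(SUSPECT):
                hits.append(lineno)
                break
    return hits


# Constructed inputs for the demonstration (not taken from any real repo).
CONSTRUCTED_LEGIT_ENV = [("six", {"six"}), (LEGIT, {"dateutil"})]
CONSTRUCTED_BAD_ENV = [(LEGIT, {"dateutil"}), (SUSPECT, {"dateutil"})]
SAMPLE_REQUIREMENTS = """\
requests==2.22.0
python-dateutil>=2.8  # the real one
Python3_DateUtil==2.8.1
# python3-dateutil in a comment is not an install
"""
SAMPLE_INSTALL_SH = """\
#!/bin/sh
pip install -r requirements.txt
pip3 install --upgrade python3-dateutil
"""

if __name__ == "__main__":
    print("constructed good env:", classify("dateutil", CONSTRUCTED_LEGIT_ENV))
    print("constructed bad env: ", classify("dateutil", CONSTRUCTED_BAD_ENV))
    print("requirements hits:   ", suspect_lines(SAMPLE_REQUIREMENTS))
    print("install script hits: ", suspect_lines(SAMPLE_INSTALL_SH))
    print("this interpreter:    ", classify("dateutil", installed_distributions()))
```

Run it inside the virtualenv you actually deploy from: the metadata check answers the question for that environment only, so a CI image, a Docker layer and a developer laptop each need their own run. The scanner is deliberately narrow (requirements lines and pip install commands); a package vendored straight into the source tree, the third case the reply mentions, leaves no distribution metadata and has to be found by diffing the vendored files against a known-good release.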