On 2020-03-05 20:49:14 -0800, Mr. Lee Chiffre wrote:
> > 2. he does not trust binaries from pip.
>
> What is the point of open source if you cannot compile from source code?

You can get the source code from pypi. I don't see any option for pip to do that, but you can easily do it manually.

If you don't trust the binaries from pypi, don't trust the source code either! Malware has been found on npm, for example. So to be sure there are no backdoors you have to (carefully) read the source of each module you use (which makes the time for downloading them manually trivial).

Oh, and you have read "Reflections on Trusting Trust", I presume?

> Not unusual. People use open source because they don't trust closed source.
> Binaries that someone else compiled is not open source.

It's still open source if the source is available (under the usual conditions). Whether you trust somebody else to compile the software is a question of trust, not of openness. Do you trust the person who compiled your compiler?

hp

--
Peter J. Holzer | h...@hjp.at | http://www.hjp.at/
Story must make more sense than reality. -- Charles Stross, "Creative writing challenge!"