On Thu, Sep 5, 2024 at 12:13 PM Patrick O'Callaghan <pocallag...@gmail.com> wrote: > > On Thu, 2024-09-05 at 14:48 +0100, Barry wrote: > > > > > On 5 Sep 2024, at 12:15, Patrick O'Callaghan <pocallag...@gmail.com> > > > wrote: > > > > > > I believe there is an ongoing discussion about how pip should be more > > > integrated with packaging systems to avoid this kind of confusion. > > > > Not sure what you are referring to, all discussion are long over. > > > https://lwn.net/Articles/924104/ > > Admittedly this is from last year. I don't follow Python news very > closely.
This made my radar today: <https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/>. It's like Peter Gutmann said: "A great many of today’s security technologies are “secure” only because no-one has ever bothered attacking them." > > The current state is that you MUST use a venv for all pip installed > > packages. > > That is the accepted solution. > > > > Also pip was changed to prevent you installing outside a venv without > > explicit command option to override. > > That doesn't seem to correspond with the man page, which has: > > --require-virtualenv Allow pip to only run in a virtual environment; > exit with an error otherwise. > > However there is no indication that this is the default, and when I run > pip install I get no warning about it. Jeff -- _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
