Skip to main content
The 2024 Developer Survey results are live! See the results

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

4
  • To summarize, yes, a few instances of malware being present in the library have been detected. More to the point, there is no protection against malware other than the user's own diligence. IMHO meaning that there is no way a user can be absolutely assured of the security of the software they are using. Murphy says, if it can be done, it has already been done a thousand times. Unfortunately, one of the greatest advantages of Python also turned out to be its Achilles heel.
    – TomTerrific
    Commented Dec 16, 2021 at 22:42
  • Does the Python community not address this problem in any way? So every single thing you use pip for you're supposed to just scan every single line of code?
    – Andrew
    Commented May 12, 2023 at 18:59
  • 2
    @Andrew (1/2) The PyPI administrators will sometimes take down malicious packages when they find out about them, especially if the malicious package seems to be taking advantage of a name similarity. Other parts of the Python community may provide more stringent forms of verification, such as the Anaconda channel mentioned in MWB's comment, and there are also third-party security products that (claim to) scan packages and flag ones which seem suspicious. I'm not personally familiar with those measures, though.
    – David Z
    Commented May 15, 2023 at 1:41
  • 2
    (2/2) In general, it's considered the developer's responsibility to determine, to their satisfaction, that the code they're using is doing what they want it to do. If, for you, being satisfied that the code is doing what you want it to do means examining every single line of code, then yes, you're supposed to scan every single line of code. But if, like most developers, you're willing to put some trust in the community, then you can rely on that to avoid having to audit all the code if a package is very popular or has been reviewed and verified in some manner.
    – David Z
    Commented May 15, 2023 at 1:45