7 events
when | what | by | license | comment
May 15, 2023 at 1:45 | comment added | David Z | | (2/2) In general, it's considered the developer's responsibility to determine, to their satisfaction, that the code they're using is doing what they want it to do. If, for you, being satisfied that the code is doing what you want it to do means examining every single line of code, then yes, you're supposed to scan every single line of code. But if, like most developers, you're willing to put some trust in the community, then you can rely on that to avoid having to audit all the code if a package is very popular or has been reviewed and verified in some manner.
May 15, 2023 at 1:41 | comment added | David Z | | @Andrew (1/2) The PyPI administrators will sometimes take down malicious packages when they find out about them, especially if the malicious package seems to be taking advantage of a name similarity. Other parts of the Python community may provide more stringent forms of verification, such as the Anaconda channel mentioned in MWB's comment, and there are also third-party security products that (claim to) scan packages and flag ones which seem suspicious. I'm not personally familiar with those measures, though.
May 12, 2023 at 18:59 | comment added | Andrew | | Does the Python community not address this problem in any way? So for every single thing you use pip for, you're supposed to just scan every single line of code?
Dec 16, 2021 at 22:42 | comment added | TomTerrific | | To summarize, yes, a few instances of malware being present in the library have been detected. More to the point, there is no protection against malware other than the user's own diligence. IMHO, this means that there is no way a user can be absolutely assured of the security of the software they are using. Murphy says, if it can be done, it has already been done a thousand times. Unfortunately, one of the greatest advantages of Python also turned out to be its Achilles heel.
Sep 18, 2017 at 18:28 | history edited | David Z | CC BY-SA 3.0 | add notes from comments
Jul 11, 2016 at 4:50 | vote accept | MWB | |
Jul 7, 2016 at 6:04 | history answered | David Z | CC BY-SA 3.0 |