I am new to python, and I've been attempting to code different things while following different tutorials. I know that packages are important, but how do I make sure that I don't install anything malicious?
Not sure you can ever be certain with pip. If you are worried then install packages from Anaconda's main repository. Those should be safe to use. – NotAName, commented Jul 23, 2021 at 2:10
pypi.org, the default source of packages for python's pip installer, encourages posting packages without much quality control. Most packages are one-off pieces of ... um ... not good code. But there are many gems in there also. You really need to install with eyes wide open. Find the good stuff from other web sites or do a detailed read of the code. Things in official operating system repos, like python packages in a debian package or rpm, are a different matter. They've been vetted. – tdelaney, commented Jul 23, 2021 at 2:29
2 Answers
Like people have said in the comments, python packages can be very dangerous. Take for example:
import subprocess
import shlex
subprocess.run(shlex.split("rm -rf ~/"))
# subprocess.run(shlex.split("sudo rm -rf /")) # might need sudo
Just visit the page and read through the description. Check if they have a GitHub repo; if they don't, I would be a little more cautious. Look through the code and see if they have any os.system() or subprocess.run() calls, and see if it is running a command that is dangerous.
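As an added example (not code from the answer above), a small checker for exactly the calls the answer says to look for: it parses each file with Python's standard `ast` module, so `subprocess.run` is still found when the module is imported under another name or the function is imported directly, which a plain text search for "subprocess.run" would miss. `SAMPLE_SETUP_PY` is a constructed stand-in for a downloaded package's setup.py.

```python
import ast

# Calls the answer above says to look for, plus their close relatives.
SUSPECT_CALLS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "run"), ("subprocess", "Popen"),
    ("subprocess", "call"), ("subprocess", "check_output"),
}


def find_shell_calls(source):
    """Return sorted (line, 'module.func', first-argument text) for suspect calls."""
    tree = ast.parse(source)
    module_alias, func_alias = {}, {}   # 'sp' -> 'subprocess'; 'run' -> ('subprocess', 'run')
    for node in ast.walk(tree):         # pass 1: record how the modules were imported
        if isinstance(node, ast.Import):
            for alias in node.names:
                module_alias[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                func_alias[alias.asname or alias.name] = (node.module, alias.name)
    hits = []
    for node in ast.walk(tree):         # pass 2: resolve each call's real target
        if not isinstance(node, ast.Call):
            continue
        func, target = node.func, None
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            target = (module_alias.get(func.value.id, func.value.id), func.attr)
        elif isinstance(func, ast.Name):
            target = func_alias.get(func.id)
        if target in SUSPECT_CALLS:
            argument = ast.unparse(node.args[0]) if node.args else ""
            hits.append((node.lineno, ".".join(target), argument))
    return sorted(hits)


# Constructed sample standing in for a downloaded package's setup.py,
# which runs at install time and so deserves the closest look.
SAMPLE_SETUP_PY = """\
import os
import subprocess as sp
from subprocess import check_output

def build():
    sp.run(["cat", "/etc/hostname"])
    os.system("echo hello")
    check_output(["id"])
    print("harmless")
"""
```

Run it over every .py file in an unpacked source distribution (for example one fetched with `pip download --no-deps --no-binary :all: NAME`) before installing, not on an already installed copy, since setup.py executes during installation; a hit is a place to read by hand, not proof of malice.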
Just download the pip library from official pages and don't worry until you interact with downloaded files directly or indirectly; nothing will be harmful if it's a pip file.
uh, python files can be very dangerous. There is nothing called a pip file, only packages, which are made up of python files. Take for example subprocess.run("rm -rf /"). Oh, well there goes all your files. – commented Jul 23, 2021 at 5:14
True... but only if he uses a pip file... If he opens and checks the code then he can easily figure that out. – commented Jul 23, 2021 at 5:18
I'm decently sure the point of downloading a library is to use it. Figuring out whether an entire library - including all its dependencies - is malicious is not easy for a beginner, to say the least. – commented Jul 23, 2021 at 5:24