1

I am new to python, and I've been attempting to code different things while following different tutorials. I know that packages are important, but how do I make sure that I don't install anything malicious?

2
  • Not sure you can ever be certain with pip. If you are worried then install packages from Anaconda's main repository. Those should be safe to use.
    – NotAName
    Commented Jul 23, 2021 at 2:10
  • 2
    pypi.org, the default source of packages for python's pip installer, encourages posting packages without much quality control. Most packages are one-off pieces of ... um ... not good code. But there are many gems in there also. You really need to install with eyes wide open. Find the good stuff from other web sites or do a detailed read of the code. Things in official operating system repos, like python packages in a debian package or rpm, are a different matter. They've been vetted.
    – tdelaney
    Commented Jul 23, 2021 at 2:29

2 Answers

2

Like people have said in the comments, python packages can be very dangerous. Take for example:

import subprocess
import shlex

subprocess.run(shlex.split("rm -rf ~/"))
# subprocess.run(shlex.split("sudo rm -rf /"))  # might need sudo

Just visit the page, and read through the description. Check if they have a GitHub repo. If they don't, I would be a little more cautious. Look through the code, and see if they have any os.system() or subprocess.run() and see if it is running a command that is dangerous.
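One way to do the "look through the code for os.system() or subprocess.run()" step from the answer above without reading every file by hand is a small static scan over the downloaded package. The script below is an added example and is not code from the answer or from any particular project: it parses each .py file with Python's ast module and lists calls to a constructed set of names worth reviewing (os.system, the subprocess entry points, eval, exec). The package directory path and the list of names are assumptions you can adjust.

```python
from __future__ import annotations

import ast
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed list of call names that warrant a closer look before installing.
# Not a blocklist: a hit means "read this line", not "this package is malicious".
RISKY_CALLS = {
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "eval", "exec",
}


def _call_name(node: ast.Call) -> Optional[str]:
    """Return the dotted name being called, e.g. 'subprocess.run', or None."""
    func = node.func
    parts: List[str] = []
    while isinstance(func, ast.Attribute):   # walk a.b.c down to the base name
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None                               # e.g. a call on a call result


def find_risky_calls(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line number, call name) for every risky call in one module."""
    try:
        tree = ast.parse(source, filename=filename)
    except (SyntaxError, ValueError):         # unparsable file: report nothing here
        return []
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in RISKY_CALLS:
                hits.append((node.lineno, name))
    return hits


def scan_sources(sources: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan {filename: source text}; return only the files that had hits."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for filename, source in sources.items():
        hits = find_risky_calls(source, filename)
        if hits:
            report[filename] = hits
    return report


def scan_package(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every .py file under a downloaded package directory (assumed path)."""
    sources = {
        str(path): path.read_text(encoding="utf-8", errors="replace")
        for path in Path(root).rglob("*.py")
    }
    return scan_sources(sources)


if __name__ == "__main__":
    # Constructed sample package: one module with shell calls, one without.
    sample = {
        "somepkg/setup.py": "import subprocess\nsubprocess.run(['echo', 'hi'])\n",
        "somepkg/util.py": "def add(a, b):\n    return a + b\n",
    }
    for filename, hits in scan_sources(sample).items():
        for line, name in hits:
            print(f"{filename}:{line}: review call to {name}")
```

To get the files without running anything, fetch the archive first with `pip download <package> --no-deps -d ./review`, unpack it, and point scan_package at the directory; install only after reading the reported lines. Two caveats: the scan resolves only plain dotted names, so `import subprocess as sp` or `getattr(os, "system")` will not be flagged, and setup.py runs at install time, so it deserves a full read regardless of what the scanner reports.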

-3

Just download the pip library from official pages and don't worry until you interact with downloaded files directly or indirectly; nothing will be harmful if it's a pip file.

3
  • 2
    uh, python files can be very dangerous. There is nothing called a pip file, only packages, which are made up of python files. Take for example subprocess.run("rm -rf /"). Oh, well there goes all your files.
    – KetZoomer
    Commented Jul 23, 2021 at 5:14
  • True.. but only if he uses a pip file.. If he opens and checks the code then he can easily figure out that. Commented Jul 23, 2021 at 5:18
  • I'm decently sure the point of downloading a library is to use it. Figuring out whether an entire library - including all its dependencies - is malicious is not easy for a beginner, to say the least. Commented Jul 23, 2021 at 5:24
