324

Package managers be like (linux.community)

submitted 11 months ago by ExLisper@linux.community to c/programmerhumor@lemmy.ml

161 comments fedilink hide all child comments

Sorry Python but it is what it is.

you are viewing a single comment's thread
view the rest of the comments

[-] SpaceNoodle@lemmy.world 56 points 11 months ago

npm is objectively worse. Base pip packages aren't getting hijacked.

[-] Redscare867@lemmy.ml 23 points 11 months ago

Maybe I’m misremembering, but didn’t pip have it’s own security concerns earlier this year?

[-] _stranger_@lemmy.world 6 points 11 months ago

I believe that was just name squatting.

[-] fragment@lemmy.world 6 points 11 months ago

It’s less the name squatting and more pip not supporting a certain PyPI resolution order: https://github.com/pypa/pip/issues/8606

For example, I have A, B and C in my requirements.txt but I want to install C from my own private PyPI. Everything works fine until someone uploads a package name C to the public PyPI then suddenly I’m not installing my private package anymore.

[-] _stranger_@lemmy.world 2 points 11 months ago

Yeah, I remember now. the name squatting was from people putting malicious packages under misspelled names of well known packages, like "requets" instead of requests.

this post was submitted on 13 Oct 2023

324 points (81.4% liked)

Programmer Humor

32041 readers

1257 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

cat_programmer@lemmy.ml