
On Wed, May 17, 2023 at 2:22 PM Daniel Guffey <daniel.guffey@gmail.com> wrote:
> I'm a bit dubious about the pypi suggestion as packages are being regularly poisoned with malware (e.g. "New KEKW malware infects open-source Python Wheel files via a PyPI distribution", SC Media <https://www.scmagazine.com/news/devops/kekw-malware-infects-open-source-pyth...>) and support issues keep happening with package management tools.
This is an absurd complaint. For one, the PyPA dealt with that very quickly. But more relevantly, Toolz is a package with many years of development by well-trusted people. Yes, getting brand new malware onto PyPI is a danger, but that's a completely unrelated issue from using well-established and signed packages from known people. If you weirdly distrust PyPI, you can equally get the same thing via GitHub... I guess unless you also distrust those repos.

It's not absurd to suggest a new decorator for the standard library. But "I don't trust PyPI" isn't going to win you any support for the idea.

--
The dead increasingly dominate and strangle both the living and the not-yet born. Vampiric capital and undead corporate persons abuse the lives and control the thoughts of homo faber. Ideas, once born, become abortifacients against new conceptions.
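The practical check underneath this exchange, added here as an illustration and not code from either poster or from the Toolz project: whichever index or repository you fetch from, record the artifact's digest at review time and refuse anything that does not match it, which is what pip's `--require-hashes` mode enforces. The wheel bytes, the tampered copy and the requirements text below are constructed for the example; `toolz==0.12.0` is a placeholder pin, not a statement about any real release, and the parser is a small stand-in for pip's own requirements handling.

```python
"""Hash-pinned artifact verification in the spirit of `pip install --require-hashes`.

Added illustration, not part of the thread. All inputs are constructed.
"""
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded wheel (not a real artifact).
WHEEL_BYTES = b"PK\x03\x04" + b"fake toolz-0.12.0 wheel payload for illustration" * 8
# Constructed "poisoned re-upload": same length, one byte changed.
TAMPERED_BYTES = WHEEL_BYTES[:-1] + bytes([WHEEL_BYTES[-1] ^ 0x01])

# The pinned digest is computed once here from the known-good bytes; in practice
# you record it when you review the release (e.g. `pip hash <wheel>`), not at install time.
PINNED_SHA256 = hashlib.sha256(WHEEL_BYTES).hexdigest()

# Requirements text in pip's hash-pinning syntax (backslash line continuation).
REQUIREMENTS = (
    "# constructed example requirements file\n"
    "toolz==0.12.0 \\\n"
    f"    --hash=sha256:{PINNED_SHA256}\n"
)

_HASH_RE = re.compile(r"--hash=([a-z0-9_]+):([0-9a-fA-F]+)")
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\]+)")


def parse_hashed_requirements(text: str) -> dict[str, dict]:
    """Return {normalized_name: {"version": str, "hashes": [(algo, hexdigest), ...]}}.

    Backslash-continued lines are joined first, comments stripped, then the
    exact pin and its --hash options are extracted. A requirement with no
    --hash is kept with an empty list so the verifier can refuse it, which is
    the fail-closed behaviour of --require-hashes.
    """
    logical_lines = re.sub(r"\\\n", " ", text).splitlines()
    reqs: dict[str, dict] = {}
    for line in logical_lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _NAME_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name = m.group(1).lower().replace("_", "-")
        hashes = [(algo.lower(), digest.lower()) for algo, digest in _HASH_RE.findall(line)]
        reqs[name] = {"version": m.group(2), "hashes": hashes}
    return reqs


def verify_artifact(name: str, data: bytes, reqs: dict) -> bool:
    """True only if `data` matches at least one pinned digest for `name`.

    Packages that are unknown or unpinned fail closed. An unsupported hash
    algorithm raises instead of being silently skipped, so a typo in the pin
    cannot turn into an unverified install.
    """
    entry = reqs.get(name.lower().replace("_", "-"))
    if entry is None or not entry["hashes"]:
        return False
    for algo, expected in entry["hashes"]:
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"unsupported hash algorithm {algo!r}")
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    pins = parse_hashed_requirements(REQUIREMENTS)
    print("good wheel   :", verify_artifact("toolz", WHEEL_BYTES, pins))     # True
    print("tampered     :", verify_artifact("toolz", TAMPERED_BYTES, pins))  # False
    print("unpinned pkg :", verify_artifact("requests", WHEEL_BYTES, pins))  # False
```

The point of the design is that the digest, not the source, is what you trust: a wheel fetched from PyPI, a mirror, or a GitHub release is accepted only if its bytes match what was reviewed, and a later re-upload under the same version is rejected regardless of who published it.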