Apologies, I didn't mean to imply PyPI was inherently untrustworthy, unusable, or irrelevant. Clearly, it has a place and I use it for packages that I am familiar with and trust. The frame I'm trying to convey is that:

1. Developers are not the only consumers. e.g. If you're in an organization with a security team, then adding new PyPI packages without review may not even be an option.
2. The scope of the standard library is debatable; however, I'm trying to focus on functionality that I think should be standard or can reasonably argue such, and in this case, I'm talking about basic functional language features.
3. There is a difference between being included in the standard library and not: trust, visibility, availability, and keeping people from `re-inventing the wheel`.
4. The provided example is hardly an isolated case, but a fish in the sea of security threats.
5. Reducing external dependencies is generally beneficial.

The toolz Heritage — Toolz 0.10.0 documentation <https://toolz.readthedocs.io/en/latest/heritage.html> seems to even reflect my point that these are core operations.

On Wed, May 17, 2023 at 1:36 PM David Mertz, Ph.D. <david.mertz@gmail.com> wrote:
On Wed, May 17, 2023 at 2:22 PM Daniel Guffey <daniel.guffey@gmail.com> wrote:
I'm a bit dubious about the PyPI suggestion, as packages are being regularly poisoned with malware (e.g. New KEKW malware infects open-source Python Wheel files via a PyPI distribution | SC Media (scmagazine.com) <https://www.scmagazine.com/news/devops/kekw-malware-infects-open-source-pyth...>) and support issues keep happening with package management tools.
This is an absurd complaint. For one, the PyPA dealt with that very quickly. But more relevantly, Toolz is a package with many years of development by well-trusted people. Yes, getting brand new malware onto PyPI is a danger, but that's a completely unrelated issue from using well-established and signed packages from known people.
If you weirdly distrust PyPI, you can equally get the same thing via GitHub... I guess unless you also distrust those repos.
It's not absurd to suggest a new decorator for the standard library. But "I don't trust PyPI" isn't going to win you any support for the idea.
-- The dead increasingly dominate and strangle both the living and the not-yet born. Vampiric capital and undead corporate persons abuse the lives and control the thoughts of homo faber. Ideas, once born, become abortifacients against new conceptions.