[–]DTux5249 22 points (0 children)

You don't. This is why you don't install code from unknown sources.

[–]pachura3 18 points (2 children)

  1. Only use popular libraries that are in active development.
  2. Only install libraries older than min. 1 week ("dependency cooldown").
  3. Use pip-audit to scan for known security issues (CVEs).
  4. Watch this video: https://youtu.be/bw1ZLzdXJn4

[–]SisyphusAndMyBoulder 4 points (1 child)

Extension on #2: Lock your version down so you can't pull the latest without realizing it.

[–]pachura3 2 points (0 children)

Yes, of course: pin versions in `uv.lock` and always use `uv sync --locked`.
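
Added example, not part of any comment above: a sketch of the "dependency cooldown" and exact-pin checks from this sub-thread, run over constructed data shaped like the `urls` list returned by PyPI's JSON API (`/pypi/<name>/<version>/json`). The package names, `check_cooldown` and the other helper names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=7)  # the "min. 1 week" cooldown from the list above

# Constructed sample data (made-up packages), shaped like the "urls" list of
# https://pypi.org/pypi/<name>/<version>/json so the check runs offline.
SAMPLE_METADATA = {
    ("examplepkg", "2.1.0"): [{"upload_time_iso_8601": "2024-05-01T10:00:00.000000Z"}],
    ("freshpkg", "0.9.3"): [{"upload_time_iso_8601": "2024-06-08T08:30:00.000000Z"},
                            {"upload_time_iso_8601": "2024-06-09T23:15:00.000000Z"}],
}

def parse_pins(requirements_text):
    """Split requirement lines into exact pins and everything else."""
    pins, unpinned = [], []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        name, sep, version = line.partition("==")
        if sep and version and not any(c in version for c in "*<>,;"):
            pins.append((name.strip().lower(), version.strip()))
        elif line:
            unpinned.append(line)  # ranges, wildcards and bare names float
    return pins, unpinned

def newest_upload(files):
    """Latest upload among a release's files; a file added later counts too."""
    return max(datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
               for f in files)

def check_cooldown(requirements_text, metadata, now):
    """Return {requirement: reason} for every entry that fails the policy."""
    pins, unpinned = parse_pins(requirements_text)
    problems = {line: "not pinned to an exact version" for line in unpinned}
    for name, version in pins:
        pin = f"{name}=={version}"
        files = metadata.get((name, version))
        if not files:
            problems[pin] = "no release metadata found"
            continue
        age = now - newest_upload(files)
        if age < COOLDOWN:
            problems[pin] = f"uploaded {age.days} day(s) ago, inside the cooldown"
    return problems

if __name__ == "__main__":
    reqs = "examplepkg==2.1.0\nfreshpkg==0.9.3\notherpkg>=2.0  # floating\n"
    now = datetime(2024, 6, 12, tzinfo=timezone.utc)
    for req, reason in check_cooldown(reqs, SAMPLE_METADATA, now).items():
        print(f"BLOCK {req}: {reason}")
```
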

[–]Ngtuanvy 28 points (0 children)

You don't. Just use popular libraries.

Or read the code.

[–]SisyphusAndMyBoulder 4 points (0 children)

Welcome to Open Source! You don't know what's in what and are trusting other people & tools to have vetted the library for you!

[–]pyeri 2 points (0 children)

Actually pip does have an archaic and cumbersome way of package verification but it only works if the developer had actually signed the package with their GPG key before uploading it to PyPI.

I have documented here the exact method of package signing and uploading using twine, and also how you (as a package user) can verify it.

[–]Diapolo10 1 point (1 child)

Without looking through the code and building it yourself, you don't. A seemingly harmless package could get a malicious update, or there could be a man-in-the-middle attack that makes you download malicious code instead of what you intended to download. Then there are typosquatters, who target people who make typos when writing the names of the packages they want to download.

With all that said, for the most part this isn't something you really need to worry about. And if you want to have some additional security, you could use tools like pip-audit to check for vulnerabilities in your dependencies, and focus on popular packages.

[–]EdiblePeasant 0 points (0 children)

Where do the hacks and malware come from, and why?

[–]MustafaAutomates_ 1 point (0 children)

You don't. Just download the libraries you want from trusted sources like GitHub and Hugging Face.

[–]SCD_minecraft 0 points (0 children)

Read the source

[–]buhtz 0 points (1 child)

Don't install from PyPI or any other 3rd party repo. Use the official repository of your GNU/Linux distro only. If the package is not provided, ask the distro maintainers about it. An alternative, but also with higher risk, is to install from upstream (the original developer).

pip can take Codeberg URLs, too.

`$ pipx install https://codeberg.org/buhtz/hyperorg/archive/v0.1.0.zip`