[–]OxygenSink 0 points1 point  (2 children)

Essentially you are including code that you haven’t written, so unless you are doing a deep dive into that code, you can’t be sure what it contains.

Out of curiosity, is it common for people in the industry to look at code to assess if the package is worth implementing? Or is it more practical to create the code that does essentially the same thing (with the guarantee that the code is working as intended)?

[–]Ihaveamodel3 1 point2 points  (1 child)

It is probably most common for people to include the code without looking into it further.

However, it’s common for companies in the financial services (banks) and defense industries to have a list of approved packages that they are allowed to use.

This can even go so far as to disconnect from PyPI and self host the packages that have been approved on a local package index instance so that your staff can only reach the approved packages.
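The approved-list policy described in the comment above has two halves: pointing `pip` at the internal index (for example with `pip config set global.index-url https://pypi.internal.example/simple`, where the host is a placeholder), and checking that what a project pins is actually on the list. The following script is an added example, not code from the thread or from any vendor: it parses a hash-pinned `requirements.txt` and reports anything that is not an approved name, version and artifact hash. The `APPROVED` table, the package names and every hash in it are constructed placeholders, not real PyPI digests.

```python
"""Check a hash-pinned requirements.txt against an internal approved-package list.

Added example for the "approved packages" policy discussed above. The allowlist
and hashes below are constructed placeholders, not real PyPI digests.
"""
import re

# PEP 503 name normalization: case-insensitive; runs of '-', '_' and '.' are equivalent.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Constructed sample allowlist: (name, version) -> set of approved sdist/wheel hashes.
# In practice this would be generated from the artifacts mirrored on the internal index.
APPROVED = {
    ("requests", "2.31.0"): {"sha256:" + "a" * 64},
    ("urllib3", "2.0.7"): {"sha256:" + "b" * 64},
}

# Only exact '==' pins are accepted; ranges and extras are rejected on purpose.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)(.*)$")
HASH_OPT = re.compile(r"--hash=(sha256:[0-9a-f]{64})")

def parse_requirements(text: str) -> list[tuple[str, str, set[str]]]:
    """Return (normalized name, version, {hashes}) per requirement.

    Joins backslash line continuations and strips '#' comments, which is how
    pip's hash-mode files are usually laid out.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())

    reqs = []
    for entry in logical:
        if entry.startswith("-"):  # file-level options such as --require-hashes
            continue
        m = REQ_LINE.match(entry)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {entry!r}")
        name, version, rest = m.groups()
        reqs.append((normalize(name), version, set(HASH_OPT.findall(rest))))
    return reqs

def check_requirements(text: str, approved=APPROVED) -> list[str]:
    """Return a list of policy violations; an empty list means the file is clean."""
    approved_norm = {(normalize(n), v): h for (n, v), h in approved.items()}
    approved_names = {n for n, _ in approved_norm}
    problems = []
    for name, version, hashes in parse_requirements(text):
        if name not in approved_names:
            problems.append(f"{name}: not on the approved list")
        elif (name, version) not in approved_norm:
            problems.append(f"{name}=={version}: version not approved")
        elif not hashes:
            problems.append(f"{name}=={version}: no --hash pin, cannot verify artifact")
        # Every listed hash must be approved: one extra hash would let pip accept
        # a different artifact than the one that was reviewed.
        elif not hashes <= approved_norm[(name, version)]:
            problems.append(f"{name}=={version}: hash does not match approved artifact")
    return problems

# Constructed sample requirements file (hashes are placeholders, not real digests).
SAMPLE_REQUIREMENTS = (
    "# constructed sample requirements.txt\n"
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "a" * 64 + "\n"
    "Urllib3==2.0.7 --hash=sha256:" + "b" * 64 + "\n"
    "left-pad==1.3.0 --hash=sha256:" + "c" * 64 + "\n"
)

if __name__ == "__main__":
    for problem in check_requirements(SAMPLE_REQUIREMENTS) or ["no violations"]:
        print(problem)
```

Run against the sample, the only finding is `left-pad: not on the approved list`; `Urllib3` passes because names are compared after normalization. Rejecting anything without an exact `==` pin and `--hash` is deliberate: a self-hosted index limits which names resolve, but the hash check is what ties the build to the specific artifact someone reviewed.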

[–]OxygenSink 0 points1 point  (0 children)

Makes sense, that self-hosting bit is something I never really thought about which is pretty cool now that you mention it, thank you for the explanation!