Apologies, I didn't mean to imply PyPI was inherently
untrustworthy, unusable, or irrelevant. Clearly, it has a place and I use
it for packages that I am familiar with and trust.

The frame I'm trying to convey is that:

1. Developers are not the only consumers. E.g., if you're in an organization
with a security team, then adding new PyPI packages without review may not
even be an option.
2. The scope of the standard library is debatable, however, I'm trying to
focus on functionality that I think should be standard or can reasonably
argue such, and in this case, I'm talking about basic functional language
features.
3. There is a difference between being included in the standard library and
not. Trust, visibility, availability, and keeping people from `re-inventing
the wheel`.
4. The provided example is hardly an isolated case, but a fish in the sea
of security threats.
5. Reducing external dependencies is generally beneficial.

The toolz Heritage — Toolz 0.10.0 documentation
<https://toolz.readthedocs.io/en/latest/heritage.html> seems to even
reflect my point that these are core operations.


On Wed, May 17, 2023 at 1:36 PM David Mertz, Ph.D. <david.me...@gmail.com>
wrote:

> On Wed, May 17, 2023 at 2:22 PM Daniel Guffey <daniel.guf...@gmail.com>
> wrote:
>
>> I'm a bit dubious about the PyPI suggestion as packages are being
>> regularly poisoned with malware (e.g. New KEKW malware infects
>> open-source Python Wheel files via a PyPI distribution | SC Media
>> (scmagazine.com)
>> <https://www.scmagazine.com/news/devops/kekw-malware-infects-open-source-python-wheel-files>)
>> and support issues keep happening with package management tools.
>>
>
> This is an absurd complaint.  For one, the PyPA dealt with that very
> quickly.  But more relevantly, Toolz is a package with many years of
> development by well-trusted people.  Yes, getting a brand new malware onto
> PyPI is a danger, but that's a completely unrelated issue than using
> well-established and signed packages from known people.
>
> If you weirdly distrust PyPI, you can equally get the same thing via
> GitHub... I guess unless you also distrust those repos.
>
> It's not absurd to suggest a new decorator for the standard library. But
> "I don't trust PyPI" isn't going to win you any support for the idea.
>
> --
> The dead increasingly dominate and strangle both the living and the
> not-yet born.  Vampiric capital and undead corporate persons abuse
> the lives and control the thoughts of homo faber. Ideas, once born,
> become abortifacients against new conceptions.
>
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/R4QQDLG7NW3GYVY3I7LBTVJOIADJVLFB/
Code of Conduct: http://python.org/psf/codeofconduct/