by dumbo-octopus 953 days ago
Yes, because you could in theory run `pip install`, then manually read through every file you've just downloaded, then run `python myapp.py`.

But every package manager seems to grant RCE to every installed package. I agree it's broken.

2 comments

> Yes, because you could in theory run `pip install`, then manually read through every file you've just downloaded, then run `python myapp.py`.

This security model is utter nonsense because no one does this.

Replace "manually read through every file" with "run your security code scanner against every file" and it becomes less nonsense, but just as applicable.

In reality this really isn't how code scans are done, so it's still a little silly, but I could theoretically see something like this being a desire.

It becomes more applicable, not just as applicable.
Amazon asked me to and I actually did it for all the Brazil third party imports...

Granted, it wasn't the most thorough of reviews, as is the nature of huge PRs.

> then manually read through every file you've just downloaded

pip download?

Which can also execute arbitrary code according to the slides above.
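A defensive check that follows from this thread, added here as an example rather than anything from the discussion: a small Python triage that distinguishes a downloaded sdist (where pip runs setup.py or the declared build backend just to obtain metadata) from a wheel (which pip only unpacks). The archive contents, `make_sdist`, `make_wheel` and `build_time_files` are constructed for the example.

```python
import io
import tarfile
import zipfile

# Top-level sdist members pip consults when it builds the package.
# setup.py (and any in-tree build backend named in pyproject.toml) is
# package-supplied code that pip executes; a wheel is only unpacked.
BUILD_TIME_FILES = ("setup.py", "setup.cfg", "pyproject.toml")


def build_time_files(archive_name, archive_bytes):
    """List the build-time members pip would touch for a downloaded archive.

    Returns [] for a wheel (.whl): installing it runs no project code.
    For an sdist (.tar.gz), returns the top-level build files it contains.
    """
    if archive_name.endswith(".whl"):
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            zf.namelist()  # only validates that the archive opens
        return []
    found = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            parts = member.name.split("/")
            # pkg-1.0/setup.py counts; pkg-1.0/tests/setup.py does not.
            if len(parts) == 2 and parts[1] in BUILD_TIME_FILES:
                found.append(parts[1])
    return sorted(found)


def make_sdist(files):
    """Build a constructed sample sdist (tar.gz) from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_wheel(files):
    """Build a constructed sample wheel (zip) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

For archives not yet on disk, `pip download --only-binary=:all: <name>` makes pip refuse sdists outright, so no build step runs during the download; the function above triages archives you already have.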