by oreilles 695 days ago
How is it any different from installing the package via pip? Not only will most people not check the source before running the code, but there is also no way to be sure that the code shipped by pip is the one you read on GitHub...

GP has a leg to stand on only if they regularly audit the contents of their site-packages. Otherwise you're totally right.
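Both comments turn on whether anyone actually checks what pip put on disk. As an added example (not code from either commenter), the script below does the simplest such audit: it re-hashes every file listed in a package's dist-info `RECORD` (the per-file `sha256=<urlsafe-base64>` entries every wheel installs, PEP 427) and reports files that were modified or removed after installation. The package name `examplepkg` and its files are constructed for the demo; the checker itself works on any real site-packages directory.

```python
import base64
import csv
import hashlib
import os
import tempfile

def record_hash(data: bytes) -> str:
    """Hash bytes the way a wheel's RECORD file does (PEP 427)."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def audit_record(site_packages: str, dist_info: str) -> dict:
    """Map each RECORD entry to 'ok', 'modified', 'missing' or 'unhashed'.
    RECORD rows are: path,sha256=<urlsafe-b64 digest>,size (hash may be empty)."""
    results = {}
    with open(os.path.join(site_packages, dist_info, "RECORD"), newline="") as fh:
        for row in csv.reader(fh):
            if not row:
                continue
            path = row[0]
            expected = row[1] if len(row) > 1 else ""
            full = os.path.join(site_packages, path)
            if not expected:
                results[path] = "unhashed"   # RECORD lists itself without a hash
            elif not os.path.isfile(full):
                results[path] = "missing"
            else:
                with open(full, "rb") as f:
                    actual = record_hash(f.read())
                results[path] = "ok" if actual == expected else "modified"
    return results

def demo() -> dict:
    """Build a constructed site-packages tree, tamper with one file, audit it."""
    site = tempfile.mkdtemp()
    info = "examplepkg-1.0.dist-info"          # hypothetical package name
    os.makedirs(os.path.join(site, "examplepkg"))
    os.makedirs(os.path.join(site, info))
    good = b"def hello():\n    return 'hi'\n"
    module = os.path.join(site, "examplepkg", "__init__.py")
    with open(module, "wb") as f:
        f.write(good)
    with open(os.path.join(site, info, "RECORD"), "w", newline="") as f:
        csv.writer(f).writerows([["examplepkg/__init__.py", record_hash(good), str(len(good))],
                                 [info + "/RECORD", "", ""]])
    with open(module, "ab") as f:                # simulate post-install tampering
        f.write(b"# injected line\n")
    return audit_record(site, info)
```

Because `RECORD` is written by the wheel itself, this only detects changes made after installation; whether the wheel matched the GitHub source in the first place is a separate check (pin `--hash=sha256:...` in requirements with `--require-hashes`, or diff the sdist against the tagged source).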