Hacker News
by themusicgod1 570 days ago
> With those modifications, it then builds Python from source across a wide matrix of Python versions, platforms, and build variants (e.g., optimized vs. debug builds), and publishes the built distributions to GitHub Releases.

This should be illegal.

2 comments

How to handle this situation is literally defined in the LICENSE for any modern software project.
Why?
Publishing to GitHub should be considered a crime.
Supply chain risk.
Please explain your reasoning.
Somebody else is building your binaries. You've added another link in your software supply chain. How do you know they haven't inserted malware?
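The point raised above, that every extra builder is a link that can be tampered with, is usually mitigated by pinning: you record the digests of a release you have reviewed in your own repository and refuse any later download that does not match. The script below is an added example written for this thread; it is not code from Astral, from the discussed build pipeline, or from GitHub. The artifact names and bytes are constructed stand-ins, and the manifest format is the ordinary `sha256sum` output (`<hex>  <name>`, or `<hex> *<name>` for binary mode).

```python
"""Pin-and-verify check for prebuilt third-party artifacts (added example).

Workflow it models:
  1. When you first adopt a release, review it and pin its sha256sum-style
     manifest in your own repo (make_manifest stands in for that step).
  2. Every later fetch is checked against the pinned manifest. A rebuilt or
     altered file shows up as "mismatch"; a file you never pinned is
     "unpinned" rather than silently trusted.
"""
import hashlib
import hmac

# Constructed stand-ins for release files; not real CPython or Astral artifacts.
REVIEWED_RELEASE = {
    "cpython-3.12-x86_64-linux.tar.gz": b"original build output for linux\n",
    "cpython-3.12-aarch64-macos.tar.gz": b"original build output for macos\n",
}


def sha256_hex(data: bytes, chunk_size: int = 1 << 16) -> str:
    """Hash in chunks so a real multi-hundred-MB tarball is not copied in memory."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def make_manifest(files: dict[str, bytes]) -> str:
    """Render a sha256sum-compatible manifest: the thing you pin after review."""
    return "".join(f"{sha256_hex(blob)}  {name}\n" for name, blob in files.items())


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse sha256sum output into {filename: lowercase hex digest}.

    Rejects anything that is not a 64-hex-char digest followed by a name, and
    duplicate names, so a malformed or padded manifest fails closed.
    """
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {raw!r}")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):          # GNU binary-mode marker
            name = name[1:]
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: bad SHA-256 digest: {parts[0]!r}")
        if name in expected:
            raise ValueError(f"line {lineno}: duplicate entry for {name!r}")
        expected[name] = digest
    return expected


def verify(downloaded: dict[str, bytes], pinned_manifest: str) -> dict[str, str]:
    """Return per-file status: 'ok', 'mismatch', or 'unpinned'."""
    expected = parse_sha256sums(pinned_manifest)
    results: dict[str, str] = {}
    for name, data in downloaded.items():
        want = expected.get(name)
        if want is None:
            results[name] = "unpinned"
        elif hmac.compare_digest(sha256_hex(data), want):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo() -> dict[str, str]:
    """Pin the reviewed release, then check a later download in which one
    artifact has been altered and one new, never-reviewed artifact appeared."""
    pinned = make_manifest(REVIEWED_RELEASE)
    downloaded = dict(REVIEWED_RELEASE)
    # Constructed tampering: a single byte appended to the linux tarball.
    downloaded["cpython-3.12-x86_64-linux.tar.gz"] += b"\x00"
    # Constructed surprise: a build variant that was never pinned.
    downloaded["cpython-3.12-x86_64-windows.zip"] = b"unreviewed build output\n"
    return verify(downloaded, pinned)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

The manifest must come from somewhere other than the download itself (your own repo, a signed release note you have checked), otherwise whoever can swap the tarball can swap the checksum file beside it too. Pinning does not tell you the reviewed build was clean; it only guarantees that what you run later is byte-for-byte what you reviewed.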
> Somebody else is building your binaries.

That happens all the time. Who builds the Docker images you are using?

> You've added another link in your software supply chain. How do you know they haven't inserted malware?

You're installing untrusted random packages from PyPI. There are many much weaker points than Astral giving you malware for fun.

Sure, it happens, but that doesn't mean you shouldn't think about reducing it.
> Somebody else is building your binaries.

FYI there are two parties you are talking about: Astral, and GitHub too (if you don't trust Microsoft).