It automatically downloads interpreters from some internet source. It's a security nightmare. It can be configured not to do that but it's not the default.
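For readers who want to see what "configured not to do that" looks like in practice, here is an added example (not from the comment above or from the uv project's documentation) showing the default setting next to the locked-down one. It assumes uv's `python-downloads` setting in a `uv.toml` (or under `[tool.uv]` in `pyproject.toml`) and its `UV_PYTHON_DOWNLOADS` environment-variable equivalent, which are the knobs I understand uv to expose; verify against the version you ship.

```toml
# uv.toml (project-local or user-level; under [tool.uv] if placed in pyproject.toml)
#
# Default behaviour (what you get with no configuration):
#   python-downloads = "automatic"
# uv will fetch a managed interpreter build on demand if no suitable
# Python is found on the machine.

# Hardened setting for a system-bundled uv: never fetch interpreters,
# only use Pythons already present on the host (e.g. the distro's).
python-downloads = "never"

# Middle ground: only download when the user explicitly runs
# `uv python install`, never implicitly during `uv run` / `uv sync`.
# python-downloads = "manual"
```

The same policy can be applied machine-wide without touching project files by exporting `UV_PYTHON_DOWNLOADS=never` in the environment, which is the form a distribution or MDM profile would typically use; with it set, a script that needs an interpreter the host lacks fails loudly instead of silently pulling one down.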
I'm not sure that's fair. It downloads standalone builds which Astral themselves maintain. I'd say they're pretty trustworthy.
If you're worried about installing code from internet sources, which I think is valid, then pip/uv/package-managers-in-general open cans of worms anyway.
> I'm not sure that's fair. It downloads standalone builds which Astral themselves maintain. I'd say they're pretty trustworthy.
That's not how trust works. Trust exists as a relationship between two entities. From a security perspective, an entity being "trustworthy" is meaningless. What matters is whether I trust it or not.
If I install, for example, Debian GNU/Linux, then I'm trusting Debian. I wouldn't expect it to come with a tool that will automatically go and download and run binaries from some other place that I have no knowledge of.
To be clear, it's not a jab at uv as a developer tool. If you're doing dev work then you have to accept the risk. It's about uv being bundled as a system tool such that you can send a script to grandma.
It's a package manager. The job of package managers is to download code that you then run. That certainly has security implications, but that doesn't differentiate uv from pip, Poetry, Cargo, CPAN, npm, RubyGems, ...