by benrutter
445 days ago
I'm not sure that's fair. It downloads standalone builds which astral themselves maintain. I'd say they're pretty trustworthy. If you're worried about installing code from internet sources, which I think is valid, then pip/uv/package-managers-in-general open cans of worms anyway.

That's not how trust works. Trust exists as a relationship between two entities. From a security perspective, an entity being "trustworthy" is meaningless. What matters is whether I trust it or not.
If I install, for example, Debian GNU/Linux, then I'm trusting Debian. I wouldn't expect it to come with a tool that will automatically go and download and run binaries from some other place that I have no knowledge of.
To be clear, it's not a jab at uv as a developer tool. If you're doing dev work then you have to accept the risk. It's about uv being bundled as a system tool such that you can send a script to grandma.