Python wheels don't run arbitrary code on install, but source distributions do. ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		magnetometer 14 days ago \| parent \| context \| favorite \| on: GitLab discovers widespread NPM supply chain attac... Python wheels don't run arbitrary code on install, but source distributions do. And you can upload both to pypy. So you would have to run pip install <package> --only-binary :all: to only install wheels and fail otherwise.

Balinares 11 days ago [–]

Fair point -- I was only thinking wheels, but you are right.

Would source distributions work as a vector for automated propagation, though? If I'm not mistaken, there's no universal standard for building from source distributions.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact