On Friday, June 22, 2012 at 4:55 PM, Terry Reedy wrote:
Every time windows users download and install a binary, they are taking a chance. I try to use a bit more sense than some people, but I know it is not risk free. There *is* a third party site that builds installers, but should I trust it? I would prefer that (except perhaps for known and trusted authors) PyPI compile binaries, perhaps after running code through a security checker, followed by running it through one or more virus checkers.
I think you overestimate the abilities of "security checkers" and antivirus. Installing
from PyPI is a risk, whether you use source or binaries. There is currently not
a very good security story for installing python packages from PyPI (not all of this
falls on PyPI), but even if we get to a point where there is, PyPI can never be as
safe as installing from RPMs or DEBs, and somewhat more so in the case of binaries. You
_have_ to make a case by case choice if you trust the authors/maintainers of a
particular package.