HackerTrans
TopNewTrendsCommentsPastAskShowJobs

oblvious-earth

no profile record

comments

oblvious-earth
·4 เดือนที่ผ่านมา·discuss
OpenAI just acquired Astral who have an index service called pyx, so they would have a step up.

My understanding though is most corporations that take security seriously either build everything themselves in a sandbox, or use something like JFrog's Artifactory with various security checks, and don't let users directly connect to public indexes. So I'm not sure what the market is.
oblvious-earth
·ปีที่แล้ว·discuss
It does not work EXACTLY how pip works, big differences are covered here: https://docs.astral.sh/uv/pip/compatibility/

Some of these are uv following the standards while pip is still migrating away from legacy behavior, some of these are design choices that uv has made, because the standard is underdefined, it's a tool specific choice, or uv decided not to follow the standards for whatever reason.
oblvious-earth
·ปีที่แล้ว·discuss
PDM has plugins, such as being able to invoke conda commands: https://github.com/pdm-project/awesome-pdm

Otherwise I don't know what they're talking about, it is indeed a Python package manager.
oblvious-earth
·2 ปีที่แล้ว·discuss
If you're concerned about dependency confusion attacks you should host your own index and vet what goes on to it.

But there is a better solution coming, PEP 708 was developed for this and is in prototype on pypi.org, so it's an overstatement to say "don't even have a way to avoid dependency confusion attacks ".

It is, however, a non-trivial problem, and more solutions will likely come over the years, many Python packaging tools like uv and poetry (and likely others) have way to name indexes and pin specific packages to indexes, which appears to be a promising UX.