Why?

themusicgod1 · 2024-12-05T02:21:45 1733365305

Publishing to Github should be considered a crime.

cdchn · 2024-12-04T03:29:31 1733282971

Supply chain risk.

the_mitsuhiko · 2024-12-04T08:25:22 1733300722

Please explain your reasoning.

cdchn · 2024-12-04T15:12:12 1733325132

Somebody else is building your binaries. You've added another link in your software supply chain. How do you know they haven't inserted malware?

the_mitsuhiko · 2024-12-04T15:37:52 1733326672

> Somebody else is building your binaries.

That happens all the time. Who builds the docker images you are using?

> You've added another link in your software supply chain. How do you know they haven't inserted malware?

You're installing untrusted random packages from PyPI. There are many much weaker points than Astral giving you malware for fun.

cdchn · 2024-12-04T18:20:37 1733336437

Sure it happens, but that doesn't mean you shouldn't think about reducing it.

maxloh · 2024-12-05T04:00:45 1733371245

> Somebody else is building your binaries.

FYI there are two parties you are talking about: Astral, and GitHub too (if you don't trust Microsoft).