Hacker News new | past | comments | ask | show | jobs | submit login

Somebody else is building your binaries. You've added another link in your software supply chain. How do you know they haven't inserted malware?



> Somebody else is building your binaries.

That happens all the time. Who builds the docker images you are using?

> You've added another link in your software supply chain. How do you know they haven't inserted malware?

You're installing untrusted random packages from PyPI. There are many much weaker points than Astral giving you malware for fun.


Sure it happens, but that doesn't mean you shouldn't think about reducing it.


> Somebody else is building your binaries.

FYI there are two parties you are talking about: Astral, and GitHub too (if you don't trust Microsoft).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: