Most active commenters

    ←back to thread

    Switching Pip to Uv in a Dockerized Flask / Django App

    (nickjanetakis.com)
    264 points tosh | 14 comments | 24 Jun 25 09:46 UTC | HN request time: 0.819s | source | bottom
    1. bsenftner ◴[24 Jun 25 10:58 UTC] No.44364791[source]
    I'd like to see a security breakdown of uv versus pip versus conda versus whatever fashionable package manager I've not heard of yet.

    Speed is okay, but security of a package manager is far more important.

    replies(2): >>44364830 #>>44365134 #
    2. Bengalilol ◴[24 Jun 25 11:05 UTC] No.44364830[source]
    uv is generally more secure than pip. It resolves dependencies without executing arbitrary code, verifies package hashes by default, and avoids common risks like typosquatting and code execution during install. It's also faster and more reproducible.

    https://chaitalks.tech/uv-a-modern-python-package-manager-in...

    https://docs.astral.sh/uv/pip/compatibility/

    replies(1): >>44365004 #
    3. glaucon ◴[24 Jun 25 11:30 UTC] No.44365004[source]
    I'd be interested to know under what circumstances pip executes arbitrary code while resolving dependencies ... how does that work ?

    And while I'm here ... how does uv go about mitigating typosquatting risks ? I could imagine how it might issue warnings if you perhaps it notices you requesting "dlango", which would work OK for the top 10% but are you suggesting there's some more general solution built into uv ?

    I did a quick search but 'typosquatting' is not an easy string to cut through.

    replies(3): >>44365031 #>>44365092 #>>44365169 #
    4. alexchamberlain ◴[24 Jun 25 11:34 UTC] No.44365031{3}[source]
    For a source package based on setup tools, setup.py is executed with a minimal environment and can run arbitrary code.
    replies(1): >>44365073 #
    5. ericvsmith ◴[24 Jun 25 11:41 UTC] No.44365073{4}[source]
    You can (and should!) tell pip not to do this with '--only-binary=:all:'. Building from source is a lousy default.
    replies(1): >>44365721 #
    6. un_ess ◴[24 Jun 25 11:45 UTC] No.44365092{3}[source]
    a)"Thanks to backwards compatibility, a package offered only as a source distribution and with the legacy setup.py file for configuration and metadata specification will run the code in setup.py as part of the installation." https://blog.phylum.io/python-package-installation-attacks/

    b) pip now has an option _not_ to run arbitrary code by disallowing source distributions, by passing --only-binary :all:

    "By default, pip does not perform any checks to protect against remote tampering and involves running arbitrary code from distributions. It is, however, possible to use pip in a manner that changes these behaviours, to provide a more secure installation mechanism." https://pip.pypa.io/en/stable/topics/secure-installs/

    7. diggan ◴[24 Jun 25 11:49 UTC] No.44365134[source]
    > security breakdown of uv versus pip versus conda versus whatever fashionable package manager

    In the end, every package manager (so far at least) download and runs untrusted (unless you've verified it manually) 3rd party code. Whatever the security difference is between uv and pip implementation-wise is dwarfed compared to if you haven't found a way of handling untrusted 3rd party code yet.

    8. db48x ◴[24 Jun 25 11:54 UTC] No.44365169{3}[source]
    To install a package and its dependencies, you need the list of dependencies. This metadata is not always statically available!

    Python packages are often just a zip file full of py files, with one of them called 'setup.py'. Running this file installs the package (originally using [distutils](https://docs.python.org/3.9/install/index.html#install-index)). This installation may fail if dependencies are not present, but there’s no method provided for installing those dependencies. You’re supposed to read the error message, go download the source for the missing dependencies, then run their setup.py scripts to install them.

    replies(1): >>44366526 #
    9. soulofmischief ◴[24 Jun 25 12:58 UTC] No.44365721{5}[source]
    Requiring increasingly long arcane incantations in the name of backwards compatibility is a terrible design philosophy and introduces security fatigue. Most users will not use aliases, and it's poor security posture to ask them to.

    Given how often the python community already deals with breaking changes, it shouldn't be much different for pip to adopt saner defaults in a new major version.

    replies(1): >>44369880 #
    10. badmintonbaseba ◴[24 Jun 25 14:16 UTC] No.44366526{4}[source]
    How does uv get around this?
    replies(3): >>44367015 #>>44367034 #>>44367091 #
    11. bckr ◴[24 Jun 25 15:02 UTC] No.44367015{5}[source]
    Don’t think it does. You see the import errors when you run your code and you add the requirements to your project.
    12. nonethewiser ◴[24 Jun 25 15:04 UTC] No.44367034{5}[source]
    because instead of running setup.py it directly fetches the specified dependencies
    13. db48x ◴[24 Jun 25 15:10 UTC] No.44367091{5}[source]
    I don’t know; I’ve only just heard of uv. I know about the packaging problem because I’ve had to deal with that nonsense a few times.
    14. ericvsmith ◴[24 Jun 25 19:17 UTC] No.44369880{6}[source]
    While I agree, pip has very strong backward compatibility requirements. I'm not sure why, maybe because people tend to upgrade it without considering the consequences.