
264 points tosh | 1 comments
bsenftner No.44364791
I'd like to see a security breakdown of uv versus pip versus conda versus whatever fashionable package manager I've not heard of yet.

Speed is okay, but security of a package manager is far more important.

replies(2): >>44364830 >>44365134
Bengalilol No.44364830
uv is generally more secure than pip. It resolves dependencies without executing arbitrary code, verifies package hashes by default, and avoids common risks like typosquatting and code execution during install. It's also faster and more reproducible.

https://chaitalks.tech/uv-a-modern-python-package-manager-in...

https://docs.astral.sh/uv/pip/compatibility/

replies(1): >>44365004
glaucon No.44365004
I'd be interested to know under what circumstances pip executes arbitrary code while resolving dependencies ... how does that work?

And while I'm here ... how does uv go about mitigating typosquatting risks? I could imagine how it might issue warnings if perhaps it notices you requesting "dlango", which would work OK for the top 10%, but are you suggesting there's some more general solution built into uv?

I did a quick search but 'typosquatting' is not an easy string to cut through.

replies(3): >>44365031 >>44365092 >>44365169
un_ess No.44365092
a) "Thanks to backwards compatibility, a package offered only as a source distribution and with the legacy setup.py file for configuration and metadata specification will run the code in setup.py as part of the installation." https://blog.phylum.io/python-package-installation-attacks/

b) pip now has an option _not_ to run arbitrary code by disallowing source distributions, by passing --only-binary :all:

"By default, pip does not perform any checks to protect against remote tampering and involves running arbitrary code from distributions. It is, however, possible to use pip in a manner that changes these behaviours, to provide a more secure installation mechanism." https://pip.pypa.io/en/stable/topics/secure-installs/
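As an added offline illustration of the two controls named in this thread (hash verification in the uv reply above, and pip's --only-binary / secure-installs guidance here), the script below is not code from the thread, from pip or from uv. It audits a constructed requirements file the way pip's hash-checking mode (--require-hashes) would, flagging any requirement that is not pinned with == or carries no --hash, and it inspects two constructed archives to show why --only-binary :all: matters: a wheel is only unpacked, whereas a source distribution is built on the installing machine, which means running setup.py or a pyproject.toml build backend. Package names, digests and archive contents are placeholders; only the standard library is used.

```python
"""Offline audit helpers for pip's secure-install modes (constructed example)."""
import io
import re
import shlex
import tarfile
import zipfile

# --hash=<algo>:<hexdigest> as pip accepts it; digest length must match the algorithm
HASH_OPT = re.compile(r"^--hash=(sha256|sha384|sha512):([0-9a-f]+)$")
DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


def audit_requirements(text):
    """Return (line_no, problem) pairs for requirements pip --require-hashes would reject.

    Hash-checking mode needs every requirement pinned with == and carrying at
    least one --hash. Backslash continuation lines are joined first.
    """
    problems = []
    logical, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = lineno
        if raw.rstrip().endswith("\\"):
            logical += raw.rstrip()[:-1] + " "
            continue
        logical += raw
        line, logical = logical.strip(), ""
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # blank, comment, or a pip option line such as --index-url
        tokens = shlex.split(line, comments=True)
        spec, opts = tokens[0], tokens[1:]
        if "==" not in spec:
            problems.append((start, f"{spec}: not pinned with ==, hash mode needs an exact version"))
        hashes = []
        for opt in opts:
            m = HASH_OPT.match(opt)
            if not m:
                continue  # other per-requirement options are ignored here
            algo, digest = m.groups()
            if len(digest) != DIGEST_LEN[algo]:
                problems.append((start, f"{spec}: malformed {algo} digest"))
            else:
                hashes.append((algo, digest))
        if not hashes:
            problems.append((start, f"{spec}: no --hash, pip --require-hashes would refuse it"))
    return problems


def classify_distribution(filename, data):
    """Return (kind, executes_code_at_install, reason) for a distribution archive.

    Wheels are unpacked, never executed. Source distributions are built on the
    installing machine: a legacy setup.py is run directly, and a pyproject.toml
    build backend is arbitrary code too.
    """
    if filename.endswith(".whl"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        return ("wheel", False, f"{len(names)} files unpacked, no build step runs")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        names = tf.getnames()
    # sdist layout is <name>-<version>/..., so look at the top-level files only
    top = {n.split("/", 1)[1] for n in names if n.count("/") == 1}
    if "setup.py" in top:
        return ("sdist", True, "legacy setup.py is executed by the installer")
    if "pyproject.toml" in top:
        return ("sdist", True, "PEP 517 build backend runs on the installing machine")
    return ("sdist", True, "unknown layout; pip would still attempt a build")


# --- constructed sample inputs (placeholders, not real packages or digests) ---
PLACEHOLDER_DIGEST = "a" * 64  # the shape of a sha256 hex digest, not a real one
REQUIREMENTS = f"""\
# constructed sample requirements file
requests==2.32.3 \\
    --hash=sha256:{PLACEHOLDER_DIGEST}
somepkg>=1.0
flask==3.0.0
"""


def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _make_tar(members):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


SAMPLE_WHEEL = _make_zip({
    "pkg/__init__.py": b"VERSION = '1.0'\n",
    "pkg-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: pkg\nVersion: 1.0\n",
})
SAMPLE_SDIST = _make_tar({
    "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg', version='1.0')\n",
    "pkg-1.0/pkg/__init__.py": b"VERSION = '1.0'\n",
})

if __name__ == "__main__":
    for lineno, problem in audit_requirements(REQUIREMENTS):
        print(f"requirements.txt:{lineno}: {problem}")
    for name, data in [("pkg-1.0-py3-none-any.whl", SAMPLE_WHEEL), ("pkg-1.0.tar.gz", SAMPLE_SDIST)]:
        print(name, classify_distribution(name, data))
```

Once a requirements file passes the audit, the combination the pip documentation linked above describes is `pip install --only-binary :all: --require-hashes -r requirements.txt`: the first flag refuses to build any source distribution, the second refuses any requirement whose digest is missing or does not match the downloaded file. The audit deliberately treats a pyproject.toml-only sdist as code execution as well, since the build backend it names runs with the installer's privileges just like setup.py.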