
Fun with uv and PEP 723

(www.cottongeeks.com)
619 points deepakjois | 3 comments
gerdesj No.44372567
I've recently updated a Python script that I originally wrote about 10 years ago. I'm not a programmer - I just have to get stuff done - think sysops.

For me there used to be a clear delineation between scripting languages and compiled languages. Python has always seemed to want to be both and I'm not too sure it can really. I can live with being mildly wrong about a concept.

When Python first came out, our processors were 80486 at best and RAM was measured in MB at roughly £30/MB in the UK.

"For the longest time, ..." - all distros have had scripts that find the relevant Python or Java or whatevs so that's simply daft. They all have shebang incantations too.

So we now have uv written in Rust for Python. Obviously you should install it via a shell script directly from curl!

I love all of the components involved here but please for the love of a nod to security at least suggest that the script is downloaded first, looked over and then run.

I recently came across a Github hosted repo with scripts that changed Debian repos to point somewhere else and install ... software. I'm sure that's all fine too.

curl | bash is cute and easy and very, very insecure.

replies(3): >>44372872 #>>44373479 #>>44375207 #
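The "download first, look it over, then run" step the comment above asks for, as an added example that is not part of the thread or of the uv project. It assumes only POSIX sh plus curl and one of sha256sum, shasum or openssl; the expected digest is something you obtain out-of-band (the project's release page, a signed checksum file) and pass in yourself, it is not on this page.

```shell
#!/bin/sh
# Added example: never pipe a remote installer into a shell. Fetch it to a
# file, show it to the operator, check its SHA-256 against a digest obtained
# separately, and only then execute it. Paths, URL and digest are placeholders.
set -eu

# Print the SHA-256 hex digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Return 0 if the file's SHA-256 equals the expected hex digest, 1 otherwise.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Fetch a URL to a local file (not a pipe). --proto '=https' refuses redirects
# to plain http, --fail stops an error page from being saved as the "script".
fetch_to_file() {
    url="$1"; dest="$2"
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 --output "$dest" "$url"
}

# Download, display for review, verify the digest, then run with the user's shell.
# Usage: safe_install https://example.invalid/install.sh <expected-sha256>
safe_install() {
    url="$1"; expected="$2"
    dest="$(mktemp)"
    fetch_to_file "$url" "$dest"
    echo "=== contents of $url (review before continuing) ==="
    cat "$dest"
    echo "=== end of script ==="
    if ! verify_sha256 "$dest" "$expected"; then
        echo "digest mismatch for $url, refusing to run" >&2
        rm -f "$dest"
        return 1
    fi
    printf 'Digest matches. Run it? [y/N] '
    read -r answer
    case "$answer" in
        y|Y) sh "$dest" ;;
        *)   echo "not run; script left at $dest for inspection" ;;
    esac
}

# Only act when invoked with URL and digest; sourcing the file defines the functions.
if [ "$#" -eq 2 ]; then
    safe_install "$1" "$2"
fi
```

The digest check is what turns "look it over" into something repeatable: once a script has been read and its hash recorded, a later re-download that hashes differently is caught before any of it executes, which is exactly the case of a repo that quietly swaps its install script.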
1. wiseowise No.44373479
> Obviously you should install it via a shell script directly from curl!

No? You can install it via pip.

replies(2): >>44373633 #>>44382376 #
2. benrutter No.44373633
You can do both but the official recommendation is shell + curl[0].

Not an expert but I think there's performance gains to calling the binary directly rather than through python.

[0]: https://docs.astral.sh/uv/

3. gerdesj No.44382376
I was going off on a bit of a tangent but take a look at this horror, which is still up:

https://github.com/InboraStudio/Proxmox-VGPU

Note the quite professional looking README.md and think about the audience for this thing - kittens hitting the search bong and trying to get something very complicated working.

Read the scripts: they are pretty short and could put your hypervisor in the hands of someone else who may not be too friendly.

Now pip has the same problem except you don't normally go in with a web browser first.

I raised an issue to at least provide a hint to casual browsers and also raised it with the github AI bottie complaint thang which doesn't care about you, me or anything else for that matter.