Look! Paul D Smith published on pypi.
(not really. Published by a Chinese college student.)
Self-replies
I'm brainstorming how to work out if stuff like this is trustworthy.
Options
- just trust it
- run it in a sandbox and if it appears to work, then trust it (e.g. malicious code might not implement the useful stuff; why implement a build tool if you just need to write enough code to steal aws keys)
**- let some other fool install it and ask them how it went (security by relying on reckless fools)**
- decompile the native code & read the pure Python.
- Always sandbox it in docker
- Never use it
When we rely only on *many people installed this code and it was okay*, then we latecomers are exploiting the gullibility of the early adopters.
I just don't like systems that are founded on exploiting someone.
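One concrete version of the "decompile the native code & read the pure Python" option as a pre-install triage, added here as an example and not the poster's code: it separates the opaque native extension modules in a wheel from the Python files, and flags the Python files where a credential name (an assumed heuristic list) appears alongside a network import. The wheel bytes are a constructed sample; a real one could be fetched with `pip download --no-deps` and passed in without installing it.

```python
import ast, io, zipfile

# Suffixes of compiled extension modules: these cannot be read as Python source.
NATIVE_SUFFIXES = (".so", ".pyd", ".dll", ".dylib")
# Assumed heuristic: credential names whose appearance next to a network import
# marks a module as one to read by hand before trusting the package.
CREDENTIAL_HINTS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", ".aws/credentials")
NETWORK_MODULES = {"socket", "urllib", "urllib.request", "http.client", "requests"}

def imported_modules(source: str) -> set:
    """Return the module names a Python source file imports."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module)
    return mods

def triage_wheel(wheel_bytes: bytes) -> dict:
    """Split a wheel into opaque native parts and Python files worth a manual read."""
    findings = {"native": [], "needs_read": []}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(NATIVE_SUFFIXES):
                findings["native"].append(name)
            elif name.endswith(".py"):
                src = zf.read(name).decode("utf-8", "replace")
                try:
                    mods = imported_modules(src)
                except SyntaxError:
                    # Source that will not parse still deserves a look.
                    findings["needs_read"].append((name, ["unparseable source"], []))
                    continue
                hits = [h for h in CREDENTIAL_HINTS if h in src]
                net = sorted(mods & NETWORK_MODULES)
                if hits and net:
                    findings["needs_read"].append((name, hits, net))
    return findings

def build_sample_wheel() -> bytes:
    """Constructed sample, not a real package: a pure module, a native extension,
    and a module that reads a credential name and imports a network client."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg/_speedups.cpython-311-x86_64-linux-gnu.so", b"\x7fELF")
        zf.writestr("pkg/telemetry.py",
                    "import os, urllib.request\n"
                    "KEY = os.environ.get('AWS_SECRET_ACCESS_KEY')\n")
    return buf.getvalue()
```

Anything listed under `native` is exactly the part that "read the pure Python" cannot cover, which is where the sandbox option has to take over.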