Differences

This shows you the differences between two versions of the page.

en:philosophy:python_problems [2025/04/21 03:31]
throgh
en:philosophy:python_problems [2025/07/01 01:38] (current)
throgh [Conclusions for Hyperbola]
Line 10: Line 10:
  
 But that is clearly not all alone: Many packages for **Python** also depend on [[https://web.archive.org/web/20250418230406/https://github.com/pypa/pip|pip]], which is in fact an own implemented package-manager for **Python**. We have therefore again the already marked problem: To preserve the autonomy of the system we can't and won't include such package(s) into the system as it is neither not known what kind of dependencies are further installed when a user is executing commands for such installation processes nor we have no control about further malicious code being downloaded, installed and executed later on. It is already known and reported that [[https://web.archive.org/web/20250420232014/https://cybersrcc.com/2025/03/17/the-pypi-attack-malicious-packages-target-cloud-tokens-over-14100-downloads-before-removal/|several malicious packages were distributed and also downloaded]]. But that is clearly not all alone: Many packages for **Python** also depend on [[https://web.archive.org/web/20250418230406/https://github.com/pypa/pip|pip]], which is in fact an own implemented package-manager for **Python**. We have therefore again the already marked problem: To preserve the autonomy of the system we can't and won't include such package(s) into the system as it is neither not known what kind of dependencies are further installed when a user is executing commands for such installation processes nor we have no control about further malicious code being downloaded, installed and executed later on. It is already known and reported that [[https://web.archive.org/web/20250420232014/https://cybersrcc.com/2025/03/17/the-pypi-attack-malicious-packages-target-cloud-tokens-over-14100-downloads-before-removal/|several malicious packages were distributed and also downloaded]].
 +
 +And combining mentioned points as even though it would be possible to build **python-build**
 +and **python-installer** at a given point with the needed amount of time and work: The mentioned package-manager is from that point on-going mandatory part of the build-process and is invoked also with every newly called out build-process. So the whole point of a FSDG-compliance is broken up with the implementation of those packages.
  
 ===== Social issues ===== ===== Social issues =====
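Review bot: the added paragraph (the two `+` lines before the `===== Social issues =====` heading) is hard to parse and refers to "the mentioned package-manager" without naming it; the only package manager named in the surrounding text is pip, so say so explicitly and split the sentence, e.g. "Even if python-build and python-installer could be built with enough time and work, pip would from then on be a mandatory part of the build process and be invoked on every subsequent build. That breaks the whole point of FSDG compliance." The abbreviation FSDG also appears here for the first time on the page without being expanded; spell it out on first use.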
Line 25: Line 28:
   * Until there are no severe security-issues reported there will be no further updates on the provided version of **Python**.   * Until there are no severe security-issues reported there will be no further updates on the provided version of **Python**.
   * We do not provide **build**, **installer** and **pip** as we do not recognize circular dependencies, a complete independent package-management and further possible execution of malicious code as helpful or in any way supporting for the users and their technical emancipation.   * We do not provide **build**, **installer** and **pip** as we do not recognize circular dependencies, a complete independent package-management and further possible execution of malicious code as helpful or in any way supporting for the users and their technical emancipation.
-  * We do and will not react on any further demands to include further packages for **Python** as we see our task not in filling up the system with more packages as to understand that every newly added software-project as package could be also the next possible security-issue and attack-vector.+  * We do and will not react on any demands to include further packages for **Python** as we see our task not in filling up the system with more packages as to understand that every newly added software-project as package could be also the next possible security-issue and attack-vector
 +  * Hyperbola as project has its focus on [[https://wiki.hyperbola.info/doku.php?id=en:philosophy:community_software|community-oriented and rooted projects]], not on projects with a later build community around.
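Review bot: the rewritten bullet (the `-`/`+` pair) drops the trailing period that the two unchanged bullets above it keep, so the list ends up inconsistently punctuated; restore the period after "attack-vector". The new bullet's phrase "projects with a later build community around" is unclear; wording such as "projects that only form a community after the fact" would state the intended contrast with community-rooted projects more plainly.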