It’s nice that they’re committed to user privacy, and this post really gives me confidence that my privacy will be reasonably protected.
…but why is that a goal for PyPI? As a publisher of packages, it’s a nice-to-have, but as an end user it’s kind of scary. I don’t want to use software packages published by anonymous and potentially unaccountable people. That’s probably why they have so many malicious packages.
Maybe you live in an oppressive regime that will imprison/murder you for publishing some code; ok, but that’s an outlier, and there are a lot of ways to get around that situation.
I just don’t see the benefit of privacy in this situation? Is it just to reduce the administrative overhead of collecting/verifying identity info? I’m genuinely curious to learn about a realistic use case that justifies the risks to all users.
I know you can self host your own package index, but very few users have the resources to do that.
I think largely because the prerogative is on the code author to reveal as little or as much about themselves, and the prerogative of library users is to sufficiently vet a package. If folks want to publish code pseudonymously, and folks want to use that code, as long as it's not abusive, what's to stop them? You can achieve basically the same effect with github, gitlab, or even plain self-hosted HTTP packages (pip just uses a convention for listing packages in a dir, any HTTP file host can be a package server), without PyPI.
I actually think the larger problem is Python's reliance on imperative code that executes at install time. Yeah you can use pip --download and extract it yourself, but folks rarely do that.
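The install-time concern raised above, as an added example that is not from this thread or from pip/PyPI: it inspects the setup.py inside a source distribution with Python's ast module, without installing or extracting it, and flags a cmdclass override plus imports that usually mean the file does more than declare metadata. The in-memory sdist builder and both sample packages are constructed here purely for the demonstration.

```python
import ast
import io
import tarfile

SUSPICIOUS_IMPORTS = {"subprocess", "socket", "urllib", "requests", "base64", "ctypes"}  # beyond metadata

def audit_setup_py(source: str) -> list[str]:
    """Reasons this setup.py would run custom logic during `pip install`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        roots = []
        if isinstance(node, ast.Import):
            roots = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        elif isinstance(node, ast.Call):
            fn = node.func
            name = fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", "")
            # cmdclass swaps user-written command classes into the build/install steps.
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append("setup() overrides build/install commands via cmdclass")
        findings.extend(f"imports {r}" for r in roots if r in SUSPICIOUS_IMPORTS)
    return findings

def audit_sdist(data: bytes) -> dict[str, list[str]]:
    """Audit every setup.py in an sdist tarball (bytes) without extracting or installing it."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("setup.py"):
                report[member.name] = audit_setup_py(tar.extractfile(member).read().decode())
    return report

def make_sdist(files: dict[str, str]) -> bytes:
    """Build a gzipped tarball in memory; used here only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

# Constructed samples: a purely declarative setup.py, and one that hooks the install step.
CLEAN_FILES = {"demo-0.1/setup.py": "from setuptools import setup\nsetup(name='demo', version='0.1')\n"}
HOOKED_FILES = {"demo-0.1/setup.py": (
    "from setuptools import setup\nfrom setuptools.command.install import install\nimport subprocess\n\n"
    "class PostInstall(install):\n    def run(self):\n        subprocess.run(['echo', 'hook'])\n        install.run(self)\n\n"
    "setup(name='demo', version='0.1', cmdclass={'install': PostInstall})\n")}
```

A real sdist fetched with `pip download --no-binary :all: --no-deps <name>` can be passed to audit_sdist the same way; a pyproject-only package with no setup.py yields an empty report.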