This is for making “pip install” safer, so that dependencies of your packages cannot change under your feet.

However, keep in mind that third-party PyPI packages are not vetted or reviewed for security before they become available. So, they are subject to the same risks of compromise as Arch Linux AUR packages.

A safer alternative would be to use GNU Guix, which has vetted packages, builds everything transparently from source, and has great support for cross-language projects.

  • A_norny_mousse@piefed.zip · 1 point · 11 days ago

    (sorry for OT)

    Guix does not appear to be in Debian repositories, nor does it want to be installed by adding a repository. Is there an explanation for that?

        • HaraldvonBlauzahn@feddit.org (OP) · 2 points · 11 days ago

          Well, it has only 31,000 packages for now, and quite limited npm support ;-)

          But more seriously, the user interface is still being polished. The documentation is top notch though, including the parts on how to define your own packages!

          • HaraldvonBlauzahn@feddit.org (OP) · 3 points · edited · 11 days ago

            What’s also worth mentioning is that Guix packages are also an excellent way to distribute new FLOSS software for Linux/POSIX - your packages do not need to be part of the Guix distribution.

            You can just put your package definition on your Codeberg or GitHub page and users can pull that. Pretty much like Ubuntu PPAs or flatpaks, but since everything is defined from source, people can inspect what they get, which fosters trust.

            And it works for any distro that works with Guix, without modification, because the Guix dependencies give a 100% reproducible base.

        • HaraldvonBlauzahn@feddit.org (OP) · 2 points · edited · 10 days ago

          No, I mean the first paragraph in section 1, “Installation”, which explains clearly why there is no advantage to installing it as a distribution package. Arch supports both ways, but installing Guix separately is recommended.