Closed Wehzie closed 1 year ago
It's not really dangerous as long as you have checked that the project's setup code (well, and setuptools itself) does not do anything malicious. As you can see, unoserver's setup.py solely calls setuptools.setup().
sudo pip install can be useful to make a library or program available to all users (on a multi-user system), so it's not necessarily a no-go.
Anyway, that's just my personal opinion, and maybe you're right this shouldn't be the default installation instruction, to not encourage potentially unsafe behaviour.
I think if we can make a default safer then we should do so. For that reason I'd appreciate a move to merge the PR.
The reason we can safely sudo apt install is because packages are audited by OS maintainers. But users have no reason to generally trust software installed via pip; there are no audits, at all. You're right, it would be warranted to check setup.py, but it's to be anticipated that some users won't do so.
A multi-user install shouldn't be the default, as most users will want a single-user install. Users who want a multi-user install are likely to know how to do this.
If you don't trust a package, you shouldn't install it at all.
Running sudo pip is potentially dangerous and generally bad practice.
For reference https://pages.charlesreid1.com/dont-sudo-pip/ https://askubuntu.com/questions/802544/is-sudo-pip-install-still-a-broken-practice
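The thread's argument rests on one fact: pip executes a project's setup.py with whatever privileges pip has, so under sudo an arbitrary install-time statement runs as root. The check the first commenter describes ("setup.py solely calls setuptools.setup()") can be done statically before installing. The following script is an added example written for this page; it is not code from unoserver, pip or setuptools. It parses a setup.py with the standard-library ast module, reports any top-level statement other than imports, docstrings, literal assignments and the setup() call, and lists references to names a reviewer would want to look at (the SUSPICIOUS_NAMES list is an assumption made for this example, not an authoritative list). Both sample setup.py inputs are constructed here for illustration.

```python
"""Static look at a setup.py before running it (for example via sudo pip install).

Added example for this discussion; not part of unoserver, pip or setuptools.
"""
import ast

# Dotted names whose presence warrants a closer read before installing with
# elevated privileges. Assumed list for this example; extend as you see fit.
SUSPICIOUS_NAMES = {
    "os.system", "os.popen", "os.remove", "subprocess", "exec", "eval",
    "compile", "urllib", "requests", "socket", "ctypes", "shutil.rmtree",
    "base64",
}

# Constructed inputs. The first mirrors the style the thread describes for
# unoserver (only a setup() call); the second runs a command at import time.
BENIGN_SETUP_PY = 'from setuptools import setup\n\nsetup()\n'
RISKY_SETUP_PY = (
    'import os\n'
    'from setuptools import setup\n\n'
    'os.system("id")\n'
    'setup(name="demo")\n'
)


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for any other node."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_literal(node):
    """True for constants and lists/tuples/sets/dicts built only from constants."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        return all(_is_literal(e) for e in node.elts)
    if isinstance(node, ast.Dict):
        return all(k is not None and _is_literal(k) and _is_literal(v)
                   for k, v in zip(node.keys, node.values))
    return False


def _flagged(name):
    """True if name is, or lives under, one of SUSPICIOUS_NAMES."""
    return any(name == s or name.startswith(s + ".") for s in SUSPICIOUS_NAMES)


def audit_setup_py(source):
    """Classify what a setup.py does when pip imports it.

    Returns a dict with:
      only_setup_call  True if every top-level statement is an import, a
                       docstring, a literal assignment, or the setup() call.
      other_top_level  source text of top-level statements outside that set,
                       i.e. code that runs unconditionally at install time.
      suspicious       sorted dotted names (imported or referenced anywhere)
                       that match SUSPICIOUS_NAMES.
    """
    tree = ast.parse(source)
    other = []
    for stmt in tree.body:
        if isinstance(stmt, (ast.Import, ast.ImportFrom)):
            continue
        if (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Constant)
                and isinstance(stmt.value.value, str)):
            continue  # module docstring
        if isinstance(stmt, ast.Assign) and _is_literal(stmt.value):
            continue  # e.g. version = "1.0"
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            if _dotted(stmt.value.func) in ("setup", "setuptools.setup"):
                continue
        other.append(ast.get_source_segment(source, stmt))

    suspicious = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            prefix = node.module + "." if node.module else ""
            names = [prefix + a.name for a in node.names]
        else:
            dotted = _dotted(node)
            names = [dotted] if dotted else []
        suspicious.update(n for n in names if _flagged(n))

    return {"only_setup_call": not other,
            "other_top_level": other,
            "suspicious": sorted(suspicious)}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP_PY), ("risky", RISKY_SETUP_PY)):
        print(label, audit_setup_py(src))
```

Run it against the sdist you are about to install (pip download <pkg> --no-binary :all: fetches it without executing anything); a result with only_setup_call false or a non-empty suspicious list means the file deserves a human read before any install, and certainly before one under sudo. The check is static and deliberately conservative: it cannot see what imported modules do, and a setup.py that reads a README or computes a version will show up in other_top_level even though that is routine, which is the point at which you decide whether a per-user or virtualenv install is the better default anyway.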