<div><span style="color: rgb(160, 160, 168); ">On Friday, June 22, 2012 at 4:55 PM, Terry Reedy wrote:</span></div><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div><br></div><div>Every time Windows users download and install a binary, they are taking </div><div>a chance. I try to use a bit more sense than some people, but I know it </div><div>is not risk free. There *is* a third party site that builds installers, </div><div>but should I trust it? I would prefer that (except perhaps for known and </div><div>trusted authors) PyPI compile binaries, perhaps after running code </div><div>through a security checker, followed by running it through one or more </div><div>virus checkers.</div><div><br></div></div></div></span></blockquote><div>I think you overestimate the abilities of "security checkers" and antivirus. Installing</div><div>from PyPI is a risk, whether you use source or binaries. There is currently not</div><div>a very good security story for installing Python packages from PyPI (not all of this</div><div>falls on PyPI), but even if we get to a point where there is, PyPI can never be as</div><div>safe as installing from RPMs or DEB and somewhat more so in the case of binaries. You</div><div>_have_ to make a case by case choice if you trust the authors/maintainers of a&nbsp;</div><div>particular package.&nbsp;</div><div><br>
</div>
