On Mon, 20 Dec 2021 14:41:27 +0100, Michael Orlitzky <mic...@orlitzky.com> wrote:
> We already have 214 standard packages. That's 214 pieces of software
> copy & pasted into the sage releases... and 214 SPKGs that the sage
> developers need to keep updating, and 214 distro packages that every
> distro maintainer needs to keep track of as dependencies of the sage
> package.
It's also 214 software packages which might, for all we know, at any
time be hijacked by The Bad Guys to run arbitrarily malicious code on
every Sage user's machine.
This is terrifying.
(For examples where the modern "import * from internet" mentality has
led to security disasters, just search for terms like "malicious npm".
Luckily it seems less bad with pip packages for now, but not for any
real reason. Every single piece of code we import adds huge security
questions, because updates to the dependency may be published at any
time totally invisible to Sage developers and the review process used
in Sage development. The build scripts will simply pull and run it.)
We should reduce dependencies, not add more. _Especially_ when it's
about non-essential convenience libraries.
Best,
Lorenz
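The failure mode Lorenz describes (a build script fetching whatever upstream currently serves and running it) is closed by pinning each dependency to a digest recorded at review time and refusing to unpack anything that does not match. The following is an added example of that check; it is not code from this thread or from Sage's own build system. The INI-style manifest format, the package name, the checksum values and the in-memory tarballs are all constructed for illustration, and `fetch` is a stand-in callable for the actual download.

```python
import configparser
import hashlib
import hmac
import io
import tarfile


class ChecksumMismatch(Exception):
    """Raised when a fetched artifact does not match its pinned digest."""


def parse_manifest(text: str) -> dict:
    """Parse a small INI-style pin manifest (hypothetical format, not Sage's
    checksums.ini): one section per package with 'tarball' and 'sha256' keys.
    An entry without a digest is an error, not a package to be fetched unpinned."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    pins = {}
    for name in cp.sections():
        sec = cp[name]
        if "tarball" not in sec or "sha256" not in sec:
            raise ValueError(f"{name}: manifest entry must pin both tarball and sha256")
        pins[name] = {"tarball": sec["tarball"], "sha256": sec["sha256"].strip().lower()}
    return pins


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the artifact's SHA-256 with the pin using a constant-time comparison."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


def install_pinned(fetch, pin: dict) -> list:
    """Fetch the pinned tarball and verify it *before* doing anything with it.
    `fetch(tarball_name) -> bytes` stands in for the download step. Returns the
    member names: nothing is unpacked, let alone executed, until the digest
    matches what the reviewer recorded."""
    data = fetch(pin["tarball"])
    if not sha256_matches(data, pin["sha256"]):
        raise ChecksumMismatch(
            f"{pin['tarball']}: got sha256 {hashlib.sha256(data).hexdigest()}, "
            f"expected {pin['sha256']}"
        )
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return tar.getnames()


def build_demo_tarball(setup_py: bytes) -> bytes:
    """Construct an in-memory tar.gz containing only a setup.py (test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()


# Constructed fixtures: the upload that was reviewed, and a later re-upload
# under the same version number whose setup.py now runs extra code at install.
REVIEWED_SETUP = b"from setuptools import setup\nsetup(name='pkg', version='1.0')\n"
REPUBLISHED_SETUP = REVIEWED_SETUP + b"import os; os.system('echo pwned')  # injected\n"


def run_demo() -> dict:
    reviewed = build_demo_tarball(REVIEWED_SETUP)
    # The pin is recorded once, at review time, and checked into version control.
    manifest = parse_manifest(
        f"[pkg]\ntarball = pkg-1.0.tar.gz\nsha256 = {hashlib.sha256(reviewed).hexdigest()}\n"
    )
    members = install_pinned(lambda _name: reviewed, manifest["pkg"])

    # Upstream (or whoever now controls the upload) republishes: same name,
    # same version, different bytes. The pin rejects it before unpacking.
    republished = build_demo_tarball(REPUBLISHED_SETUP)
    try:
        install_pinned(lambda _name: republished, manifest["pkg"])
        rejected = False
    except ChecksumMismatch:
        rejected = True
    return {"reviewed_members": members, "republished_rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

For dependencies installed through pip rather than from a tarball, the equivalent is `pip install --require-hashes -r requirements.txt` with every line carrying a `--hash=sha256:...` value; pip then refuses any package, including transitive ones, that is not pinned or whose download does not match. Either way the digest is only as good as the review that produced it, which is the point of the message above: pinning makes updates visible, it does not make them safe.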