This also seems like a good time to reiterate an old comment of mine:
https://groups.google.com/g/sage-devel/c/Dq83PiiCAsU/m/RKSpD9_rDQAJ
...pasted below for your convenience.
On Tue, 21 Dec 2021 04:04:31 +0100, Lorenz Panny <l.s....@tue.nl> wrote:
> On Mon, 20 Dec 2021 14:41:27 +0100, Michael Orlitzky <mic...@orlitzky.com> wrote:
> > We already have 214 standard packages. That's 214 pieces of software
> > copy & pasted into the sage releases... and 214 SPKGs that the sage
> > developers need to keep updating, and 214 distro packages that every
> > distro maintainer needs to keep track of as dependencies of the sage
> > package.
>
> It's also 214 software packages which might, for all we know, at any
> time be hijacked by The Bad Guys to run arbitrarily malicious code on
> every Sage user's machine.
>
> This is terrifying.
>
> (For examples where the modern "import * from internet" mentality has
> led to security disasters, just search for terms like "malicious npm".
> Luckily it seems less bad with pip packages for now, but not for any
> real reason. Every single piece of code we import adds huge security
> questions, because updates to the dependency may be published at any
> time totally invisible to Sage developers and the review process used
> in Sage development. The build scripts will simply pull and run it.)
>
> We should reduce dependencies, not add more. _Especially_ when it's
> about non-essential convenience libraries.
> --
> You received this message because you are subscribed to the Google Groups
> "sage-devel" group. To unsubscribe from this group and stop receiving emails
> from it, send an email to sage-devel+...@googlegroups.com. To view
> this discussion on the web visit
> https://groups.google.com/d/msgid/sage-devel/CAGUWgD82%3DoROFFxZwrKZG6eB0Kd5GEKW8wrPw_Q4gm8WJjioCA%40mail.gmail.com.
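The quoted message's concern is a build script that fetches a dependency and runs whatever the upstream currently serves, so a silently republished release reaches every user. The usual mitigation is to record the digest of each dependency tarball at review time and refuse to unpack anything whose digest differs. The script below is an added illustration of that pin-and-verify step; it is not code from the sage-devel thread, from Sage's own build system, or from the message author. The package name libfoo-1.2.3 and the tarball contents are constructed stand-ins so the script runs offline; a real build would instead download the file and compare it against a digest stored in the repository.

```bash
#!/bin/sh
# Added example (not from the sage-devel thread or Sage's build system):
# a pin-and-verify step for a fetched dependency tarball. The build records
# the expected SHA-256 of each tarball at review time and refuses to build
# from a file whose digest differs, so an upstream republish or a hijacked
# release under the same file name cannot run during the build.

set -eu

# sha256 of a file, using whichever tool is present (sha256sum on Linux,
# shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 when the digest matches the pin, 1 otherwise (with a diagnostic).
verify_tarball() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING to build: $file has sha256 $actual, pinned $expected" >&2
        return 1
    fi
    echo "ok: $file matches pinned sha256"
    return 0
}

# Demo with constructed data: a stand-in "tarball" (hypothetical package
# libfoo-1.2.3) and a pin derived from it, then the same file name with
# different contents, as a republished or hijacked release would look.
demo() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    tarball="$tmp/libfoo-1.2.3.tar.gz"
    printf 'pretend this is libfoo-1.2.3.tar.gz\n' > "$tarball"
    pinned=$(sha256_of "$tarball")     # what the checksum file would record
    verify_tarball "$tarball" "$pinned"
    printf 'something else entirely\n' > "$tarball"
    if verify_tarball "$tarball" "$pinned"; then
        echo "BUG: tampered file accepted" >&2
        return 1
    fi
    echo "tampered file rejected"
    return 0
}
```

Note that a pinned digest only freezes the bytes that were reviewed; it does nothing about what was in the tarball at review time, and every version bump still has to be read by someone. Without the pin, though, the review is of a file that may no longer be the one the build pulls.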