You're paranoid. What's the big deal?
Running sudo pip install package-x is insanely dangerous. It is equivalent to giving a complete stranger root access on your machine.
You run pip as sudo, and pip runs setup.py as sudo, and setup.py can run system commands.
...in case you're wondering, that's bad.
What could possibly go wrong?
A couple of things.
First, typosquatting. You could make a typo or spelling mistake when installing a package, and a malicious typosquatting package could be installed instead. Imagine running sudo pip install uincode and installing a malicious package uincode, instead of sudo pip install unicode like you wanted.
Second, unintentional vulnerabilities. Developers of a package may unintentionally expose a security hole that, when run as root, turns a minor security risk into a major one. Say hello to bad dudes cruising the internet.
Third, you could squash your system Python. Many modern operating systems ship with a system Python that should be updated infrequently. Tacking on sudo lets pip overwrite the packages that system Python depends on, which can break your system.
Last, malicious packages. People do evil shit, especially when money's involved.
What should I do instead?
Use pyenv to maintain separate, side-by-side versions of Python.
Use virtualenv to install software into an isolated Python environment.
Add the --user flag to install to your home directory, obviating the need for sudo: pip install --user package-x
(At the very least, set up your Python so it doesn't require sudo access each time it installs things.)
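As an added example (not code from the original post), here is a small wrapper that applies two of the rules above before calling pip: it refuses to run with root privileges, and it warns when the requested name is one edit (including a swapped pair of letters, as in uincode) away from a well-known package. The list of known package names is a constructed sample, not a real index of PyPI.

```python
#!/usr/bin/env python3
"""Pre-install guard: refuse to run as root, flag likely typosquats, then pip install --user."""
import os
import subprocess
import sys

# Constructed sample of well-known names; a real check would use a much fuller list.
KNOWN_PACKAGES = {"unicode", "requests", "numpy", "urllib3", "setuptools", "six"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two adjacent letters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. "ni" <-> "in"
    return d[-1][-1]


def typosquat_candidates(name: str, known=KNOWN_PACKAGES, max_dist: int = 1) -> list:
    """Known names the requested one is within max_dist edits of (an exact match is not suspicious)."""
    name = name.lower()
    return sorted(k for k in known if k != name and edit_distance(name, k) <= max_dist)


def running_as_root() -> bool:
    """True when the effective user is root (always False on platforms without geteuid)."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


def safe_install(name: str) -> int:
    """Run the checks, then install into the user site; returns a shell-style exit code."""
    if running_as_root():
        print("refusing to run pip as root: setup.py can run system commands", file=sys.stderr)
        return 1
    near = typosquat_candidates(name)
    if near:
        print(f"'{name}' is one typo away from {near}; refusing to install it blindly", file=sys.stderr)
        return 2
    return subprocess.call([sys.executable, "-m", "pip", "install", "--user", name])


if __name__ == "__main__":
    sys.exit(safe_install(sys.argv[1]))
```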
How do I adjust my mindset?
So just remind yourself of this, each time you type pip:
setup.py can run system commands.
setup.py can run system commands.
setup.py can run system commands.
Never forget. Don't be a sheep. Trust no one.
@charlesreid1 is a full-time data engineer and part-time bot-wrangler working on bioinformatics problems at UC Davis.