On Monday, September 18, 2017 at 3:40:33 PM UTC-7, Volker Braun wrote:
>
> On Monday, September 18, 2017 at 9:38:30 PM UTC+2, Nils Bruin wrote:
>>
>> In reality this is increasingly not the case anymore: sage pulls in
>> packages from "Pypi" when installing
>>
>
> A normal install (i.e. running "make") does not pull packages from pypi.
> Obviously we don't have the resources to security audit every dependency,
> but at least you can be assured that you are installing the same packages
> as when the release was made.
>
Thank you for correcting me on this! Clearly I was wrong (the fact that we package pip so that people can use it explicitly themselves is of course not a "trust" concern here).

Indeed, scanning the build logs suggests that the downloads triggered by "make build" are all from sagemath.org mirrors. So a concerned sysadmin would "just" have to inspect the files there.
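As an added illustration of the log check described in the reply above (this is not code from the thread or from Sage itself), the script below scans build-log lines for download URLs and reports any whose host is not sagemath.org or a subdomain of it. The log line format, the mirror host names and the file names are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines; the "[sage] Downloading <url>" format is an
# assumption for this example, not Sage's real build-log format.
SAMPLE_LOG = """\
[sage] Downloading https://mirror1.sagemath.org/spkg/upstream/example/example-1.0.tar.bz2
[sage] Downloading http://files.sagemath.org/spkg/upstream/other/other-2.3.tar.gz
[sage] Downloading https://pypi.org/packages/source/e/example/example-1.0.tar.gz
[sage] Verified checksum for example-1.0.tar.bz2
"""

TRUSTED_DOMAIN = "sagemath.org"
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def is_trusted_host(host: str) -> bool:
    """True only for sagemath.org itself or a subdomain of it.

    A suffix match on ".sagemath.org" rejects look-alikes such as
    "evilsagemath.org" and "sagemath.org.example.net".
    """
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def untrusted_downloads(log_text: str):
    """Return (line_number, url) for each URL whose host is outside sagemath.org."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if not is_trusted_host(host):
                findings.append((line_no, url))
    return findings


if __name__ == "__main__":
    for line_no, url in untrusted_downloads(SAMPLE_LOG):
        print(f"line {line_no}: download from non-sagemath.org host: {url}")
```

Run against a real build log, an empty result supports the claim that every download came from a sagemath.org mirror; any hit is a host worth explaining before trusting the build.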