I agree with onpon4. In addition, pip does not require cryptographic package signing using tools such as GPG so you could be downloading altered packages if someone breaks into the PyPI website and replaces a package with a malicious version.

PyPI did in fact contain malicious packages in the past - the issue was reported online, e.g. here:

https://developers.slashdot.org/story/17/09/16/2030229/pythons-official-repository-included-10-malicious-typo-squatting-modules

Of course the package signing problem can also occur on code repositories such as GitLab as well if those do not impose GPG signing of commits (which I gather most do not). Of course the GNU/Linux package managers do not solve the problem if they grab code from such code repositories without verifying the cryptographic signatures of the original developers.

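As an added example (not part of the post above, and not pip's own code), the check behind pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`) written out in Python: parse a requirements file that pins each package with `--hash=sha256:...` and verify a downloaded artifact against it, so a package replaced on the index fails verification even though PyPI requires no GPG signature. The package names, artifact bytes and requirements text are constructed for the demo.

```python
import hashlib
import re

# Constructed sample: the bytes of a legitimate artifact and a tampered copy.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel bytes for demo-pkg 1.0.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected code"

# Constructed requirements file in pip's hash-checking format; a pinned
# version may carry several --hash entries (one per wheel/sdist file).
REQUIREMENTS = (
    "demo-pkg==1.0.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(GOOD_WHEEL).hexdigest() + "\n"
    "other-pkg==2.0 --hash=sha256:" + "0" * 64 + "\n"
)

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==(\S+)")
HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")


def parse_hash_pins(text):
    """Return {name: {(algorithm, hexdigest), ...}} for every pinned requirement."""
    pins = {}
    # Join backslash continuations so one requirement is one logical line.
    for line in text.replace("\\\n", " ").splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        name = match.group(1).lower()
        hashes = {(alg.lower(), digest.lower()) for alg, digest in HASH_RE.findall(line)}
        if not hashes:
            # pip's --require-hashes rejects a file that pins without hashes.
            raise ValueError(f"{name}: pinned without --hash, cannot be verified")
        pins[name] = hashes
    return pins


def verify_artifact(name, data, pins):
    """True only if the artifact's digest matches an allowed hash for that package."""
    allowed = pins.get(name.lower())
    if not allowed:
        return False  # an unpinned package is not trusted at all
    return any(hashlib.new(alg, data).hexdigest() == digest for alg, digest in allowed)


if __name__ == "__main__":
    pins = parse_hash_pins(REQUIREMENTS)
    print("good artifact accepted:", verify_artifact("demo-pkg", GOOD_WHEEL, pins))
    print("tampered artifact accepted:", verify_artifact("demo-pkg", TAMPERED_WHEEL, pins))
```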