auraham | 4 hours ago

This week I was wondering whether using uv for managing Python versions is a good idea. From their website [1]:

> Python does not publish official distributable binaries. As such, uv uses distributions from the Astral python-build-standalone project. See the Python distributions documentation for more details.

It points to this GitHub repo https://github.com/astral-sh/python-build-standalone which mentions this other link https://gregoryszorc.com/docs/python-build-standalone/main/r...

If I understand correctly, the source code for building Python is not fetched directly from python.org. Not so sure how secure that is.

I have the same concern for asdf [2]. However, they use pyenv [3] which, I think, feels more official.

Can someone clarify this? Which tool is better/more secure for installing Python: uv or asdf?

[1] https://docs.astral.sh/uv/guides/install-python/
[2] https://github.com/asdf-community/asdf-python
[3] https://github.com/pyenv/pyenv/tree/master/plugins/python-bu...
woodruffw | 4 hours ago
> If I understand correctly, the source code for building Python is not fetched directly from python.org. Not so sure how secure that is.

python-build-standalone fetches CPython sources directly from python.org [1]. I don't even know where else we would get them from!

[1]: https://github.com/astral-sh/python-build-standalone/blob/a2...
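Whichever tool produces the interpreter, the check a defender can run locally is the same: compare the downloaded artifact against a published checksum list before installing it. The script below is an added example, not code from this thread, from uv, asdf, pyenv or python-build-standalone; it assumes a checksum file in the `sha256sum` output format ("hex digest, two spaces, filename"), and the artifact name and bytes it uses are constructed for the demo, not a real release.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse 'digest  filename' lines (sha256sum output format) into {filename: digest}.

    Rejects malformed lines instead of silently skipping them, so a truncated or
    corrupted checksum file fails closed rather than verifying nothing.
    """
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: Path, sums_text: str) -> bool:
    """True only if the file's digest matches the entry for its name in sums_text.

    A file that is not listed at all is an error, not a pass: an attacker who can
    drop an extra filename next to the real one should not get a free 'verified'.
    """
    expected = parse_sha256sums(sums_text)
    name = Path(path).name
    if name not in expected:
        raise KeyError(f"{name} is not listed in the checksum file")
    actual = sha256_of_file(path)
    # constant-time comparison: not strictly needed for a public digest, but cheap
    return hmac.compare_digest(actual, expected[name])


def demo() -> tuple[bool, bool]:
    """Constructed end-to-end run: an intact download verifies, a modified one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        # constructed artifact name and contents; no real release is downloaded
        artifact = Path(tmp) / "cpython-3.12.0-example-x86_64-unknown-linux-gnu.tar.zst"
        artifact.write_bytes(b"not a real tarball, just constructed sample bytes\n")
        sums = f"{sha256_of_file(artifact)}  {artifact.name}\n"
        intact_ok = verify_artifact(artifact, sums)

        # simulate a corrupted or substituted download of the same filename
        artifact.write_bytes(b"not a real tarball, just TAMPERED sample bytes\n")
        tampered_ok = verify_artifact(artifact, sums)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The checksum file itself has to come from a channel you trust more than the download (the release page over HTTPS, or pinned in your own repo after a one-time review); a digest fetched from the same untrusted mirror as the tarball verifies nothing.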
throawayonthe | 4 hours ago
I mean... uv is already a binary you run on your computer to manage Python binaries, packages (and any binaries with those), systemwide tools etc; how much does it change whether they build the Python binaries or someone else?