sudo pip is for global packages, virtualenv for literally everything else. Neither venv nor pipenv will prevent you getting pwnd if you're careless enough to install a malicious package. They are not effective security measures.
Using sudo pip on distros that provide native Python packages (apt-get install python-numpy, etc.) is calling for trouble.
Fair enough. I do prefer the native package manager route when it's an option, but in those cases it's generally handled automatically as a dependency anyways. Really, 99.99% of all manual pip interactions should be happening in some sandbox env anyways. Regardless, it's better practice to understand and respect root ops rather than fear them, because sometimes they are necessary.
When would a pip install --user not suffice instead of a global install?
We see it when we're installing an application that will be used by another user account, since ~/.local/lib (or the equivalent) isn't shared. This is pretty rare in a development environment, but it comes up frequently in an administered multi-user setup (say a shared workstation or batch cluster). Sometimes service accounts as well, depending on what they're doing.
After running pip with sudo in my Arch Linux I messed up some of my system files. And now the whole system is broken.