With such paranoia I have a better idea for you: create code in a default notebook and compile it outside of your computer.
For example here -
https://repl.it/languages/python3
You know the best way to do that? Read the original source of what you're replicating, then write your "inspirational" version. You'd probably end up coming to the conclusion, in more than 90% of cases, that the original was better.
Also, I very much doubt that you check all dependencies and source code for applications, of course, unless you're using only 2-3 Python applications and don't have any offline life (or unless you work in a code audit company), because it's impossible for one person to do, due to the number of updates, the amount of source code, etc.

Right, I didn't say that though. It's a simple case of checking the history of other projects using that library.
If you want, and don't trust how pip downloads packages, you can download wheels from
https://pypi.org/simple/ and set them up yourself with pip's help (building with pip on your local computer).

That gives you identical security to using pip, the SSL certificate for
https://pypi.org, so that makes zero difference.
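The step that actually adds something beyond the TLS certificate, whether you let pip fetch the wheel or download it from https://pypi.org/simple/ yourself, is checking the file against a pinned hash before installing it from the local path. Added example, not code posted by anyone in this thread: it performs the same check pip's `--require-hashes` mode does, on a constructed stand-in for a wheel; the package name and digests are constructed.

```python
"""Verify a locally downloaded wheel against a pinned hash, as pip
--require-hashes does, before installing it with pip from a local path."""
from __future__ import annotations

import hashlib
import re
from pathlib import Path

# Matches the --hash=<algo>:<hex> tokens pip accepts in a requirements file.
_HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<hex>[0-9a-fA-F]+)")


def parse_pinned_hashes(requirement_line: str) -> dict[str, set[str]]:
    """Return {algorithm: {allowed hex digests}} from one requirements line."""
    pinned: dict[str, set[str]] = {}
    for m in _HASH_RE.finditer(requirement_line):
        pinned.setdefault(m.group("algo"), set()).add(m.group("hex").lower())
    return pinned


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the wheel contents with the given algorithm."""
    return hashlib.new(algo, data).hexdigest()


def wheel_matches_pin(wheel_bytes: bytes, requirement_line: str) -> bool:
    """True only if the requirement carries at least one pin and the wheel
    matches one of them. An unpinned requirement is rejected outright,
    mirroring pip's --require-hashes behaviour."""
    pinned = parse_pinned_hashes(requirement_line)
    if not pinned:
        return False
    return any(digest_bytes(wheel_bytes, algo) in hexes for algo, hexes in pinned.items())


def verify_wheel_file(path: str, requirement_line: str) -> bool:
    """Read a downloaded wheel from disk and check it against the pin."""
    return wheel_matches_pin(Path(path).read_bytes(), requirement_line)


if __name__ == "__main__":
    # Constructed sample bytes standing in for a downloaded wheel file.
    sample_wheel = b"PK\x03\x04 constructed placeholder wheel content"
    good_pin = f"example-pkg==1.0.0 --hash=sha256:{digest_bytes(sample_wheel)}"
    bad_pin = "example-pkg==1.0.0 --hash=sha256:" + "0" * 64
    print("good pin:", wheel_matches_pin(sample_wheel, good_pin))
    print("bad pin:", wheel_matches_pin(sample_wheel, bad_pin))
    print("no pin:", wheel_matches_pin(sample_wheel, "example-pkg==1.0.0"))
```

With a real requirements file the equivalent is `pip install --require-hashes -r requirements.txt`; the point of the manual check is that a wheel whose bytes changed since the hash was pinned fails even though it arrived over a valid TLS connection.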
I don't get why doing basic 5-10 minutes research on Python libraries, then using the OS package manager to dl or compile them is paranoid. I do far more extreme things in the name of security, and it's on computers I'm, guess what, using Bitcoin with.
I hope you're lucky enough to avoid any malware with your "saner" approach. If I'm crazy, I'd prefer to stay that way if it means I can avoid malware theft of my BTC.