To be fair it has some valid use cases, take ruff for example.
But pip/pypi does not have any proper security at all, and just blocking binary blobs wouldn’t make a difference when you can freely execute any python code during installation - Much like downloading an executable from any site online, you are expected to make sure you can trust whoever uploaded what you are downloading.
You could say the same about other sites like GitHub too.
To be fair it has some valid use cases, take ruff for example.
But pip/pypi does not have any proper security at all, and just blocking binary blobs wouldn’t make a difference when you can freely execute any python code during installation - Much like downloading an executable from any site online, you are expected to make sure you can trust whoever uploaded what you are downloading. You could say the same about other sites like GitHub too.