I am using virtualenv. I know that using pip install <package_name> inside a Python virtual environment will isolate that package (the package is only to be found inside the virtual environment). What about installing a package inside a Python virtual environment using these methods: sudo pip install, sudo apt-get install, or building the package from source? Will they isolate the package? Is the package going to be installed on the whole system?
You only use sudo or elevated permissions when you want to install stuff for the global, system-wide Python installation.
A bonus is that virtualenv does not need elevated permissions.
It's best to always try to avoid sudo pip install, also for pip usage on an OS without virtualenv.
Instead, consider using pip install --user, or pyenv as I use.
With a pyenv installation on the OS, Python is always in user mode and there is never a need for sudo pip install.
edwinksl Wrote: When you run pip with sudo, you run setup.py with sudo.
In other words, you run arbitrary Python code from the Internet as root.
If someone puts up a malicious project on PyPI and you install it, you give an attacker root access to your machine.
Prior to some recent fixes to pip and PyPI, an attacker could also run a man-in-the-middle attack to inject their code when you download a trustworthy project.
I also use -n <env name> to make sure that it is only installed in that env.
Some will say you don't need to do that, but I feel why not be safe.
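Why sudo pip install does not stay inside an activated environment, as an added example that is not part of the thread: it compares which pip is found on an activated PATH with the one found on the PATH sudo substitutes. It assumes sudo is configured with a secure_path (the directory list below is constructed) and uses placeholder pip files in a temporary directory.

```python
import os
import shutil
import stat
import sys
import tempfile

# Assumption: a typical sudoers secure_path (constructed; check your own /etc/sudoers).
SECURE_PATH = ["usr/local/sbin", "usr/local/bin", "usr/sbin", "usr/bin"]
VENV_BIN = "home/user/venv/bin"  # hypothetical virtualenv location


def make_fake_pip(directory):
    """Create an executable placeholder named pip so shutil.which can find it."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, "pip")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(path, stat.S_IRWXU)
    return path


def resolve_pip(root, activated, under_sudo):
    """Return the pip a shell would pick for the given PATH situation."""
    search = [os.path.join(root, d) for d in SECURE_PATH]
    if activated and not under_sudo:
        # Activation only prepends the venv's bin directory to PATH.
        search.insert(0, os.path.join(root, VENV_BIN))
    # Under sudo with secure_path, the activated PATH entry is discarded.
    return shutil.which("pip", path=os.pathsep.join(search))


def in_virtualenv():
    """True when this interpreter runs inside a venv or virtualenv."""
    base = getattr(sys, "base_prefix", sys.prefix)
    return sys.prefix != base or hasattr(sys, "real_prefix")


def demo():
    """Build a fake filesystem and report which pip wins in each case."""
    with tempfile.TemporaryDirectory() as root:
        venv_pip = make_fake_pip(os.path.join(root, VENV_BIN))
        system_pip = make_fake_pip(os.path.join(root, "usr/bin"))
        return {
            "activated_uses_venv_pip": resolve_pip(root, True, False) == venv_pip,
            "sudo_uses_system_pip": resolve_pip(root, True, True) == system_pip,
        }


if __name__ == "__main__":
    print(demo(), "| in venv:", in_virtualenv(), "| root:", os.geteuid() == 0)
```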