Pip vs conda

I run Python in Jupyter Lab. In the past, I’ve installed Jupyter using conda, but conda’s large footprint annoys me. For example, I hate the way it changes my command-line prompt to “(base)” (though I gather there is a way around that particular problem).

I am tempted to install Jupyter with pip, but I’ve seen reports that it is insecure. Is pip more dangerous than conda, or does conda suffer similar vulnerability?

conda is a whole different software packaging system that is not limited to Python software.

If this is the warning you are referring to, it’s rather badly written:

The Proton VPN Linux app uses Python and relies on other Python software tools (dependencies) installed from official Linux distribution sources.
Python allows you to install software from unofficial sources like PyPI using pip. But pip is a powerful tool that you should use very carefully.
When you install unofficial Python packages using pip, the newly-installed packages may override official Linux distribution packages. This can break other Python software that relies on them, including the Proton VPN app. It can also install malware.
You should exercise extreme caution using pip. We recommend you only use pip if you’re a tech-savvy user.

PyPI is the official Python package registry. Proton VPN could publish their app there if they wanted. pip simply installs what you ask it to—it’s not “insecure”. If you ask it to install a malicious package, it will.

What the warning is trying to say is that one should not mix “system packages”, for example packages installed with dnf, with packages from software forges—like PyPI, the Rust crates.io registry and so on—because system packages are built against other system packages. So, dnf is built with a particular set of dependencies, and if you replace these with other versions (from PyPI or another source), you will most likely break dnf. Similarly, if you replace a Python library with another nearly identical one, but with some malicious code in it, you then end up running the malicious code.

This is why, for Python packages, one should use a virtual environment—as they have also noted. How you create and manage the virtual environment is up to you. You can use pip, or conda, or uv, or another tool. They’re all just package managers that support particular registries. (We must still have some idea of what packages to install and what to avoid, as is sort of always expected of us.)

3 Likes
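The reply above makes two points that are easy to check mechanically: whether the interpreter you are about to `pip install` into is actually an isolated environment, and whether a module resolves to the venv, to `~/.local` (a `pip install --user` that shadows distro packages), to the distro-managed site-packages (dnf), or to the standard library. The script below is an added example, not code from the thread or from any of the projects mentioned; the labels, the default module list, and the `~/.venvs/jupyter` path in the error message are assumptions chosen for illustration, and the Fedora-style paths only appear in the usage description.

```python
"""Check whether this Python is an isolated environment and where each module
actually imports from, so a stray 'pip install' outside a venv is noticed
before it shadows distro-managed packages. Added example, not from the thread."""
import importlib.util
import os
import site
import sys
import sysconfig


def in_virtualenv(prefix=None, base_prefix=None, environ=None):
    """True for an isolated env. A PEP 405 venv makes sys.prefix differ from
    sys.base_prefix; conda/mamba/micromamba export CONDA_PREFIX when activated."""
    prefix = sys.prefix if prefix is None else prefix
    base_prefix = sys.base_prefix if base_prefix is None else base_prefix
    environ = os.environ if environ is None else environ
    return prefix != base_prefix or "CONDA_PREFIX" in environ


def require_virtualenv():
    """Same idea as pip's PIP_REQUIRE_VIRTUALENV=1: refuse to proceed outside an env.
    The suggested venv path is an assumption, not a convention of any project."""
    if not in_virtualenv():
        raise SystemExit("refusing to run outside a virtual environment; create one "
                         "with 'python3 -m venv ~/.venvs/jupyter' and activate it")
    return True


def _under(path, directory):
    """True when an absolute path lies inside directory."""
    return path.startswith(os.path.join(os.path.abspath(directory), ""))


def classify_origin(origin, system_dirs, user_site, stdlib_dir, env_prefix):
    """Label a module's file location (labels are this example's own):
      'builtin' - compiled into the interpreter
      'env'     - inside the active venv/conda env (where pip installs should go)
      'user'    - ~/.local site-packages ('pip install --user'); these win over
                  distro packages for this user and can break tools such as dnf
      'system'  - distro-managed site-packages (installed by dnf)
      'stdlib'  - the interpreter's standard library
      'other'   - anything else (PYTHONPATH, .pth entries, namespace packages)
    System site-packages are checked before the stdlib because on Fedora
    /usr/lib/python3.X/site-packages is nested inside the stdlib directory."""
    if origin == "built-in":
        return "builtin"
    if origin == "frozen":
        return "stdlib"
    if origin is None:  # namespace package: no single file to locate
        return "other"
    path = os.path.abspath(origin)
    if env_prefix and _under(path, env_prefix):
        return "env"
    if user_site and _under(path, user_site):
        return "user"
    if any(_under(path, d) for d in system_dirs):
        return "system"
    if stdlib_dir and _under(path, stdlib_dir):
        return "stdlib"
    return "other"


def report(module_names):
    """Map each module name to the label of the file it would be imported from."""
    # Only treat sys.prefix as "the env" when we really are inside one; otherwise
    # everything under /usr would be mislabelled as 'env'.
    env_prefix = os.environ.get("CONDA_PREFIX", sys.prefix) if in_virtualenv() else None
    stdlib_dir = sysconfig.get_paths()["stdlib"]
    # Distro site-packages belong to the base interpreter (lib and lib64 on Fedora).
    system_dirs = site.getsitepackages([sys.base_prefix, sys.base_exec_prefix])
    user_site = site.getusersitepackages()
    result = {}
    for name in module_names:
        try:
            spec = importlib.util.find_spec(name)
        except (ImportError, ValueError):  # missing parent package, or __spec__ is None
            spec = None
        result[name] = ("missing" if spec is None else
                        classify_origin(spec.origin, system_dirs, user_site, stdlib_dir, env_prefix))
    return result


if __name__ == "__main__":
    names = sys.argv[1:] or ["sys", "json", "jupyterlab", "requests"]  # default list is arbitrary
    print("isolated environment:", in_virtualenv())
    for name, where in report(names).items():
        print(f"{name:14} {where}")
```

Run it once from the system interpreter and once after `source ~/.venvs/jupyter/bin/activate` (or `conda activate`): the first line flips from False to True, and a package that reports `user` or `system` when you expected `env` is exactly the "override official Linux distribution packages" situation the Proton VPN warning describes.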

There are more lightweight tools that are compatible with conda, and install conda packages - I use Micromamba (available in Fedora repos).

Edit: as of Fedora 43, Micromamba is no longer in the repos, but mamba is (functionally it’s basically the same, but a slightly larger package)

1 Like