All,

I'm not sure how openSUSE looks at packages or libraries obtained from PyPI, but I've followed a couple of fairly shocking stories in the past two weeks alone related to Python malware distributed via packages obtained from PyPI. The Register summarizes in:

https://www.theregister.com/2023/01/09/pypi_aws_malware_key/?utm_source=daily&utm_medium=newsletter&utm_content=article

with the PyTorch story on Jan 5:

https://www.theregister.com/2023/01/04/pypi_pytorch_dependency_attack/?utm_source=daily&utm_medium=newsletter&utm_content=top-article

I don't do a lot with Python, other than keep up with it and marvel at how the includes and libraries have grown like weeds in a vacant lot for Python3. I know enough to know that pulling libraries via PyPI is an often-used and convenient way to handle dependencies.

That raises the question - is there anything specific, or any tool openSUSE has looked at, that may help prevent pulling in bad dependencies that are infected? (Other than discouraging this manner of obtaining Python code?)

--
David C. Rankin, J.D., P.E.