I'm new to Ubuntu, so please bear with me. I installed pip using this command: sudo apt-get -y install python-pip. Then I installed NLTK using the command on their website, which was: sudo pip install -U nltk. But then I stumbled on this question that says that everything I did was a "broken practice". The line that struck me the most was that using sudo pip is inherently wrong and that giving pip too much force could damage operating system files. Can anyone validate this claim?
Note – I only used sudo because when I tried the command apt-get -y install python-pip it gave me 2 errors:
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
Best Answer
Both sudo pip install and its other common variant sudo -H pip install should not be encouraged, because it is a security risk to use root privileges to run pip to install Python packages from PyPI (Python Package Index). From https://stackoverflow.com/a/21056000/486919 (emphasis mine):
As mentioned at https://security.stackexchange.com/a/79327/8761, it is important to note that anyone can upload Python packages, including malicious ones, to PyPI.
In short, in accordance with the principle of least privilege, don't use sudo with pip to install Python packages from PyPI unless you absolutely need to. Instead, consider using pip install --user (note that pip install with no sudo and no additional flags/options defaults to pip install --user on Ubuntu currently) or virtual environments (such as virtualenv). If you see people recommending sudo pip or sudo -H pip, please tell them not to.
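The least-privilege rule from the answer above, turned into a small POSIX shell wrapper. This is an added example, not code from the Ask Ubuntu answer or from pip itself; the function names pip_install_mode and safe_pip, and the PIP_DRY_RUN variable, are assumptions made here. It refuses to run pip when the caller is root or came in through sudo (SUDO_USER is set), installs into the active virtual environment when VIRTUAL_ENV is set, and otherwise falls back to pip install --user, so a package from PyPI can never write outside the user's home directory.

```shell
#!/bin/sh
# Hypothetical helper (added example): decide how pip should install a package
# without root privileges. Prints one of: venv, user, refuse.
#   $1 = effective uid of the caller (0 means root)
#   $2 = value of VIRTUAL_ENV (empty when no virtual environment is active)
#   $3 = value of SUDO_USER (non-empty when invoked through sudo)
pip_install_mode() {
    euid="$1"
    venv="$2"
    sudo_user="$3"
    # Root, or a sudo session: PyPI code would run with write access to
    # system files, which is exactly what the answer warns against.
    if [ -n "$sudo_user" ] || [ "$euid" -eq 0 ]; then
        echo refuse
        return 0
    fi
    # An active virtual environment already confines the install to its own tree.
    if [ -n "$venv" ]; then
        echo venv
        return 0
    fi
    # Default: per-user site-packages under $HOME.
    echo user
}

# Hypothetical wrapper (added example): run pip in the mode chosen above.
# Set PIP_DRY_RUN=1 to print the command instead of executing it.
safe_pip() {
    mode=$(pip_install_mode "$(id -u)" "${VIRTUAL_ENV:-}" "${SUDO_USER:-}")
    case "$mode" in
        refuse)
            echo "safe_pip: refusing to run pip as root; use a venv or pip install --user" >&2
            return 1 ;;
        venv)
            set -- pip install "$@" ;;
        user)
            set -- pip install --user "$@" ;;
    esac
    if [ "${PIP_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Example invocation (dry run so nothing is downloaded):
#   PIP_DRY_RUN=1 safe_pip -U nltk
```

Used as PIP_DRY_RUN=1 safe_pip -U nltk from an ordinary shell it prints pip install --user -U nltk; under sudo it prints the refusal and exits non-zero. The decision logic is kept in its own function so it can be checked with explicit uid and environment values independent of the machine it runs on.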