Hi Kayla,

.0002 tldr = if things are frozen you're relatively safe.  no need to overthink things.  we used deepfreeze for ~10 years and never had a problem running r studio, various python apps etc...

that said "it could be better"

if you have some resources i can't say enough nice things about running jupyterhub - for pedagogy and general user onboarding it's just a huge time saver and lets you standardize deployments and environments easily.

depending on the number of concurrent users the littlest jupyter hub is https://tljh.jupyter.org/ is a relatively simple deploy

with great plugins for multiple language support https://vatlab.github.io/sos-docs/

and other support features you can dial in a lot of processes and if you want to take it more seriously you can have containerized environments for your users or they can run compute locally and have a standardized hub to coordinate from

https://cdsdashboards.readthedocs.io/en/stable/ = let's you set up private streamlit and gradio environments for sharing apps

and if you've got some chops https://nebari.dev/ is a one-stop-shop data science hub in a box

and yeah.  pip can definitely be used to install malware.  aside from relying on DNS there have exploits over the years that are serious

https://www.fortinet.com/blog/threat-research/malicious-packages-hidden-in-pypl

but i still think if you're doing this for training on frozen boxes you don't need to scaremonger folks.  it's probably going to be fine

the guy who does the streamlit dashboard plugins is also available for deployment support i think?  anyhow - best of luck with all of it and glad to hear other ideas

________________________________________
From: Code for Libraries <[log in to unmask]> on behalf of Abner, Kayla <[log in to unmask]>
Sent: Wednesday, December 3, 2025 9:20 AM
To: [log in to unmask]
Subject: [CODE4LIB] Python Environments for a Lab Setup

Hello all,

I have been working on a Python installation for our new Data Analysis and Visualization Lab. The lab will contain some higher-powered computers for analysis and viz, somewhere between a personal PC and an HPC. While we will provide access to SPSS, Tableau, etc., many of our researchers are using Python and R.

When I learned Python, we used Anaconda. We can't use Anaconda in this environment because of the licensing issues, so this is my first time setting up a Python computing environment "from scratch." Our IT strongly prefers that we don't allow patrons to install Python packages themselves. Setup basics:

  *
Install Python, Visual Studio Code, and Jupyter Lab
  *
Use requirements.txt file to preload expected packages (I'm still figuring this out)
     *
Pandas, plotly, etc.
  *
All machines will be "deep frozen," meaning they will revert back to their previous state upon restart when the patron is finished working.

Questions:

  *
Should we encourage or require patrons to use a virtual environment for their projects? If so, how?
     *
My current understanding is that this isn't necessary or helpful since the computers will be frozen.
  *
Do we need to worry about security if patrons can install their own packages? I understood Python packages to be vetted by the community, and not really the same as installing other software. Is it possible for a package installed through pip to be malware?

I greatly appreciate any guidance or ideas you all have!

Stay well,

----

Kayla Abner

(she/her)

Data Visualization and Analysis Librarian

Research Data and Design Commons

Library, Museums and Press

University of Delaware

[log in to unmask]<mailto:[log in to unmask]>

Book time to meet with me<https://calendly.com/kabner-gx9j/consultation>

Wellbeing Notice: My working hours may not be your working hours.  Please reply at a time that is convenient for you.



**The University of Delaware, a land grant institution, is located on land that was and continues to be vital to the web of life of the Nanticoke and Lenni-Lenape people. We express gratitude and honor the people who have inhabited, cultivated, and nourished this land for thousands of years, even after their attempted forced removal during the colonial era and early federal period. The University of Delaware also financially benefitted from the expropriation of Indigenous territories in the region colonially known as Montana. View the full Living Land Acknowledgement<https://sites.udel.edu/antiracism-initiative/committees/american-indian-and-indigenous-relations/living-land-acknowledgement/#Living_Land_Acknowledgement>.**

[cid:50eb4e4f-4c8d-4194-9167-7b2d0032f44e]