Largely depends on what kind of "frozen" setup is happening. If everything
is encased in a VM, and that VM is getting reset every time someone logs
off, it's probably fine. Anything else, probably not great for security if
you allow the patrons to install things themselves.

Best practice for Python is to always use a virtual environment (so you
don't ruin your system-level Python with a bunch of packages). Anaconda
does things a little differently than default, but under the hood
everything is a virtual environment.

You could potentially use uv (https://docs.astral.sh/uv/) which is a Python
library that both deals with package installation and virtual
environments (and installs things much faster due to it being written in
Rust).

Alternatively, Google Colab (https://colab.research.google.com/) or the
various alternatives offer a way for folks to do things in the cloud,
instead of locally, which might be a good option so you don't have to set
anything up on your own machines.

On Wed, Dec 3, 2025 at 8:51 AM parker, anson D (adp6j) <
[log in to unmask]> wrote:
> Hi Kayla,
>
> .0002 tldr = if things are frozen you're relatively safe. no need to
> overthink things. we used deepfreeze for ~10 years and never had a problem
> running r studio, various python apps etc...
>
> that said "it could be better"
>
> if you have some resources i can't say enough nice things about running
> jupyterhub - for pedagogy and general user onboarding it's just a huge time
> saver and lets you standardize deployments and environments easily.
>
> depending on the number of concurrent users the littlest jupyter hub
> (https://tljh.jupyter.org/) is a relatively simple deploy
>
> with great plugins for multiple language support
> https://vatlab.github.io/sos-docs/
>
> and other support features you can dial in a lot of processes and if you
> want to take it more seriously you can have containerized environments for
> your users or they can run compute locally and have a standardized hub to
> coordinate from
>
> https://cdsdashboards.readthedocs.io/en/stable/ = lets you set up
> private streamlit and gradio environments for sharing apps
>
> and if you've got some chops https://nebari.dev/ is a one-stop-shop data
> science hub in a box
>
> and yeah. pip can definitely be used to install malware. aside from
> relying on DNS there have been exploits over the years that are serious
>
>
> https://www.fortinet.com/blog/threat-research/malicious-packages-hidden-in-pypl
>
> but i still think if you're doing this for training on frozen boxes you
> don't need to scaremonger folks. it's probably going to be fine
>
> the guy who does the streamlit dashboard plugins is also available for
> deployment support i think? anyhow - best of luck with all of it and glad
> to hear other ideas
>
> ________________________________________
> From: Code for Libraries <[log in to unmask]> on behalf of Abner,
> Kayla <[log in to unmask]>
> Sent: Wednesday, December 3, 2025 9:20 AM
> To: [log in to unmask]
> Subject: [CODE4LIB] Python Environments for a Lab Setup
>
> Hello all,
>
> I have been working on a Python installation for our new Data Analysis and
> Visualization Lab. The lab will contain some higher-powered computers for
> analysis and viz, somewhere between a personal PC and an HPC. While we will
> provide access to SPSS, Tableau, etc., many of our researchers are using
> Python and R.
>
> When I learned Python, we used Anaconda. We can't use Anaconda in this
> environment because of the licensing issues, so this is my first time
> setting up a Python computing environment "from scratch." Our IT strongly
> prefers that we don't allow patrons to install Python packages themselves.
> Setup basics:
>
> * Install Python, Visual Studio Code, and Jupyter Lab
> * Use requirements.txt file to preload expected packages (I'm still figuring
>   this out)
> * Pandas, plotly, etc.
> * All machines will be "deep frozen," meaning they will revert back to their
>   previous state upon restart when the patron is finished working.
>
> Questions:
>
> * Should we encourage or require patrons to use a virtual environment for
>   their projects? If so, how?
> * My current understanding is that this isn't necessary or helpful since the
>   computers will be frozen.
> * Do we need to worry about security if patrons can install their own
>   packages? I understood Python packages to be vetted by the community, and
>   not really the same as installing other software. Is it possible for a
>   package installed through pip to be malware?
>
> I greatly appreciate any guidance or ideas you all have!
>
> Stay well,
>
> ----
>
> Kayla Abner
>
> (she/her)
>
> Data Visualization and Analysis Librarian
>
> Research Data and Design Commons
>
> Library, Museums and Press
>
> University of Delaware
>
> [log in to unmask]
>
> Book time to meet with me<https://calendly.com/kabner-gx9j/consultation>
>
> Wellbeing Notice: My working hours may not be your working hours. Please
> reply at a time that is convenient for you.
>
>
>
> **The University of Delaware, a land grant institution, is located on land
> that was and continues to be vital to the web of life of the Nanticoke and
> Lenni-Lenape people. We express gratitude and honor the people who have
> inhabited, cultivated, and nourished this land for thousands of years, even
> after their attempted forced removal during the colonial era and early
> federal period. The University of Delaware also financially benefitted from
> the expropriation of Indigenous territories in the region colonially known
> as Montana. View the full Living Land Acknowledgement<
> https://sites.udel.edu/antiracism-initiative/committees/american-indian-and-indigenous-relations/living-land-acknowledgement/#Living_Land_Acknowledgement
> >.**
>
--
Brian Wu
Email: [log in to unmask]
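
For the requirements.txt preload and the pip malware question raised in this thread, an added example (not code from any of the posters): a check that a lab's requirements file is fully locked before it is baked into the frozen image. Every entry should be pinned with == and carry a sha256 hash, which is what `pip install --require-hashes -r requirements.txt` enforces; the package versions, URLs and the all-zero digest below are constructed placeholders.

```python
import re
# An exact pin such as name==1.2.3 (wildcards like ==1.* do not count).
PINNED = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]+\])?\s*==\s*[0-9][^\s;*]*(\s|;|$)")
HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}(\s|$)")
SOURCE_OPTS = ("-i", "--index-url", "--extra-index-url", "--find-links")

FAKE = "0" * 64  # placeholder digest, not a real package hash
# Constructed sample file: one locked entry followed by four findings.
SAMPLE = f"""\
# lab baseline (constructed)
pandas==2.2.3 \\
    --hash=sha256:{FAKE}
plotly>=5.0
jupyterlab==4.2.5  # pinned but unhashed
git+https://example.invalid/lab/repo.git#egg=labtools
--extra-index-url https://example.invalid/simple
"""

def logical_lines(text):
    """Join backslash continuations, strip comments, skip blank lines."""
    for line in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()
        if line:
            yield line

def audit(text):
    """Map each risky entry to the reasons it is not fully locked."""
    findings = {}
    for line in logical_lines(text):
        first, reasons = line.split()[0], []
        if first.startswith("-"):
            opt = first.split("=")[0]
            if opt in SOURCE_OPTS:
                reasons.append("adds or changes a package source")
        elif "://" in first:
            reasons.append("direct URL or VCS install, not an index release")
        else:
            if not PINNED.match(line):
                reasons.append("not pinned to an exact version with ==")
            if not HASH.search(line):
                reasons.append("no sha256 hash")
        if reasons:
            findings[first] = reasons
    return findings

if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE).items():
        print(f"{entry}: {'; '.join(reasons)}")
```

An empty result from `audit()` means the file is a candidate for hash-checked installation into the image; it says nothing about whether the pinned releases themselves are trustworthy.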