
Security: Torcken/linepipe


SECURITY.md

Security Policy

Supported Use

Linepipe manages pipx packages through a GTK interface. It can install, upgrade, uninstall, inject dependencies into, and run Python applications managed by pipx. Treat these actions as package-management operations with user-level system impact.

Installation Security

Non-technical users should prefer signed release packages such as .deb or .rpm once they become available. Installing from source is intended for experienced users who understand that installing from a checkout runs the Python packaging code contained in that checkout on the local machine.

Do not run installer scripts from an untrusted clone. Verify the source or release artifact first; see VERIFYING.md.

Reporting Vulnerabilities

Please report security issues privately before opening a public issue.

Preferred report contents:

  • Affected version or commit.
  • Operating system and install method.
  • Reproduction steps.
  • Expected and actual impact.
  • Any relevant logs, screenshots, or terminal output.

If a private security advisory channel is available on the project host, use it. Otherwise, contact the maintainer through the project repository profile and keep details private until a fix is available.

Security Expectations

Linepipe should:

  • Avoid shell execution for user-controlled inputs.
  • Validate package names, URLs, and executable names before use.
  • Open only safe external web URLs.
  • Keep privileged system package installation out of the default path.
  • Prefer signed native packages for beginner installation.
  • Preserve user configuration unless removal is explicitly requested.
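
As an added example (not code from Linepipe itself), the following Python sketches how the first three expectations can be enforced in a pipx front end: package and executable names are checked against a conservative pattern, web URLs are limited to http/https with a host, and pipx is invoked with an argument list rather than a shell string. The function names and patterns are assumptions, not Linepipe's API.

```python
import re
import subprocess
from typing import List, Optional
from urllib.parse import urlparse

# Assumed pattern, modelled on the PyPI/PEP 508 project-name shape:
# alphanumerics joined by ".", "_" or "-", starting and ending with an
# alphanumeric. Requiring a leading alphanumeric also rejects
# option-looking values such as "--pip-args=..." or "-rf".
_PKG_NAME_RE = re.compile(r"^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$", re.I)
# Conservative allowlist for app/executable names: no path separators,
# no leading "-" or ".", so "../bin/sh" and "-rf" are refused.
_EXE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
_SAFE_URL_SCHEMES = {"http", "https"}
_ACTIONS = {"install", "upgrade", "uninstall", "inject"}


def is_valid_package_name(name: str) -> bool:
    return bool(_PKG_NAME_RE.match(name))


def is_valid_executable_name(name: str) -> bool:
    return bool(_EXE_NAME_RE.match(name))


def is_safe_web_url(url: str) -> bool:
    # Only web schemes with a host; file:, javascript:, data: are refused.
    parts = urlparse(url)
    return parts.scheme.lower() in _SAFE_URL_SCHEMES and bool(parts.netloc)


def build_pipx_argv(action: str, package: str,
                    inject_into: Optional[str] = None) -> List[str]:
    """Return a validated argv list for pipx; nothing is joined into a shell string."""
    if action not in _ACTIONS:
        raise ValueError(f"unsupported pipx action: {action!r}")
    if not is_valid_package_name(package):
        raise ValueError(f"refusing suspicious package name: {package!r}")
    argv = ["pipx", action]
    if action == "inject":
        if inject_into is None or not is_valid_package_name(inject_into):
            raise ValueError("inject requires a valid target package name")
        argv.append(inject_into)
    argv.append(package)
    return argv


def run_pipx(argv: List[str]) -> subprocess.CompletedProcess:
    # argv list + shell=False: metacharacters in arguments reach pipx as
    # literal text, never a shell. Not exercised by the checks below.
    return subprocess.run(argv, shell=False, capture_output=True, text=True)
```

The validators run before any argument reaches pipx, so a crafted package name is rejected with a ValueError rather than reaching a subprocess.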

Out of Scope

Linepipe cannot guarantee the safety of third-party packages installed through pipx or PyPI. Users are responsible for trusting the packages they choose to install, upgrade, run, or inject.
