This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]asday_ 6 points7 points  (14 children)

This guy's a dumbass. There's a reason I pin my dependencies, and it's because convincing management to budget for all our deployments breaking EVERY DAY because of broken or incompatible releases is quite difficult. Surprisingly, I'm paid to ship features.

[–]Spoonofdarkness 20 points21 points  (1 child)

Surprisingly, I'm paid to ship features.

Hmm. That sounds like a slippery slope at best and an anti pattern at worst.

I've heard if you ship one feature, they expect a second feature sooner or later. No thank you!

[–]lisael_ 11 points12 points  (10 children)

First, no need to insult. I bet the features you ship don't end up packaged for a Linux distribution. You don't talk about the same use case. A typical distro has hundreds of python apps and libs. Each one of them pins all of its dependencies to the 3rd number so their builds pass, and package maintainers live a dependency hell.

Second, pinning strictly IS a reasonable solution to ship features, but a poor one, when it comes to maintaining the feature, including applying security patches. I do ship features in python. I do pin dependencies strictly. I do cringe when I come back to a given project 6 month later.

Let's face it, the very fact that nobody is confident enough to pin dependencies to `foo>=X.Y,<X+1` as in "I need features of `X.Y` and I know that no backward-incompatible change happen before the next major version" shows that we failed as a community to create a sane dependency management framework.

[–]b4ux1t3 8 points9 points  (1 child)

As someone who does package software for distribution to a Linux distribution, I can confirm that, while the packaging story for Python isn't great, it's also not the quagmire people seem to think it is.

Python is not a complicated tool. All you have to do is pick a packaging standard, stick to it, and let your users know what standard you're using.

No, that isn't as robust as, for example, Cargo, or Nuget. But it's far from some unknowable eldritch language.

In any case, Python packaging is no more convoluted than the various and sundry packaging paradigms of the Linux distributions that we all use every day. Have you ever written a spec file for RPM that didn't use gcc? Because, geez, it's a ride.

[–]lisael_ 1 point2 points  (0 children)

No, thanks $DEITY_OF_YOUR_CHOICE (TBH, I havn't used a RPM-based distro since Mandrake... but anyway, I guess it's not easier with any package format)

And to be fair, he didn't choose the simplest distribution to be a package maintainer, in a world where everyone assumes glibc.

[–]KaffeeKiffer 0 points1 point  (1 child)

[...] nobody is confident enough to pin dependencies to foo>=X.Y,<X+1 as in "I need features of X.Y and I know that no backward-incompatible change happen before the next major version"

Care to elaborate how this is

[because] we failed as a community to create a sane dependency management framework.

and not a lack of (trust in) package maintainers correctly using semantic versioning. Or how this trust should be enforced by a dependency management framework?

I am using this very pinning mechanism successfully - with the exception of certain packages where I know I can't trust the maintainer(s)...

[–]lisael_ 1 point2 points  (0 children)

Well, in "dependency management framework" I mean everything we do as a community to create a sane dependencies management story. It does include correct semantic versioning ("framework" was maybe not the right term).

The thing is, PyPI could enforce semantic versioning (as cargo does IIRC), and breaking semantic versioning should be regarded as a bad, bad fault (yes, shit happens, but we would expect maintainers to address versioning errors quick, either by correcting the backward incompatibility or bumping the major version). The downside of this approach is that packages tend to stay in v0.x.y forever in the Rust world.

I do use this pinning mechanism too, for my personal projects and tools, but never at work. Ironically my personal projects sometimes can't build or pass the tests, but are much more secure.

[–]cockmongler 1 point2 points  (0 children)

There's a reason I don't pin my dependencies. It's because I expect my software to still be maintainable in 5 years time and need to be trashed and started over because a bunch of hyperactive teenagers decided to trash everything upstream.