
Why can't Python do proper dependency management?

In Node.js we use npm. Modules are downloaded per project and packaging is easy.

In Java we use Maven/Gradle. It has never been so easy to build and download libraries and package your project.

But in Python? No, it's not easy. You have to use virtualenv first so pip/Anaconda won't download globally, then you must write setup.py in a million different ways. Packaging and distribution to clients? Good luck with that.

Comments
  • 0
    Yeah, this really threw me off when I tried to learn Python. I'm a Node guy myself, btw.
  • 1
    Hahaha, don't be funny, Node's package management is just a pile of shit. It's as bad as Python's. The comparison is ridiculous.
  • 0
    @kpenc Why is it shit? Because the modules take disk space? Is disk space really the first thing you should be worried about?
  • 0
    I am a novice in Python, but I suggest using Anaconda for Python, if you have not yet.

    I, somehow, feel more at home with conda than with pip.
  • 2
    Npm is a curse. Easy to use? Sure. Easy to depend on a pile of crap? Definitely.

    Best thing about 'hard' managers and more difficult languages is you tend to get libraries that people spent a bit more effort on.
  • 0
    @Froot well, the tree structure is a mess, with multiple versions of the same dependency at the same time. And I don't know how someone can say that virtualenv is different from a JS project with local dependencies. My main point was that you are opposing two package managers which are both bad and are very similar. :D JS fanboyism or any other is not good. BTW I'm a FE dev.
  • 2
    How about the good old requirements.txt?
  • 0
    See what you'll find for C++...
  • 0
    @thepra
    No thanks, I don't want to kill myself.
    I tried C++ with WinAPI once. I nearly puked. That language is horrible.
  • 1
    @thepra There are a few C++ package managers. We use Hunter based on CMake, which is really awesome. Yes it pulls in dependencies too.

    @clovisIrex no reason to use WINAPI. Use cross-platform code as it looks cleaner too.
  • 0
    @xsacha
    I actually did it as part of a malware reverse engineering course, along with x86 assembly
  • 0
    @kpenc Yeah, but isn't that a problem only from a disk size perspective? Disk space is the last thing I worry about in my projects (apart from the DB) since it's cheap. I'm more concerned about whether the packages work and are easy to set up. If I can take a project, run "npm install" followed by "node main" and it works right away, then I call that good package management. Setting up a project is a breeze and I couldn't care less if it took 100 MB more of my HDD; it's not like disk space is expensive these days.
  • 0
    @xsacha are there alternatives to Qt for multiplatform? I tried it a few years back when I was still making games with C++, but it was so strange for some reason.
  • 0
    @Codex404
    Electron and Java (Swing, JavaFX) come to my mind.
  • 0
    @clovisIrex that isn't C++ though.
  • 1
    @Froot npm (and its packaging model in general) has quite a few issues:

    * it can download, compile and run any source/binary with user permissions
    * by default it requires internet access to run
    * no package signing
    * run by private for profit company
    * a few other minor issues that were already mentioned here (i.e. HDD space usage)

    While it is usable and some of its deficiencies can be hotfixed by the user, I'd say that it is better suited for smaller deployments than for large, secure systems. For those bigger projects, it can be a pain to hotfix all of its problems.
  • 0
    @tnnn no package signing seems like the only real downside here. It needs internet? It's a package manager, you use it to download packages, of course it needs internet. Run by a private company? That's a world view thing, doesn't bother me one bit. Can download, compile and run stuff? Again, it's a package manager, that's what they do. I like my package manager to handle that stuff for me. I'm not going to compile my packages manually, why would I?

    As for the signing, what do you mean by that? Like a certificate? Could be a silly question, but isn't SSL with proper certs enough? I mean you must implicitly trust the package manager site anyway, so what's there to verify?
  • 0
    What's wrong with:
    autoenv
    pip install X
    pip freeze > requirements.txt

    Then
    pip install -r requirements.txt on the server?

    With Flask, you install what you need, and forget what you don't.
  • 0
    @Froot Nope, you use a package manager to manage packages ;) The source of those packages can vary: they can be downloaded from the internet, from a local mirror, provided directly as files, etc. Larger projects often employ build environments that are severely restricted, and granting outbound internet access is not an option.

    Depending on a single company providing a free service? OK for a personal project, not so much for an enterprise. The company can be bought out by a competitor, go bankrupt, decide that some module is against their TOS, etc.

    What I meant by 'compile and run' was downloading an arbitrary tarball from an internet location, compiling and then running it. While I'm OK with downloading prebuilt packages from a secure location, running something downloaded from a location that is beyond my and my service provider's (npm's) control is a potential security risk.

    Compiling my sources is the responsibility of my build system, which may or may not include a package manager. (...)
  • 0
    @Froot Using SSL is important, but it's not enough. By signing I mean package signatures, that is, a digital signature that confirms that a specific package was prepared/built by its author/build server. Many Linux distros use GPG to sign their packages. Even if the package download location is compromised, your system should not be affected, as it will simply refuse to use a modified package. By no means must I trust any single package manager site (there may even be no site); I must only trust the package author and the build system that built the package. We can even go further and discuss the need for reproducible builds: this way you can check if the prebuilt package was really created from the source you can see.

    As I've said, npm has its uses, but I wouldn't call its use 'simple' in large projects. If you can sacrifice some security and stability (left-pad, I'm looking at you ;D) for simplicity, then so be it.
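Added example, not code posted by anyone in this thread: it ties the pip freeze / requirements.txt workflow suggested a few comments up to the point made here that transport security alone does not verify the package. pip's hash-checking mode (requirements lines carrying --hash=sha256:... pins, installed with --require-hashes) binds each artifact to its content rather than to the site it came from. The script below is a simplified model of that check, written from scratch, not pip's own code; the artifact bytes and package names are constructed placeholders so it runs offline.

```python
import hashlib
import re

# Constructed stand-ins for the artifact bytes a package index would serve.
# Real wheels are zip archives; these placeholder bytes only exist so the
# example runs offline.
ARTIFACTS = {
    ("flask", "2.3.0"): b"constructed: flask 2.3.0 wheel bytes",
    ("left-pad", "1.3.0"): b"constructed: left-pad 1.3.0 wheel bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_requirements(artifacts: dict) -> str:
    """Render requirements.txt lines in pip's hash-pin layout.

    Each entry becomes 'name==version \\' followed by an indented
    '--hash=sha256:<hex>' continuation line, the layout pip accepts
    under --require-hashes.
    """
    lines = []
    for (name, version), data in sorted(artifacts.items()):
        lines.append(f"{name}=={version} \\")
        lines.append(f"    --hash=sha256:{sha256_hex(data)}")
    return "\n".join(lines) + "\n"


_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)\s*(.*)$")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pinned(text: str) -> dict:
    """Parse pinned requirements into {name: (version, {sha256 hex digests})}.

    Backslash line continuations are joined first. A requirement without a
    sha256 pin is rejected outright, mirroring pip's all-or-nothing rule in
    hash-checking mode: one unpinned line would let unverified bytes in.
    """
    joined = text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _REQ_RE.match(line)
        if not match:
            raise ValueError(f"unparseable requirement: {line!r}")
        name, version, rest = match.groups()
        digests = set(_HASH_RE.findall(rest))
        if not digests:
            raise ValueError(f"{name}: no sha256 pin, refusing unpinned requirement")
        pins[name.lower()] = (version, digests)
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> bool:
    """Accept an artifact only if its name/version is pinned and its bytes match a pinned digest.

    The decision depends only on the bytes and the committed pins, not on the
    download location, so a compromised mirror or index cannot substitute a
    modified package without the pins file changing too.
    """
    pinned = pins.get(name.lower())
    if pinned is None:
        return False
    pinned_version, digests = pinned
    if pinned_version != version:
        return False
    return sha256_hex(data) in digests


def install_plan(downloaded: dict, pins: dict) -> dict:
    """Classify every downloaded artifact as 'ok' or 'rejected' against the pins."""
    return {
        name: "ok" if verify_artifact(name, version, data, pins) else "rejected"
        for (name, version), data in downloaded.items()
    }


if __name__ == "__main__":
    pins_text = pin_requirements(ARTIFACTS)
    print(pins_text)
    pins = parse_pinned(pins_text)

    # Simulate a tampered download path: same name and version, different
    # bytes. The pin rejects it even though "the site" served it over TLS.
    tampered = dict(ARTIFACTS)
    tampered[("flask", "2.3.0")] = b"constructed: flask 2.3.0 with an extra payload"
    print(install_plan(ARTIFACTS, pins))
    print(install_plan(tampered, pins))
```

A content hash pinned in the repository is weaker than a signature from the author (it tells you the bytes are the ones you reviewed, not who built them), but it already defeats the swapped-package case described above, and it is the cheapest upgrade to a plain pip freeze output.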
  • 0
    @tnnn Interesting stuff. I'll go read up about npm signing and such a bit.