Mailing List Archive: Python: Dev

Re: [Distutils] PEP 376 - from PyPM's point of view

Index | Next | Previous | View Threaded

p.f.moore at gmail

Jul 15, 2009, 3:10 AM

Post #1 of 24 (1768 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view

2009/7/15 Tarek Ziadé <ziade.tarek [at] gmail>:
> On Tue, Jul 14, 2009 at 2:12 AM, Sridhar
> Ratnakumar<sridharr [at] activestate> wrote:
>> Here are my comments regarding PEP 376 with respect to PyPM (the Python
>> package manager being developd at ActiveState)
>>
>>
>> Multiple versions: I understand that the PEP does not support
>> installation (thus uninstallation) of multiple versions of the same
>> package. Should this be explicitly mentioned in the PEP -- as
>> `get_distribution` API accepts only `name` argument, and not a `version`
>> argument?
>
> That's another can of worms ;)

:-)

> Before I answer here's a bit of background, i's a bit long but required, sorry
>
> For people that don't want to read the rest, here's the idea :
> multiple version support imho should
> be introduced later, if they are to be introduced, by extending PEP
> 302 protocol.

Disclaimer: I've only read the short version, so if some of this is
covered in the longer explanation, I apologise now.

-1.

In my view, multiple version support is not at all related to PEP 302
- or to core Python in general. The import statement has no concept of
versions, any version handling is done by explicit user manipulation
of sys.path.

PEP 302 is currently purely an import protocol. As such, it only cares
about locating the correct code to run to populate sys.modules['foo'].
Once the code has been located, there are a number of other details
that might be useful, hence the extensions like get_data,
get_filename, etc. But note that these are all *loader* extensions -
their starting point is an imported module.

The PEP 376 support I've just added is a *finder* extension, which is
working alongside the scanning of the container - but rather than
looking for modules, it's looking for distributions. Disappointingly
(for me) it turned out not to give much opportunity to share code -
the finder extensions could just as easily have been a completely
independent protocol.

PEP 376 support has added a requirement for 3 additional methods to
the existing 1 finder method in PEP 302. That's already a 300%
increase in complexity. I'm against adding any further complexity to
PEP 302 - in all honesty, I'd rather move towards PEP 376 defining its
*own* locator protocol and avoid any extra burden on PEP 302. I'm not
sure implementers of PEP 302 importers will even provide the current
PEP 376 extensions.

I propose that before the current prototype is turned into a final
(spec and) implementation, the PEP 302 extensions are extracted and
documented as an independent protocol, purely part of PEP 376. (This
*helps* implementers, as they can write support for, for example,
eggs, without needing to modify the existing egg importer). I'll
volunteer to do that work - but I won't start until the latest
iteration of questions and discussions has settled down and PEP 376
has achieved a stable form with the known issues addressed.

Of course, this is moving more and more towards saying that the design
of setuptools, with its generic means for locating distributions, etc
etc, is the right approach. We're reinventing the wheel here. But the
problem is that too many people dislike setuptools as it stands for it
to gain support. My understanding is that the current set of PEPs were
intended to be a stripped down, more generally acceptable subset of
setuptools. Let's keep them that way (and omit the complexities of
multi-version support).

If you want setuptools, you know where to get it...

Paul.
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

fuzzyman at voidspace

Jul 15, 2009, 3:17 AM

Post #2 of 24 (1726 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

Paul Moore wrote:
> 2009/7/15 Tarek Ziadé <ziade.tarek [at] gmail>:
>
>> On Tue, Jul 14, 2009 at 2:12 AM, Sridhar
>> Ratnakumar<sridharr [at] activestate> wrote:
>>
>>> Here are my comments regarding PEP 376 with respect to PyPM (the Python
>>> package manager being developd at ActiveState)
>>>
>>>
>>> Multiple versions: I understand that the PEP does not support
>>> installation (thus uninstallation) of multiple versions of the same
>>> package. Should this be explicitly mentioned in the PEP -- as
>>> `get_distribution` API accepts only `name` argument, and not a `version`
>>> argument?
>>>
>> That's another can of worms ;)
>>
>
> :-)
>
>
>> Before I answer here's a bit of background, i's a bit long but required, sorry
>>
>> For people that don't want to read the rest, here's the idea :
>> multiple version support imho should
>> be introduced later, if they are to be introduced, by extending PEP
>> 302 protocol.
>>
>
> Disclaimer: I've only read the short version, so if some of this is
> covered in the longer explanation, I apologise now.
>
> -1.
>

I agree. People with versioning issues *should* be using virtualenv.

Michael Foord

> In my view, multiple version support is not at all related to PEP 302
> - or to core Python in general. The import statement has no concept of
> versions, any version handling is done by explicit user manipulation
> of sys.path.
>
> PEP 302 is currently purely an import protocol. As such, it only cares
> about locating the correct code to run to populate sys.modules['foo'].
> Once the code has been located, there are a number of other details
> that might be useful, hence the extensions like get_data,
> get_filename, etc. But note that these are all *loader* extensions -
> their starting point is an imported module.
>
> The PEP 376 support I've just added is a *finder* extension, which is
> working alongside the scanning of the container - but rather than
> looking for modules, it's looking for distributions. Disappointingly
> (for me) it turned out not to give much opportunity to share code -
> the finder extensions could just as easily have been a completely
> independent protocol.
>
> PEP 376 support has added a requirement for 3 additional methods to
> the existing 1 finder method in PEP 302. That's already a 300%
> increase in complexity. I'm against adding any further complexity to
> PEP 302 - in all honesty, I'd rather move towards PEP 376 defining its
> *own* locator protocol and avoid any extra burden on PEP 302. I'm not
> sure implementers of PEP 302 importers will even provide the current
> PEP 376 extensions.
>
> I propose that before the current prototype is turned into a final
> (spec and) implementation, the PEP 302 extensions are extracted and
> documented as an independent protocol, purely part of PEP 376. (This
> *helps* implementers, as they can write support for, for example,
> eggs, without needing to modify the existing egg importer). I'll
> volunteer to do that work - but I won't start until the latest
> iteration of questions and discussions has settled down and PEP 376
> has achieved a stable form with the known issues addressed.
>
> Of course, this is moving more and more towards saying that the design
> of setuptools, with its generic means for locating distributions, etc
> etc, is the right approach. We're reinventing the wheel here. But the
> problem is that too many people dislike setuptools as it stands for it
> to gain support. My understanding is that the current set of PEPs were
> intended to be a stripped down, more generally acceptable subset of
> setuptools. Let's keep them that way (and omit the complexities of
> multi-version support).
>
> If you want setuptools, you know where to get it...
>
> Paul.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev [at] python
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/fuzzyman%40voidspace.org.uk
>

--
http://www.ironpythoninaction.com/

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

ziade.tarek at gmail

Jul 15, 2009, 7:00 AM

Post #3 of 24 (1726 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

On Wed, Jul 15, 2009 at 12:10 PM, Paul Moore<p.f.moore [at] gmail> wrote:
>
> Disclaimer: I've only read the short version, so if some of this is
> covered in the longer explanation, I apologise now.

Next time I won't put a short version ;)

>
> PEP 376 support has added a requirement for 3 additional methods to
> the existing 1 finder method in PEP 302. That's already a 300%
> increase in complexity. I'm against adding any further complexity to
> PEP 302 - in all honesty, I'd rather move towards PEP 376 defining its
> *own* locator protocol and avoid any extra burden on PEP 302. I'm not
> sure implementers of PEP 302 importers will even provide the current
> PEP 376 extensions.
>
> I propose that before the current prototype is turned into a final
> (spec and) implementation, the PEP 302 extensions are extracted and
> documented as an independent protocol, purely part of PEP 376. (This
> *helps* implementers, as they can write support for, for example,
> eggs, without needing to modify the existing egg importer). I'll
> volunteer to do that work - but I won't start until the latest
> iteration of questions and discussions has settled down and PEP 376
> has achieved a stable form with the known issues addressed.

Sure that makes sense. I am all for having these 302 extensions
flipped on PEP 376
side, then think about the "locator" protocol.

I am lagging a bit in the discussions, I have 10 messages left to read or so,
but the known issues I've listed so far are about the RECORD file and
absolute paths,
I am waiting for PJE example on the syntax he proposed for prefixes,
on the docutils example.

> Of course, this is moving more and more towards saying that the design
> of setuptools, with its generic means for locating distributions, etc
> etc, is the right approach.
> We're reinventing the wheel here. But the
> problem is that too many people dislike setuptools as it stands for it
> to gain support.

I don't think it's about setuptools design. I think it's more likely
to be about the fact
that there's no way in Python to install two different versions of the
same distribution
without "hiding" one from each other, using setuptools, virtualenv or
zc.buildout.

"installing" a distribution in Python means that its activated
globally, whereas people
need it locally at the application level.

> My understanding is that the current set of PEPs were
> intended to be a stripped down, more generally acceptable subset of
> setuptools. Let's keep them that way (and omit the complexities of
> multi-version support).
>
> If you want setuptools, you know where to get it...

Sure, but let's not forget that the multiple-version issue is a global
issue OS packagers
also meet. (setuptools is not the problem) :

- application Foo uses docutils 0.4 and doesn't work with docutils 0.5
- application Bar uses docutils 0.5

if docutils 0.5 is installed, Foo is broken, unless docutils 0.4 is
shipped with it.

So right now application developers must use tools to isolate their
dependencies from
the rest of the system, using virtualenv or zc.buildout, and ship the
dependencies with them.
So they are sure that their applications are not broken by the system.

This is not optimal of course, because you end up with several
occurences of the same
versions sometimes. And can be a nightmare for os packagers and maintainers.

And virtualenv and such tools are now required when you develop
applications (mid-size and large ones)
and the "good practice" is to avoid any installation of any
distributions in Python itself.

So basically "site-packages" is a distribution location that is
avoided by everyone because it doesn't
know how to handle multiple versions. If we had a multi-versions
support protocol, that would
help os packagers and application developers to be friends again imho ;)

Regards
Tarek

--
Tarek Ziadé | http://ziade.org
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

ziade.tarek at gmail

Jul 15, 2009, 7:03 AM

Post #4 of 24 (1733 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

On Wed, Jul 15, 2009 at 12:17 PM, Michael
Foord<fuzzyman [at] voidspace> wrote:
>> Disclaimer: I've only read the short version, so if some of this is
>> covered in the longer explanation, I apologise now.
>>
>> -1.
>>
>
> I agree. People with versioning issues *should* be using virtualenv.
>

Let's remove site-packages from Python then.
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

p.f.moore at gmail

Jul 15, 2009, 8:14 AM

Post #5 of 24 (1734 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

2009/7/15 Tarek Ziadé <ziade.tarek [at] gmail>:
> On Wed, Jul 15, 2009 at 12:17 PM, Michael
> Foord<fuzzyman [at] voidspace> wrote:
>>> Disclaimer: I've only read the short version, so if some of this is
>>> covered in the longer explanation, I apologise now.
>>>
>>> -1.
>>>
>>
>> I agree. People with versioning issues *should* be using virtualenv.
>>
>
> Let's remove site-packages from Python then.

If virtualenv/py2exe/cx_Freeze/py2app don't offer a solution, then
maybe you're right.

For me, py2exe (and a clean virtual machine if I require an absolutely
pristine environment, I guess virtualenv would help here too) does
what I need for application packaging. But I'll freely admit that my
needs are minimal.

Bluntly, as Python stands, import and sys.path do not offer any core
support for multiple versions. Custom solutions can be built on top of
that - that's what setuptools does. But they are precisely that -
custom solutions, and should be supported as such, outside the core
(and stdlib).

If standard Python support for multi-version imports is required (it's
not by me, but I accept that some people want it), then it should be
designed in thoughout:

- how do I import version 0.7.1 of package foo, rather than 0.7.2?
- how do I use foo 0.8 at my interactive prompt, and import bar 0.2
which relies on foo 0.7.1?
- what happens if I import foo 2.0 (which requires baz 0.1) and bar
1.5 (which requires baz 0.2)?
- what does "import foo" (without a version number) mean? Is it
different if it's at the command line or in bar 0.5 (which explicitly
declares a dependency on foo 0.7 in its setup.py)? Does the answer to
that mean that imports always need to read dependency information?
- does your head hurt yet? I could go on...

Any PEP dealing with multi versions should address these issues. It's
a big area, and I have no interest in it myself, but I do have an
interest in avoiding partial solutions which only look at some of the
questions that might arise.

Look - I really, really don't mind if people use setuptools. Honest.
But I do mind if core python gets changed to support little bits of
what setuptools does, adding complexity to deal with issues that
setuptools handles, but without making it possible to avoid using
setuptools. Where's the benefit to anyone then?

Paul.
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

him at online

Jul 15, 2009, 8:16 AM

Post #6 of 24 (1720 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

Tarek Ziadé wrote:
> So basically "site-packages" is a distribution location that is
> avoided by everyone because it doesn't
> know how to handle multiple versions.
I think you overrate the importance of having multiple versions of a
package available
for the same python interpreter. If you have m different versions of n
packages then
you could have n**m different combinations for an application so you need a
possiblilty to select one combination from n**m possible ones at application
startup time. Is this really worth it?

> If we had a multi-versions
> support protocol, that would
> help os packagers and application developers to be friends again imho ;)
>
> Let's remove site-packages from Python then.
The _one_ site-packages folder stands for _one_ python interpreter. All
the clever
efforts to provide a set of package versions at runtime to an
application (that uses
the singleton python interpreter) do logically create a new python
interpreter with
a site-packages folder that contains just the versions of the packages
the application
needs, unfortunately by mucking with PYTHONPATH and <package>.pth,
site.py etc
making it very difficult to understand what is happening for the joe
average python developer.

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

cournape at gmail

Jul 15, 2009, 8:22 AM

Post #7 of 24 (1724 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

On Wed, Jul 15, 2009 at 11:00 PM, Tarek ZiadÃ©<ziade.tarek [at] gmail> wrote:
> On Wed, Jul 15, 2009 at 12:10 PM, Paul Moore<p.f.moore [at] gmail> wrote:
>>
>> Disclaimer: I've only read the short version, so if some of this is
>> covered in the longer explanation, I apologise now.
>
> Next time I won't put a short version ;)
>
>
>>
>> PEP 376 support has added a requirement for 3 additional methods to
>> the existing 1 finder method in PEP 302. That's already a 300%
>> increase in complexity. I'm against adding any further complexity to
>> PEP 302 - in all honesty, I'd rather move towards PEP 376 defining its
>> *own* locator protocol and avoid any extra burden on PEP 302. I'm not
>> sure implementers of PEP 302 importers will even provide the current
>> PEP 376 extensions.
>>
>> I propose that before the current prototype is turned into a final
>> (spec and) implementation, the PEP 302 extensions are extracted and
>> documented as an independent protocol, purely part of PEP 376. (This
>> *helps* implementers, as they can write support for, for example,
>> eggs, without needing to modify the existing egg importer). I'll
>> volunteer to do that work - but I won't start until the latest
>> iteration of questions and discussions has settled down and PEP 376
>> has achieved a stable form with the known issues addressed.
>
> Sure that makes sense. I am all for having these 302 extensions
> flipped on PEP 376
> side, then think about the "locator" protocol.
>
> I am lagging a bit in the discussions, I have 10 messages left to read or so,
> but the known issues I've listed so far are about the RECORD file and
> absolute paths,
> I am waiting for PJE example on the syntax he proposed for prefixes,
> on the docutils example.
>
>> Of course, this is moving more and more towards saying that the design
>> of setuptools, with its generic means for locating distributions, etc
>> etc, is the right approach.
>> We're reinventing the wheel here. But the
>> problem is that too many people dislike setuptools as it stands for it
>> to gain support.
>
> I don't think it's about setuptools design. I think it's more likely
> to be about the fact
> that there's no way in Python to install two different versions of the
> same distribution
> without "hiding" one from each other, using setuptools, virtualenv or
> zc.buildout.
>
> "installing" a distribution in Python means that its activated
> globally, whereas people
> need it locally at the application level.
>
>> My understanding is that the current set of PEPs were
>> intended to be a stripped down, more generally acceptable subset of
>> setuptools. Let's keep them that way (and omit the complexities of
>> multi-version support).
>>
>> If you want setuptools, you know where to get it...
>
> Sure, but let's not forget that the multiple-version issue is a global
> issue OS packagers
> also meet. (setuptools is not the problem) :
>
> - application Foo uses docutils 0.4 and doesn't work with docutils 0.5
> - application Bar uses docutils 0.5
>
> if docutils 0.5 is installed, Foo is broken, unless docutils 0.4 is
> shipped with it.

As was stated by Debian packagers on the distutils ML, the problem is
that docutils 0.5 breaks packages which work with docutils 0.4 in the
first place.

http://www.mail-archive.com/distutils-sig [at] python/msg05775.html

And current hacks to work around lack of explicit version handling for
module import is a maintenance burden:

http://www.mail-archive.com/distutils-sig [at] python/msg05742.html

setuptools has given the incentive to use versioning as a workaround
for API/ABI compatibility. That's the core problem, and most problems
brought by setuptools (sys.path and .pth hacks with the unreliability
which ensued) are consequences of this. I don't see how virtualenv
solves anything in that regard for deployment issues. I doubt using
things like virtualenv will make OS packagers happy.

David
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

ziade.tarek at gmail

Jul 15, 2009, 8:51 AM

Post #8 of 24 (1713 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

On Wed, Jul 15, 2009 at 5:14 PM, Paul Moore<p.f.moore [at] gmail> wrote:
> 2009/7/15 Tarek Ziadé <ziade.tarek [at] gmail>:
>> On Wed, Jul 15, 2009 at 12:17 PM, Michael
>> Foord<fuzzyman [at] voidspace> wrote:
>>>> Disclaimer: I've only read the short version, so if some of this is
>>>> covered in the longer explanation, I apologise now.
>>>>
>>>> -1.
>>>>
>>>
>>> I agree. People with versioning issues *should* be using virtualenv.
>>>
>>
>> Let's remove site-packages from Python then.
>
> If virtualenv/py2exe/cx_Freeze/py2app don't offer a solution, then
> maybe you're right.

They do offer a solution, but these solution are hard to maintain from
a OS packager point of view.

In any case I don't see any use case to have a "site-packages"
remaining in Python itself.

> If standard Python support for multi-version imports is required (it's
> not by me, but I accept that some people want it), then it should be
> designed in thoughout:
> [..]
>
> Any PEP dealing with multi versions should address these issues. It's
> a big area, and I have no interest in it myself, but I do have an
> interest in avoiding partial solutions which only look at some of the
> questions that might arise.
>
> Look - I really, really don't mind if people use setuptools. Honest.
> But I do mind if core python gets changed to support little bits of
> what setuptools does, adding complexity to deal with issues that
> setuptools handles, but without making it possible to avoid using
> setuptools. Where's the benefit to anyone then?

I totally agree. But I think that the boundary between what Python+stdlib
should provide feature-wise and what third party packages provides is
still fuzzy and should
be made clearer.

At some point, third party projects are trying hard to isolate dependencies
because they can't do it with the execution environment Python sets by
default when
you launch a script or an interpreter.

site.py loads site-packages and user site-packages at startup
basically, and you can
use PYTHONPATH / sys.path to add more, but that's partially shared by all apps.

To address this issued, a project like zc.buildout will create a local
repository of distributions, and will
change sys.path on the fly so the local repository is used.

virtualenv on its side creates an isolated Python installation for
your application,

So If the stdlib doesn't provide a standard protocol that goes further
than that,
people that have this need will continue to use zc.buildout or
virtualenv and install many times
the same libs on a system.

It's perfectly fine from an application developer PoV, but it make
site-packages obsoletes and
every application installed that way looks like a black box for os
packagers. They don't want that.

At the end, application developers have to care about the way their applications
dependencies are installed, were they should just give the list of
those dependencies,
and let any package manager project install them.

If these matters are not adressed by Python sdtlib, then we should
remove the loading of
site-packages at Python startup completely, and make it cristal clear
that it's not the core/stdlib
problem.

Otherwise we should think hard about how to let os packagers manage a
single repository
of Python distributions (and multiple versions) and how application
developers could use them from within
their applications. This protocol imho could be in the sdtlib even if
the implementation
is outside, but that's just me.

In any case, these issues can be postponed after PEP 376, because
that's a another (bigger) part of the puzzle.

Regards
Tarek
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

p.f.moore at gmail

Jul 15, 2009, 8:59 AM

Post #9 of 24 (1721 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

2009/7/15 David Cournapeau <cournape [at] gmail>:
> As was stated by Debian packagers on the distutils ML, the problem is
> that docutils 0.5 breaks packages which work with docutils 0.4 in the
> first place.
>
> http://www.mail-archive.com/distutils-sig [at] python/msg05775.html
>
> And current hacks to work around lack of explicit version handling for
> module import is a maintenance burden:
>
> http://www.mail-archive.com/distutils-sig [at] python/msg05742.html
>
> setuptools has given the incentive to use versioning as a workaround
> for API/ABI compatibility. That's the core problem, and most problems
> brought by setuptools (sys.path and .pth hacks with the unreliability
> which ensued) are consequences of this. I don't see how virtualenv
> solves anything in that regard for deployment issues. I doubt using
> things like virtualenv will make OS packagers happy.

So, I think what you're saying is:

- The real issues is packages not maintaining backward compatibility (I agree)
- Setuptools is a workaround (I agree, at least it's *one* workaround)
- Virtualenv isn't a workaround (I don't know virtualenv, I'll take
your word for it)

Three points:

- When building *applications*, bundling everything (py2exe-style) is
an alternative workaround - universal on Windows, apparently uncommon
on Unix/Linux.
- When managing multiple packages in a "toolkit" style interactive
Python installation, I'm not aware of a good solution (other than
avoiding core that hits this issue in the first place).
- I do not believe that it's clear that sanctioning the setuptools
workaround as the "right" approach by building it into the Python
core/stdlib is the right thing to do.

Paul.
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

ziade.tarek at gmail

Jul 15, 2009, 9:00 AM

Post #10 of 24 (1728 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

On Wed, Jul 15, 2009 at 5:16 PM, Joachim König<him [at] online> wrote:
> Tarek Ziadé wrote:
>>
>> So basically "site-packages" is a distribution location that is
>> avoided by everyone because it doesn't
>> know how to handle multiple versions.
>
> I think you overrate the importance of having multiple versions of a package
> available
> for the same python interpreter. If you have m different versions of n
> packages then
> you could have n**m different combinations for an application so you need a
> possiblilty to select one combination from n**m possible ones at application
> startup time. Is this really worth it?

When you create an application that uses several libs, and when you
create your distribution,
you end up pinning a version for each one of your dependency to avoid
any problems.

While it's workable in a small application to list the dependencies in
a text file, and let your users
install them manually, it's impossible in bigger applications.

Applications based on Zope for example have **hundreds** of dependencies
you need to have installed, in very specific versions.

If you install a Zope 2 app on your system, and a Zope 3 one, you have
good chances of
breaking them because the "zope.schema" distribution is incompatible.

So either each application ships its own collection of dependencies
and ignore site-packages (that's what zope-based
applications does with zc.buildout), either they have a way to pick
the right version of each package.

>
>> If we had a multi-versions
>> support protocol, that would
>> help os packagers and application developers to be friends again imho ;)
>> Let's remove site-packages from Python then.
>
> The _one_ site-packages folder stands for _one_ python interpreter. All the
> clever
> efforts to provide a set of package versions at runtime to an application
> (that uses
> the singleton python interpreter) do logically create a new python
> interpreter with
> a site-packages folder that contains just the versions of the packages the
> application
> needs, unfortunately by mucking with PYTHONPATH and <package>.pth, site.py
> etc
> making it very difficult to understand what is happening for the joe average
> python developer.

That's what we have nowadays. python packages installed in different places,
and scripts tweaking the path to launch an application with them.
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

pje at telecommunity

Jul 15, 2009, 9:21 AM

Post #11 of 24 (1724 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

At 11:10 AM 7/15/2009 +0100, Paul Moore wrote:
>I propose that before the current prototype is turned into a final
>(spec and) implementation, the PEP 302 extensions are extracted and
>documented as an independent protocol, purely part of PEP 376. (This
>*helps* implementers, as they can write support for, for example,
>eggs, without needing to modify the existing egg importer).

Btw, this is why setuptools chose to implement these things as
adapters or generic functions in pkg_resources (and in the vestigial
bits that were added to python 2.5's pkgutil).

So as you can see, trying to solve these particular problems tends to
lead to reinventing setuptools or at least portions thereof. ;-)

>But the
>problem is that too many people dislike setuptools as it stands for it
>to gain support. My understanding is that the current set of PEPs were
>intended to be a stripped down, more generally acceptable subset of
>setuptools. Let's keep them that way (and omit the complexities of
>multi-version support).

Even without multi-version support, the parts of PEP 376 that aren't
about uninstallation are still reinventing chunks of
pkg_resources. Had pkg_resources been in the stdlib a couple years
back (note that bugs and changes in it are still quite rare), the PEP
376 bits for pkgutil could have been focused strictly on
uninstallation, and just reused pkg_resources API for finding
distributions, reading metadata, getting version info, etc. etc.

All that stuff is extremely stable code, very widely used for a very
long time. If politics is the only thing keeping it from being used,
then that's a pretty sad statement about the community, given that
pkg_resources is not to blame for 99% of what people complain about
in relation to setuptools. All pkg_resources does is find stuff (on
request) and maybe add it to sys.path (on request), pull out data and
metadata from distributions (on request), or set up namespace
packages (on request).

So if politics demands that it be rejected by association with
"setuptools", then just search-and-replace the API, PEP 8-ify it,
call it something different, and lie to everyone about where it came
from. I won't tell if you won't. ;-)

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

pje at telecommunity

Jul 15, 2009, 9:27 AM

Post #12 of 24 (1725 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

At 04:14 PM 7/15/2009 +0100, Paul Moore wrote:
>Look - I really, really don't mind if people use setuptools. Honest.
>But I do mind if core python gets changed to support little bits of
>what setuptools does, adding complexity to deal with issues that
>setuptools handles, but without making it possible to avoid using
>setuptools.

I don't see how that's being proposed. Nothing in PEP 376 requires
setuptools or any portion thereof, AFAICT.

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

pje at telecommunity

Jul 15, 2009, 9:30 AM

Post #13 of 24 (1715 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

At 05:16 PM 7/15/2009 +0200, Joachim König wrote:
>f you have m different versions of n packages then
>you could have n**m different combinations for an application so you need a
>possiblilty to select one combination from n**m possible ones at application
>startup time. Is this really worth it?

Obviously yes, as neither buildout nor setuptools would exist otherwise. ;-)
Nor would Fedora be packaging certain library versions as eggs
specifically to get certain multi-version scenarios to work.

The specific solutions for handling n*m problems aren't fantastic,
but they are clearly needed.

(Buildout, btw, actually hardwires the n*m choice at install time,
which is probably better for production situations than setuptools'
dynamic approach.)

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

pje at telecommunity

Jul 15, 2009, 9:34 AM

Post #14 of 24 (1727 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

At 04:59 PM 7/15/2009 +0100, Paul Moore wrote:
>- Virtualenv isn't a workaround (I don't know virtualenv, I'll take
>your word for it)

It's not one for system package maintainers because it would
effectively be managing multiple instances of 'python'. Really not a
suitable solution.

>- I do not believe that it's clear that sanctioning the setuptools
>workaround as the "right" approach by building it into the Python
>core/stdlib is the right thing to do.

I still don't understand how we're doing that.

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

rdmurray at bitdance

Jul 15, 2009, 9:49 AM

Post #15 of 24 (1729 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

On Wed, 15 Jul 2009 at 16:14, Paul Moore wrote:
> Bluntly, as Python stands, import and sys.path do not offer any core
> support for multiple versions. Custom solutions can be built on top of
> that - that's what setuptools does. But they are precisely that -
> custom solutions, and should be supported as such, outside the core
> (and stdlib).
>
> If standard Python support for multi-version imports is required (it's
> not by me, but I accept that some people want it), then it should be
> designed in thoughout:

Isn't this problem directly analogous to the '.so version' (*) problem?
Can we learn anything from the solution to that problem? Does not the
fact that a (standard) solution to that problem was required indicate
that a similar solution needs to be provided by core Python? (And yes,
it's out of scope for PEP 376).

--David

(*) or, for our Windows users, DLL Hell and the Side By Side Component
Sharing solution...
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

ziade.tarek at gmail

Jul 15, 2009, 10:07 AM

Post #16 of 24 (1730 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

2009/7/15 P.J. Eby <pje [at] telecommunity>:
[...]
> So if politics demands that it be rejected by association with "setuptools",
> then just search-and-replace the API, PEP 8-ify it, call it something
> different, and lie to everyone about where it came from. I won't tell if
> you won't. ;-)

While setuptools did address some issues, we are now adressing in PEP 376,
it does a *lot* of other things and it's impossible to extract the
features we would
want to re-use. e.g. what I would call the good bits.

The prototype code we are building on bitbucket is clear, easy to
understand, read and adopt and already PEP8-fied (which is required
for sdtlib inclusion)

Reading and understanding pkg_resources requires a lot of time.

A side note on setuptools, I don't mean to be rude here or to tell you
what you should do,
really, but:

While I am very glad that you are part of PEP 376 discussions, and
that you helped
on almost every section of it, I really don't understand why you
keep on pushing setuptools
*code* here and at distutils-SIG since you don't maintain it anymore
(the last commit is > 9 months)

Part of the rejection of setuptools is because of that and because you don't
bless anyone to maintain the project code base, or do releases,
neither to communicate clearly
on what's its roadmap.

Regards
Tarek
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

p.f.moore at gmail

Jul 15, 2009, 10:40 AM

Post #17 of 24 (1731 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

2009/7/15 P.J. Eby <pje [at] telecommunity>:
> At 11:10 AM 7/15/2009 +0100, Paul Moore wrote:
>>
>> I propose that before the current prototype is turned into a final
>> (spec and) implementation, the PEP 302 extensions are extracted and
>> documented as an independent protocol, purely part of PEP 376. (This
>> *helps* implementers, as they can write support for, for example,
>> eggs, without needing to modify the existing egg importer).
>
> Btw, this is why setuptools chose to implement these things as adapters or
> generic functions in pkg_resources (and in the vestigial bits that were
> added to python 2.5's pkgutil).
>
> So as you can see, trying to solve these particular problems tends to lead
> to reinventing setuptools or at least portions thereof. ;-)

Yes, that's the impression I'm getting :-)

And yet you seem resistant to reading any message into the fact that
people find it easier to solve the problems from scratch than to
extract the relevant parts of the existing code. To be explicit - it's
too flipping hard to identify, extract and tidy up the appropriate
bits of the setuptools code! (Disclaimer: I haven't looked at the code
for some time - if the style has changed utterly in the last 2 years
or so, so that it no longer resembles the style of the pkgutil code
you contributed to the stdlib, I'll retract that criticism of the
setuptools codebase).

>> But the
>> problem is that too many people dislike setuptools as it stands for it
>> to gain support. My understanding is that the current set of PEPs were
>> intended to be a stripped down, more generally acceptable subset of
>> setuptools. Let's keep them that way (and omit the complexities of
>> multi-version support).
>
> Even without multi-version support, the parts of PEP 376 that aren't about
> uninstallation are still reinventing chunks of pkg_resources. Had
> pkg_resources been in the stdlib a couple years back (note that bugs and
> changes in it are still quite rare), the PEP 376 bits for pkgutil could have
> been focused strictly on uninstallation, and just reused pkg_resources API
> for finding distributions, reading metadata, getting version info, etc. etc.
>
> All that stuff is extremely stable code, very widely used for a very long
> time. If politics is the only thing keeping it from being used, then that's
> a pretty sad statement about the community, given that pkg_resources is not
> to blame for 99% of what people complain about in relation to setuptools.
> All pkg_resources does is find stuff (on request) and maybe add it to
> sys.path (on request), pull out data and metadata from distributions (on
> request), or set up namespace packages (on request).

I don't think it's quite "politics" as you describe it. Maybe
"marketing", if you want a simple tag for it.

The problem is that the setuptools "brand name" is associated with a
lot of baggage, that maybe it doesn't deserve, but equally no-one
seems interested in addressing. It's certainly not a technical
argument at this point. And yet you counter criticisms with technical
responses. But if I recall the history correctly, one of the initial
goals of setuptools was to become a de-facto standard precisely by
marketing and filling the ecological niche - a goal it has achieved
fantastically well. The fact that in doing so it alienated certain
groups is a more or less inevitable consequence.

My argument - which you may well disagree with - is that the
"setuptools ecosystem" (by which I mean
setuptools/easy_install/pkg_resources/eggs and the various subsystems
around these) is documented in a way which is:

- confusing to the casual user
- not at all modular (ie, it's impossible to easily pick out individual "bits")
- full of new concepts, so it's hard to find an easy place to start from

There's not much technically at issue here, it's all about presentation.

> So if politics demands that it be rejected by association with "setuptools",
> then just search-and-replace the API, PEP 8-ify it, call it something
> different, and lie to everyone about where it came from. I won't tell if
> you won't. ;-)

Unless the documentation and code is cleaned up, it'll still be
obvious from the style where it came from - that's the problem. Who's
going to maintain the code within the standard library, and are they
happy with the style of the existing code - even with the serial
numbers filed off?

And of course, someone has to do the clean-up. It seems to me that the
fact that people are more inclined to reinvent the code than to try to
understand the existing codebase and pick out the relevant bits, says
something important about how easy it would be to maintain the
existing code within the Python core...

Paul.
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

chrism at plope

Jul 15, 2009, 10:47 AM

Post #18 of 24 (1719 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

I've been trying to follow this discussion now for weeks. The signal to noise
ratio is pretty low.

I'd love to have an stdlib solution for distribution packaging and installation.
But I think we might as well pack it up and go home if the folks whom are
contributing to the discussion "recreationally" (whom are not themselves
implementers and potential implementers or spec writers or potential spec
writers of packaging systems) continue to chime in on *every single issue*,
contributing only stop energy. It's just completely pointless.

- C

On 7/15/09 12:34 PM, P.J. Eby wrote:
> At 04:59 PM 7/15/2009 +0100, Paul Moore wrote:
>> - Virtualenv isn't a workaround (I don't know virtualenv, I'll take
>> your word for it)
>
> It's not one for system package maintainers because it would effectively
> be managing multiple instances of 'python'. Really not a suitable solution.
>
>
>> - I do not believe that it's clear that sanctioning the setuptools
>> workaround as the "right" approach by building it into the Python
>> core/stdlib is the right thing to do.
>
> I still don't understand how we're doing that.
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev [at] python
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> http://mail.python.org/mailman/options/python-dev/lists%40plope.com
>

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

SridharR at activestate

Jul 15, 2009, 10:52 AM

Post #19 of 24 (1722 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

On Wed, 15 Jul 2009 08:22:03 -0700, David Cournapeau <cournape [at] gmail>
wrote:

>> if docutils 0.5 is installed, Foo is broken, unless docutils 0.4 is
>> shipped with it.
> As was stated by Debian packagers on the distutils ML, the problem is
> that docutils 0.5 breaks packages which work with docutils 0.4 in the
> first place.

Thus I am -1 on multi-version support .. and would rather have the python
developers make their packages backward compatible just like what Armin
did with Jinja and Jinja2. Debian at the moment has only one package
"python-docutils" which is 0.5. How is a debian application supposed to
depend upon 0.4? With Jinja, there is no problem .. there are
'python-jinja' and 'python-jinja2'. Similarly, CherryPy should have gone
with renaming their package names to CherryPy2 and CherryPy3.

-srid

PS: Quoting from a fellow developer:

> > [...] it sounds like CherryPy 3.x is really an incompatible
> > module that just kept the old name. That is rather unfortunate, but can
> > sometimes happen.
> I have never seen a Python package changing its name (when significantly
> changing API, design, etc..). The only exception that comes to my mind
> is Jinja2 (renamed from 'Jinja'):
> [Armin] (...) Because we love backwards compatibility these changes will
> go into a package called "jinja2"
> <http://lucumr.pocoo.org/2008/4/13/jinja2-making-things-awesome>

Well, congrats to the Jinja team then! The others will eventually learn...
Mixing incompatible APIs in a single namespace and using a non-standardized
version numbering system to keep things apart creates a world of pain!

> The challenge however is in compartmentalizing versions according to
> their major release numbers. Versioning in the Python world is already a
> mess which we are beginning to sort out:
> http://wiki.python.org/moin/Distutils/VersionComparison (PyPM relies on
> this standard and the ongoing implementation - verlib.py)

How embarrassing for a cult that prides itself on having only one way for
everything they do... CPAN versions numbers are just as much if not
more of a mess, but at least you can argue that it is the price for there
being "more than one way to do it".
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

pje at telecommunity

Jul 15, 2009, 11:12 AM

Post #20 of 24 (1719 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

At 07:07 PM 7/15/2009 +0200, Tarek Ziadé wrote:
> Part of the rejection of setuptools is because of that and
> because you don't
> bless anyone to maintain the project code base, or do releases,
>neither to communicate clearly
> on what's its roadmap.

Jim Fulton and Ian Bicking have been officially blessed for *years*,
and I've posted plenty about what's on its roadmap.

>I really don't understand why you keep on pushing setuptools *code*

pkg_resources is not setuptools; its stability and revision history
are very different, as it addresses different problems.

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

pje at telecommunity

Jul 15, 2009, 11:20 AM

Post #21 of 24 (1719 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

At 06:40 PM 7/15/2009 +0100, Paul Moore wrote:
>And of course, someone has to do the clean-up. It seems to me that the
>fact that people are more inclined to reinvent the code than to try to
>understand the existing codebase and pick out the relevant bits, says
>something important about how easy it would be to maintain the
>existing code within the Python core...

That's normal for any code that contains "legacy" issues, which is
why people always prefer rewriting code they don't understand: it's
more fun to write than to read. However, as Joel Spolsky has well
explained, rewriting such code inevitably means that you must
re-learn the lessons that were learned by the original author.

It seems like a waste, but then, I suppose those lessons must be
relearned *some* way. I just think it'd be better if, having
re-learned most of the lessons by trying to rewrite, one could then
go back and learn the rest from the code. ;-)

That having been said, it's obviously a dead parrot... one which I
will now cease attempting to revive.

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

p.f.moore at gmail

Jul 15, 2009, 3:27 PM

Post #22 of 24 (1685 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

2009/7/15 Chris McDonough <chrism [at] plope>:
> I've been trying to follow this discussion now for weeks. The signal to
> noise ratio is pretty low.

I agree :-(

> I'd love to have an stdlib solution for distribution packaging and
> installation. But I think we might as well pack it up and go home if the
> folks whom are contributing to the discussion "recreationally" (whom are not
> themselves implementers and potential implementers or spec writers or
> potential spec writers of packaging systems) continue to chime in on *every
> single issue*, contributing only stop energy. It's just completely
> pointless.

I thought that as someone who is writing code for Tarek's PEP 376
prototype implementation, I counted as offering useful input. Thinking
further on what I've said, I'm no longer sure that's true.

I do think that at *some* point, the feedback from the non-packagers,
negative or irrelevant though it might be, needs to be requested and
considered. Maybe now isn't the right time, but it needs to be done at
some point.

Until then, I'll try to avoid adding to the noise.

Paul.
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

him at online

Jul 16, 2009, 5:26 AM

Post #23 of 24 (1658 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

P.J. Eby wrote:
> At 05:16 PM 7/15/2009 +0200, Joachim König wrote:
>> f you have m different versions of n packages then
>> you could have n**m different combinations for an application so you
>> need a
>> possiblilty to select one combination from n**m possible ones at
>> application
>> startup time. Is this really worth it?
>
> Obviously yes, as neither buildout nor setuptools would exist
> otherwise. ;-)
> Nor would Fedora be packaging certain library versions as eggs
> specifically to get certain multi-version scenarios to work.
>
> The specific solutions for handling n*m problems aren't fantastic, but
> they are clearly needed.
I still do not see the need.

IMO the whole obfuscation comes from fact that all versions of all
packages are installed into
one location where python automaticallly looks for packages and then
with a lot of magic the
packages are hidden from the interpreter and only specific requested
versions are made "visible"
to the interpreter at runtime.

Why do the package have to be installed there at the first place?

For an application it would be enough to have an additional directory on
its PYTHONPATH where
the packages required for this application would be installed. So a
package could be installed either
to the common directory ("site-packages") or an application specific
directory (e.g. something like
"app-packages/<appname>/"). This approach has been used by Zope2 with
its "private" lib/python
directory for years.

So one would have to set up the application specific packages before
running the application, but the
whole clutter of uncounted versions of the same package in one directory
could go away. The
"drawback" of this approach would be, that the same version of a package
would have to be installed
multiple times if needed by different applications.

_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

ncoghlan at gmail

Jul 16, 2009, 2:20 PM

Post #24 of 24 (1646 views)
Permalink

Re: [Distutils] PEP 376 - from PyPM's point of view [In reply to]

Joachim König wrote:
> So one would have to set up the application specific packages before
> running the application, but the
> whole clutter of uncounted versions of the same package in one directory
> could go away. The
> "drawback" of this approach would be, that the same version of a package
> would have to be installed
> multiple times if needed by different applications.

While this is a very common practice in the Windows world, it is far
less common in the *nix world of vendor managed packaging systems.

As for why it can be a problem, it (bundling libraries with
applications) makes security vulnerability management a *lot* more
difficult for system administrators. If a bug is found in a key library
(e.g. openssl) a dependency based system just needs to update the single
shared copy of that library. In a bundling system, you first have to
work out which of your applications contain an instance of that library
and then see if the application vendors have provided a security patch.
If any one of them hasn't released a patch and you can't patch it
yourself, then you either have to stop using that application or else
accept remaining exposed to the vulnerability.

The bundling approach also leads to applications being much bigger than
they need to be. That isn't much of a problem for desktop or server
systems these days, but can still be an issue in the embedded world.

As far as the idea of making bundling easier goes, we already
implemented that in 2.6 and 3.0. It's the whole reason that zip files
and directories are directly executable now: the named zip file or
directory itself is automatically added to sys.path, so the top level
"__main__.py" in that location can freely import any other co-located
modules and packages.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan [at] gmail | Brisbane, Australia
---------------------------------------------------------------
_______________________________________________
Python-Dev mailing list
Python-Dev [at] python
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/list-python-dev%40lists.gossamer-threads.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads