Steve Holden wrote:
> Seems to me that while all this is fine for developers and Python users
> it's completely unsatisfactory for people who just want to use Python
> applications. For them it's much easier if each application comes with
> all dependencies including the interpreter.
>
> This may seem wasteful, but it removes many of the version compatibility
> issues that otherwise bog things down.
>

The upfront cost of bundling is lower but the maintenance cost is higher. For instance, OS vendors have developed many ways of being notified of and dealing with security issues. If there's a security issue with gtkmozdev and the python bindings to it have to be recompiled, OS vendors will be alerted to it and have the opportunity to release updates on zero day, the day that the security announcement goes out.

Bundled applications suffer in two ways here:

1) the developers of the applications are unlikely to be on vendor-sec and so the opportunity for zero day fixes is lower.

2) the developer becomes responsible for fixing problems with the libraries, something that they often do not. This is especially true when developers start depending, not only on newer features of some libraries, but older versions of others (for API changes). It's not clear to many developers that requiring a newer version of a library is at least supported by upstream whereas requiring an older version leaves them as the sole responsible party.

3) Over time, bundled libraries tend to become forked versions. And worse, privately forked versions. If three python apps all use slightly different older versions of libfoo-python and have backported fixes, added new features, etc it is a nightmare for a system administrator or packager to get them running with a single version from the system library or forward port them. And because they're private forks the developers lose out on collaborating on security, bugfixes, etc because they are doing their work in isolation from the other forks.

-Toshio
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com