Tom Keffer <[email protected]> writes:

> One of the reasons why I have come to prefer using pip and virtual
> environments over the package installers. It's super easy to maintain
> "known-good" versions of the Python run environment.

Yes, but this leads to having multiple copies of everything and no way to audit that any of them are out of date. And when they are, you can't update them without breaking the property you want, that they are the known-working ones.

Once a library is no longer maintained, there's no reason to expect any vulnerabilities to be noticed or reported, so I consider no-longer-maintained versions as basically unsafe (in a mild perhaps kind of way, but still).

The real issue is that projects maintaining libraries break backwards compatibility, and on the other hand LTS distributions have egregiously old code. Thus projects like weewx have to support the current as well as very old releases, or users have trouble.

If that ends up being too hard, I lean to supporting the current release and as far back as isn't painful, not worrying too much about LTS. That's what I've done maintaining unison, where we've desupported quite old ocaml versions still in LTS distributions.

In this case, it seems the source adaptation wasn't that hard, which was fortunate. If this is hard for some library, that's a clue that the library is too unstable to use, which I realize is easier said than actually switching away from.
