HackerTrans
TopNewTrendsCommentsPastAskShowJobs

oblvious-earth

no profile record

Submissions

A post by Guido van Rossum removed for violating Python community guidelines

discuss.python.org
247 points·by oblvious-earth·قبل سنتين·261 comments

comments

oblvious-earth
·قبل 4 أشهر·discuss
OpenAI just acquired Astral who have an index service called pyx, so they would have a step up.

My understanding though is most corporations that take security seriously either build everything themselves in a sandbox, or use something like JFrog's Artifactory with various security checks, and don't let users directly connect to public indexes. So I'm not sure what the market is.
oblvious-earth
·السنة الماضية·discuss
It does not work EXACTLY how pip works, big differences are covered here: https://docs.astral.sh/uv/pip/compatibility/

Some of these are uv following the standards while pip is still migrating away from legacy behavior, some of these are design choices that uv has made, because the standard is underdefined, it's a tool specific choice, or uv decided not to follow the standards for whatever reason.
oblvious-earth
·السنة الماضية·discuss
PDM has plugins, such as being able to invoke conda commands: https://github.com/pdm-project/awesome-pdm

Otherwise I don't know what they're talking about, it is indeed a Python package manager.
oblvious-earth
·قبل سنتين·discuss
If you're concerned about dependency confusion attacks you should host your own index and vet what goes on to it.

But there is a better solution coming, PEP 708 was developed for this and is in prototype on pypi.org, so it's an overstatement to say "don't even have a way to avoid dependency confusion attacks ".

It is, however, a non-trivial problem, and more solutions will likely come over the years, many Python packaging tools like uv and poetry (and likely others) have way to name indexes and pin specific packages to indexes, which appears to be a promising UX.
oblvious-earth
·قبل سنتين·discuss
No, it looks like it's been available on GitHub for a while, but development wasn't done there: https://star-history.com/#nginx/nginx&Date
oblvious-earth
·قبل سنتين·discuss
Thanks for the update, unfortunately I can no longer edit my top comment or title to reflect this.

Would be happy for admin to do so, if that's something that's done on this site.
oblvious-earth
·قبل سنتين·discuss
The original text stated:

> I don’t know much about voting systems, but I know someone who does. Unfortunately he’s currently banned. Maybe we can wait until his 3-month ban expires and ask him for advice?

Currently, the text reads:

> This post was flagged by the community and is temporarily hidden.

Since it has been hidden for more than 24 hours, this suggests that a moderator action has marked it as permanently hidden. Due to a recent decision, this means no one outside of the moderators or admins can view it: https://discuss.python.org/t/moderated-posts-are-no-longer-p...

Edit: I meant to post slightly more direct link in title: https://discuss.python.org/t/should-we-consider-ranked-choic...

Edit 2: Some comments suggest that Guido was banned from posting, but this is not accurate. I have edited the title from "Guido van Rossum's Post Removed for Violating Python Community Guidelines" to "A Post by Guido van Rossum Removed for Violating Python Community Guidelines" to clarify what actually happened.
oblvious-earth
·قبل سنتين·discuss
pip will not do that, it will attempt to use the latest version under the user requirements, only if there is a conflict between two packages will it backtrack on old versions of a package, uv does exactly the same.

Further, if a package index supports PEP 658 metadata, pip will use that to resolve and not download the entire wheel.

uv does the same but adds extra optimizations, both clever ones that pip should probably adopt, and ones which involve assumptions that don't strictly comply to the standards, which pip should probably not adopt.
oblvious-earth
·قبل سنتين·discuss
I would say, as someone who works on performance of pip, no one else was able to reproduce OPs severe performance issue, not saying it didn't happen, just it was an edge case on specific hardware (I am assuming it was this issue https://github.com/pypa/pip/issues/12314).

Since it was posted a lot of work was done on areas which likely caused performance problems, and I would expect in the latest version of pip to see at least a doubling in performance, e.g. I created a scenario similar to OPs that dropped from 266 seconds to 48 seconds on my machine, and more improvements have been made since then. However OP has never followed up to let us know if it improved.

Now, that's not to say you shouldn't use uv, it's performance is great. But just a lot of volunteer work has been put in over the last year (well before uv was announced) to improve the default Python package install performance. And one last thing:

> for a non-compiler language?

Installing packages from PyPI can involve compiling C, C++, Rust, etc. Python's packaging is very very flexible, and in lots of cases it can take a lot of time.
oblvious-earth
·قبل سنتين·discuss
Write an issue on their GitHub if you don't already see one, they're very responsive
oblvious-earth
·قبل سنتين·discuss
> I doubt the typical LSP servers will be aware of dependencies specified in that way and so won't offer autocompletion etc for those libraries.

Given this is a recently accepted standard (PEP 723), why would language servers not start to support features based on it?