Hacker News new | ask | show | jobs
by FridgeSeal 1798 days ago
That people weren’t version-pinning critical dependencies was the most eye-opening thing about that whole affair. The tools to make this easy have been available and well-used for years, don’t have a lot of sympathy for them.
1 comments
fnord123 1797 days ago
Well people think they are pinning their critical dependencies by using a requirements.txt file. But it normally the transient dependencies are not listed. And anytime you rebuild a

You probably know this but for people reading along who think using requirements.txt is the same thing: it is not.

How lockfiles work is that you define your dependencies in a file like pyptoject.toml or Pipfile (similar to a Cargo.toml). You then use pipenv or poetry or pants to compute all the dependent versions of your dependencies and transient dependencies. Then that's saved in a lockfile. Any time you need to remake a venv for local Dev or rebuild a docker container or install deps for CI is uses the same locked versions from the lockfile. Only when you decide to recompute the dependencies do the transient dependencies change in the lockfile.

Sadly, a standard lockfile was rejected from PEP-650, held back by pip being woeful:

https://www.python.org/dev/peps/pep-0650/#a-standardized-loc...

link
FridgeSeal 1796 days ago
That link was a very frustrating read hahaha

> Additionally, pip would not be able to guarantee recreating the same environment (install the exact same dependencies) as it is outside the scope of its functionality.

Well then, maybe fix it? Because clearly it’s an issue? A good chunk of that explanation really reads like “ehhhh, can’t really be bothered fixing this”, which makes sense given the Python devs approach to the last couple of Python versions: no fixes for anything important, just more half-baked features nobody asked for.

link
fnord123 1795 days ago
>Python versions: no fixes for anything important, just more half-baked features nobody asked for.

Oh god, tell me about it! 'Hey guise I heard pattern matching in rust and Scala and Haskell is popular! Let's add it to python but with no compile time checks to make sure matches are exaustive!'

Some excellent and smart devs who I really do respect worked really hard to deliver a complete dog shit feature while pip languishes for almost a year with a broken version resolver [1]. It's so frustrating. :( :( :(

[1] https://github.com/pypa/pip/issues/9187

link