Hacker News new | ask | show | jobs
by blibble 1217 days ago
> Amazon is the the easy case with `com.amazon`, but it isn't clear a priori whether you should trust `net.coolguy.importantpackage` or `net.cooldude.importantpackage`

this is a classic example of not letting perfect be the enemy of good

there is no perfect solution, there never will be

piggybacking off of DNS works extremely well for Java and Go (and the tooling is a pleasure to work with)

meanwhile Python continues to be a complete disaster
1 comments
woodruffw 1217 days ago
I agree there is no perfect solution. But I want a good solution, and I disagree that DNS is a good one.
link
blibble 1217 days ago
I look forward to another 20 years of no progress!
link
woodruffw 1217 days ago
Your cynicism isn't warranted: we've made significant improvements to PyPI over the last 4 years[1][2], and I'm currently working on additional features that will make secure publishing to PyPI easier[3]. We're also working on a codesigning implementation for PyPI, based on Sigstore[4].

Security needs to be evidence and outcome-driven, first and foremost. That takes a while, but improved outcomes make it worth it.

[1]: https://pyfound.blogspot.com/2019/06/pypi-now-supports-two-f...

[2]: https://pythoninsider.blogspot.com/2019/07/pypi-now-supports...

[3]: https://github.com/pypi/warehouse/issues/12465

[4]: https://www.sigstore.dev/

link
blibble 1217 days ago
> That takes a while, but improved outcomes make it worth it.

meanwhile the integrity of the supply chain continues to be compromised

> Your cynicism isn't warranted

it is: the python packaging situation is worse today than it was when I started writing Python in 2005

the legions of meetings, grandiose titles, conferences and mountains of unreadable proposals have produced tooling that is objectively worse than what Maven offered close to two decades ago

link
woodruffw 1217 days ago
In 2005, PyPI didn’t even host packages. It was an index that pointed you to the HTTP-only host that served the distribution. As far as I know, even basic hash checking wasn’t added until a decade later.

I have no opinions about titles, etc. But saying that Python packaging was better in 2005 is incorrect along all axes.

link