Python packaging and its tools
Posted Mar 2, 2023 16:31 UTC (Thu) by NN (subscriber, #163788)
Parent article: Python packaging and its tools
Like, coming from JS and with a very superficial knowledge of Python, the core question for me is: why can't you have something like npm for Python? What sacrifices would you have to make?
Posted Mar 2, 2023 18:10 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (16 responses)
* History.
"History" basically boils down to this: When Python was first getting started as a Real Languageā¢, language-specific package management wasn't really a thing. As a result, they did not provide any native tooling for it, and everyone just sort of figured out their own solution, or let their Linux distro do it for them. They have been trying to untangle the resulting technical debt for the last couple of decades or so, but nobody seems to agree on how, or even whether, to standardize a solution.
C extensions are a more interesting issue. Compiling and distributing C extensions is complicated, because you don't know what libraries (and versions of libraries) will be available on the target machine. That leaves you with four options:
1. Pick a "reasonable" set of libraries and versions that are "probably" installed. This is basically what manylinux does, and it's why it's called "many" rather than "all." The drawback is that this is probably going to be a fairly small set of relatively old libraries, so it doesn't really solve the problem very thoroughly.
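As an aside on where the "manylinux" name shows up in practice: a wheel's filename encodes its compatibility tags (per PEP 427, in the form distribution-version-python-abi-platform), and the platform slot is where the manylinux baseline is declared. A small sketch using an illustrative (not real) filename:

```python
# A wheel filename encodes distribution-version-python-abi-platform (PEP 427).
# The filename below is illustrative of a typical manylinux wheel on PyPI.
name = "numpy-1.24.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"

# Strip the ".whl" suffix and split into the five tag components.
dist, version, python_tag, abi_tag, platform_tag = name[:-4].split("-")

print(python_tag)    # cp311: built for CPython 3.11
print(platform_tag)  # the manylinux baseline this wheel promises to run on
```

The platform tag is exactly the "reasonable set of libraries and versions" promise: a `manylinux_2_17` wheel claims to work on any Linux with glibc 2.17 or newer.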
Posted Mar 2, 2023 18:58 UTC (Thu)
by k8to (guest, #15413)
[Link] (5 responses)
As a Python developer, my frustration is that I want to deliver complete running packages to users. I want to give them a tar and/or zip that unpacks and works, yet the (Python) libraries I end up needing tend to document only pip as a means of getting them working, and pip tends to lean towards assuming a local install. The ecosystem also tends to shift dependencies semi-often.
So it feels like I end up crafting my own bad packaging hacks on top of the packaging tools, excising unwanted C extensions and so on, just to get a runs-everywhere redistributable. This approach feels fragile and foolish, but asking my customers to become pip experts is a non-starter.
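For pure-Python applications, the standard library's zipapp module can get close to the unpack-and-run goal described above: it packs a directory into a single .pyz file that runs anywhere a compatible interpreter exists (it does not help with C extensions, which is the hard part the commenter is fighting). A minimal sketch with a made-up one-file app:

```python
import pathlib
import subprocess
import sys
import tempfile
import zipapp

# Build a tiny throwaway app directory, then pack it into a single .pyz.
with tempfile.TemporaryDirectory() as d:
    app = pathlib.Path(d) / "app"
    app.mkdir()
    # __main__.py is the entry point zipapp runs by default.
    (app / "__main__.py").write_text("print('hello from a zipapp')")

    target = pathlib.Path(d) / "app.pyz"
    zipapp.create_archive(app, target)

    # The .pyz is a single redistributable file; run it like a script.
    out = subprocess.run([sys.executable, str(target)],
                         capture_output=True, text=True)
    print(out.stdout.strip())  # hello from a zipapp
```

Pure-Python dependencies can be vendored into the app directory (e.g. with `pip install --target`) before archiving; compiled extensions are where this approach breaks down.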
Sometimes it feels like the easiest path is to rewrite my key selling applications in something other than Python, but there are many years of sunk cost there.
Posted Mar 2, 2023 23:50 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link]
Posted Mar 3, 2023 9:48 UTC (Fri)
by cyperpunks (subscriber, #39406)
[Link]
Unless you have very deep knowledge of C, shared libraries, Rust, and Python on all target platforms (macOS, Windows, and a series of Linux distros), it can't be done. It's just more or less impossible to distribute software written in Python this way.
Posted Mar 11, 2023 7:06 UTC (Sat)
by auxsvr (guest, #120007)
[Link] (1 responses)
Posted Mar 13, 2023 17:10 UTC (Mon)
by mathstuf (subscriber, #69389)
[Link]
Posted Apr 20, 2023 12:45 UTC (Thu)
by Klavs (guest, #10563)
[Link]
If you want to take that on - then docker (or podman etc.) container images is probably the way to go.
Posted Mar 3, 2023 7:10 UTC (Fri)
by LtWorf (subscriber, #124958)
[Link]
such as the entire rust toolchain as well
Posted Mar 3, 2023 17:22 UTC (Fri)
by sionescu (subscriber, #59410)
[Link] (7 responses)
Imagine if there were a universal package manager that worked across languages and allowed integrators to specify dependencies such as a Go library build-depending on an R script, which depends on a Python script that depends on the Python interpreter, which depends on a C compiler and a bunch of C libraries, etc.
That would make life easier for all languages and for distribution maintainers. But right now the best contender for a universal build system is Bazel, and imagine what the users of those languages would say at the prospect of depending on a Java project.
Posted Mar 3, 2023 17:56 UTC (Fri)
by pizza (subscriber, #46)
[Link] (1 responses)
I don't think Perl should be on this list: not only does it predate Linux itself (Perl 4 was released five months before Torvalds announced his Linux kernel), it has always striven to play (and integrate) well in others' sandboxes, as befits its initial focus as a "glue" language.
Also, I recall that Perl has had, for quite some time (at least a decade, likely longer), tooling to automagically generate debs and RPMs from arbitrary CPAN packages, including proper dependencies. That provides the basis for most of what's packaged in RH/Fedora-land.
Posted Mar 5, 2023 2:33 UTC (Sun)
by cozzyd (guest, #110972)
[Link]
Posted Mar 5, 2023 9:04 UTC (Sun)
by NYKevin (subscriber, #129325)
[Link]
* You know what all of your dependencies are.
It's the last bullet point that tends to become a problem for people. There's always that one thing that has a ridiculous build process.
Posted Mar 7, 2023 6:12 UTC (Tue)
by ssmith32 (subscriber, #72404)
[Link] (3 responses)
How about apt or yum?
They work across languages and are far closer to universal. They would certainly make life easier for distributions, if people just, you know, used the package manager provided with the distribution. They certainly check all the boxes you asked for.
If you're gonna harp on languages' obsession with having their own package managers, pitching a build tool that came out of Google's obsession with having its own... everything... is gonna generate a few funny looks.
Also, build tools are not package management. Or at least they shouldn't be.
Posted Mar 7, 2023 10:56 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
Neither apt nor yum is a package manager - they're repository-handling tools built atop the dpkg and RPM package managers. And dpkg and RPM don't supply a build system - at core, they specify a way to run a build system, and then how to find the files produced by the build to turn into a binary package.
Once you have a build system, you have one problem to solve: how do I track down my dependencies and integrate them into my build? If you use distribution package managers, you end up with two problems:
Given that reusing the distribution package manager doesn't solve a problem, but does add one more, why would I do that?
Posted Mar 8, 2023 0:17 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
They don't solve the problem of reproducible builds. By default, they will install the latest available versions of packages. So in practice every build environment will be slightly different.
It's possible to hack up a system that will add a "lockfile" with exact package versions that you can install in a container, but I'm not aware of any large-scale system using this approach.
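The "lockfile" idea sketched here is just: snapshot exact versions at build time, then verify (or replay) them in the next environment. A toy illustration of the mechanism - package names and versions are invented, not real dpkg output:

```python
import json
import os
import tempfile

# Pretend snapshot of "dpkg-query -W"-style output: package -> exact version.
installed = {"openssl": "3.0.8-1", "zlib1g": "1:1.2.13.dfsg-1"}

# At build time, record the snapshot as a lockfile.
lock = os.path.join(tempfile.mkdtemp(), "packages.lock")
with open(lock, "w") as f:
    json.dump(installed, f)

# Later, in a fresh container, read the lockfile back and verify that the
# environment matches it exactly (a real tool would instead install
# "name=version" pins from it).
with open(lock) as f:
    wanted = json.load(f)
assert wanted == installed
print("environments match")
```

On Debian-style systems the snapshot half can be as simple as `dpkg-query -W -f '${Package}=${Version}\n'`, whose `name=version` lines apt-get can install directly; the hard part, as the comment says, is doing this at scale when mirrors drop old package versions.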
Posted Mar 9, 2023 5:17 UTC (Thu)
by pabs (subscriber, #43278)
[Link]
Posted Mar 11, 2023 11:17 UTC (Sat)
by deltragon (guest, #159552)
[Link]
* C extensions.
2. Vendor and/or statically link everything, like Rust and Go. Now all of the distros hate your guts because they have to unvendor your work. OTOH, there is a reason that multiple other languages have reached this conclusion. Distros may just have to learn to live with vendoring.
3. Make your own private enclave on the target machine, where you can install whatever libraries you want, and package those libraries yourself. In other words, you basically roll your own package management, not just for Python, but for C libraries and all other dependencies. This is what Conda does, and I imagine the distros would hate this even more than (2), if all Python software were distributed like that. Fortunately, most things are packaged for both Conda and Pip, so distros can just quietly pretend it doesn't exist.
4. Distribute source code, and if it doesn't compile, it's the user's problem. This is what Pip does in practice (whenever manylinux is inadequate).
So either you have to test for specific distros, and then security updates are managed by the owner of the system... or you package it all, and YOU bear that responsibility.
* You can enumerate all of them in a reasonable, machine-readable format.
* Preferably, your build process is at least halfway sensible. It doesn't "care" that much about the build environment, working directory, filesystem mount options, phase of the moon, etc., and just looks at the source code you tell it to.
* Everything is amenable to build automation. Nothing requires a human to e.g. click a button in a GUI, faff about with hardware, etc. just to build a binary.
* You want reproducible builds, or at least reproducible-by-default builds.
* You are willing to treat all of the above as strict requirements of all artifacts in your dependency graph, all the way down to raw source code of everything (or binary blobs, if you have binary blobs). You are willing to fix "irregular" build processes rather than accepting them as technical debt.
It used either prebuilt binaries or node-gyp to compile on the user's machine at install time, and seeing how popular node-sass was/still is, that seems to have worked out.