this post was submitted on 13 Oct 2023
304 points (80.8% liked)

Programmer Humor

32596 readers
488 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
 

Sorry Python but it is what it is.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 120 points 1 year ago* (last edited 10 months ago) (4 children)
[–] [email protected] 55 points 1 year ago (1 children)

npm is objectively worse. Base pip packages aren't getting hijacked.

[–] [email protected] 23 points 1 year ago (1 children)

Maybe I’m misremembering, but didn’t pip have it’s own security concerns earlier this year?

[–] [email protected] 6 points 1 year ago (1 children)

I believe that was just name squatting.

[–] [email protected] 6 points 1 year ago (1 children)

It’s less the name squatting and more pip not supporting a certain PyPI resolution order: https://github.com/pypa/pip/issues/8606

For example, I have A, B and C in my requirements.txt but I want to install C from my own private PyPI. Everything works fine until someone uploads a package name C to the public PyPI then suddenly I’m not installing my private package anymore.

[–] [email protected] 2 points 1 year ago

Yeah, I remember now. the name squatting was from people putting malicious packages under misspelled names of well known packages, like "requets" instead of requests.

[–] [email protected] 50 points 1 year ago (1 children)

That's not a controversial opinion. I'd say it's worse than pip. At least pip doesn't put nag messages on the console or fill up your hard drive with half a gigabyte of small files. OP is confused.

[–] [email protected] 12 points 1 year ago (1 children)

npm is so good there are at least 3 alternatives and every package instructs on using a different one.

[–] [email protected] 1 points 1 year ago

About the only good thing about npm is that I can use one of the superior alternatives. Using npm is almost always a headache as soon as you start working with a decent number of packages.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (4 children)

In my experience npm is not great but it does work most of the time. I just tried installing bunch of stuff using pip and NONE of them worked. Python is backwards compatibility hell. Python 2 vs 3, dependencies missing, important libraries being forked and not working anymore. If the official installation instructions are 'pip install X' and it doesn't work then what's the point?

npm has A LOT of issues but generally when I do 'npm i' i installs things and they work.

But the main point is that cargo is just amazing :)

P.S. Never used ruby.

[–] [email protected] 42 points 1 year ago (2 children)

Well there’s your problem lol.

Don’t use 2 for anything, it’s been “dead” for almost 4 years.

[–] [email protected] 7 points 1 year ago (2 children)

The problem is 2 and modules for 2 still tend to worm their way in somehow. I always use python3 -m pip because I never trust that "pip" alone is going to be python3 pip and I think that's what the people who have lots of trouble with pip aren't doing.

[–] [email protected] 3 points 1 year ago

Valid point.

I force everything to 3 and don’t accept any 2.

And in fairness, there were some moderate breaking changes 3.6-3.8

[–] [email protected] 3 points 1 year ago

It would be weird to have python2-pip installed if you don't have python2 installed, pip should be python2-pip by default on most systems.

I... Dunno, are you suggesting that sometimes pip2 is the default and that that somehow mixes 2 and 3 modules? Pip 2 should install into python 2's directory and pip 3 to python 3's. The only times I have had messy python environments is when I mix pipenv, conda and/or pip, and when people install into the main python with specific versioning, use a virtual env for God's sake, that's what npm does.

[–] [email protected] 2 points 1 year ago (1 children)

Ahh the blissful ignorance of not having to manage tech debt

[–] [email protected] 1 points 1 year ago

No, I just don’t ignore it for 4 years.

The bliss is in having management that actually DOES manage the debt instead of ignoring it until it shits the bed

[–] [email protected] 25 points 1 year ago (1 children)

I don't think it's fair to blame pip for some ancient abandoned packages you tried to use.

[–] [email protected] -3 points 1 year ago (1 children)

The issues I had:

  • packages installing but not working due to missing dependencies
  • packages installing but not working due to broken dependencies (wrong lib version installed)
  • packages not building and failing with obscure errors
  • one package was abandoned and using Python 2.7

If a 'pip install X' completes successfully but X doesn't work it's on pip. And when it fails it could tell you why. Cargo does.

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago)

packages installing but not working due to missing dependencies

This is the fault of the package author/maintainer

packages installing but not working due to broken dependencies

Sometimes the fault of the package author/maintainer. Sometimes this is the fault of a different package you're also trying to use in tandem. Ultimately this is a problem with the shared library approach python takes and it can be 'solved' by vendoring within your own package.

packages not building and failing with obscure errors

Assuming the package is good, this is a problem with your build system. It's like complaining a make file won't run because your system doesn't have gcc installed.

one package was abandoned and using Python 2.7

Unfortunately there's a ton of this kind of stuff. I suppose you can blame pypi for this, they should have some kind of warning for essentially abandoned projects.

[–] [email protected] 7 points 1 year ago

Hmm, I personally haven't seen that kind of issue myself though. I also tend to not use random packages from random authors though, so that might help.

[–] xmunk 2 points 1 year ago* (last edited 1 year ago)

I'd personally take PECL over npm and I loathe PECL.

Composer, though, is excellent.