• Soviet Pigeon@lemmygrad.ml · 6 days ago

    Why for open source? A lot of important libraries are open source and have been for a very long time. Here we have compromised libraries in the npm repository. NodeJS is also used in closed source applications. A supply chain attack could also happen in Python. Golang simply uses GitHub, which offers a lot of possibilities for a compromise - also used in this supply chain attack.

    The difference is that in NodeJS people use a lot of packages as dependencies, even for stupid tasks like the legendary isEven. It’s dependency hell.

    • burlemarx@lemmygrad.ml · 5 days ago

      I think Python has a better overall philosophy with the batteries included concept. It’s good to have a comprehensive set of libraries which don’t need to rely so much on third-party libraries, or where these third-party projects solve very specific problems and are well known. The Node.js ecosystem, on the other hand, is a huge mess…

      I mean bad PR for open source because those issues are happening more and more frequently. And the widespread use of open source means more good and bad actors are posting their code on GitHub, and most of the people who use it aren’t aware of all the issues.

      • Soviet Pigeon@lemmygrad.ml · 5 days ago

        I think Python has a better overall philosophy with the batteries included concept.

        But you still have dependency hell there. The NodeJS ecosystem is a mess, but I wouldn’t say Python is that much better. All this virtual environment stuff is annoying as well. And making a mistake while typing a package name to install can also lead to a compromise. However, my point is that all this is not bad PR for open source.

        NodeJS is a framework. And the language used in NodeJS is open source as well. And this is normal. C, C++, Python, Rust, Perl, etc. are free to use. How can it be bad for open source if there are security risks in the ecosystem of a language?

        And the widespread use of open source means more good and bad actors are posting their codes in GitHub and most of people who use it aren’t aware of all the issues.

        Look here. Is this also bad for open source? I mean, these are security problems. GitHub is just a repository hosting provider. Even if my repo is private, the same things could happen.

        And we are talking about libraries. It is almost normal that libraries used in a project have an open source licence. While it is not that normal that open source software is used.

        I think it is again bad PR for npm. But not for open source. And indeed, if I find a cool software but it is based on NodeJS, I will rather not use it. The ecosystem is bad and it is still JavaScript.

      • chgxvjh [he/him, comrade/them]@hexbear.net · 5 days ago

        Batteries included is long dead in Python.

        Tkinter is dead.

        Nobody uses plain urllib.

        Everyone has been recommending lxml over the built in XML module for as long as I remember.

        And these are just observations you could have made a decade ago too. More recently (well, 5 years ago) I’d say the most damning thing is the removal of distutils without promoting setuptools to the status of a core library. Python now doesn’t even include the tools to build a Python module.

        • CriticalResist8@lemmygrad.ml · 5 days ago

          Python’s a huge mess. I mean, virtual environments started because just having the wrong libraries together on the system could break either one of them. On newer Linux distros they discourage you from installing pip system-wide because the distros rely so much on Python that you could break something. So instead you do everything through venvs, which is a cool mess to sort out when you want something to work system-wide and it has to go through the venv.

          Or some libraries exist as apt packages, but only like 10 of them it seems, so it’s just easier to set up a venv anyway.

          And upgrades to Python not being incremental, meaning you need like 3 different versions of it installed because this one program needs 3.11 not 3.12, remembering which one to call, remembering which one needs to be the default system-wide and making sure it stays that way…

        • burlemarx@lemmygrad.ml · 5 days ago

          Good to know… I don’t use Python very often, so I’m always a bit oblivious of the recent changes. I’m mainly a Java developer (or Kotlin, when the employer is generous and lets me pick the language). In this regard, the JVM ecosystem seems to be a bit less chaotic. The Maven and Gradle approaches seem to be less of a mess than what I find in other ecosystems. The main issues in this ecosystem are some widely used behemoths like the Spring framework and Java EE, which often encapsulate and integrate other libraries in all sorts of creative ways and which can cause a big dependency hell if devs don’t consider their choices carefully.

          By the way, which is the better tool for virtual envs in Python nowadays? Pipenv or venv?

          • chgxvjh [he/him, comrade/them]@hexbear.net · 5 days ago

            I’d say Java is more batteries included than Python (not sure how that has been changed by Java 9 and later).

            I never liked any frameworks that take over the main method. My first instinct working with Java frameworks was always to find the main method and use the debugger to step through all the code until I get to my code. Then try to make sense of everything in between.

            The best virtual env tool in Python right now is probably uv. It will be devastating when Astral decides they need to start making money.