Hacker News new | past | comments | ask | show | jobs | submit login

Yes. I recently had to debug my gf’s entire work computer setup getting fubar’d from installing a pip package at a user level that conflicted with the name of some package used internally by the 10k+/seat/year software the company devices have installed. Proximal cause? The installer “helpfully” failed over to installing at the user level when she didn’t have permissions to write to the place she told it to. Root cause of course is that million dollar fancy fancy enterprise software somehow being unable to give itself an isolated python package namespace, or provide any relevant errors when conflicts occurred.

The python packaging system has to be used in case studies of worst design decisions of all time.




Sigh https://dublog.net/blog/so-many-python-package-managers/


Python has dogshit package management that makes java look well thought out and sane.


> that makes java look well thought out and sane

That's not hard. Java's package management is well thought out and sane.


Well, it's still PATH based, which is much worse than virtual environments (directory scoped) or Nix (well-versioned sharing).


I actually like Python's package management (with just pip and venv). It's different to all other modern solutions, taking a per-shell rather than per-project approach, but that doesn't mean worse.

The advantage is that it's less "magic" than, say, npm. No need for rules saying how to find node_modules, you just have a PYTHONPATH env variable.

The Rust and Java approach is to do everything through a build tool's CLI, and I can't complain about that. It's probably the best compromise: Less magic than npm, and more user-friendly than Python.


What magic is there for finding node_modules? It's in the same directory as package.json. Very similar (though simpler) to how Python modules work.

There's also usually one global package dir, but that's almost exclusively used for runnable binaries, and not even really needed when there's npx.

If you think Python packaging has less magic, you probably don't know it very deeply.

I lost all hope for Python package management to ever get better when PEP 582 got rejected for some stupid tribal reasons.

https://peps.python.org/pep-0582/


I was talking more about the package lookup when running code, via e.g. `node script.js`. I think it looks in all parent directories of the CWD, or maybe of the script? It's not too complicated, but it is "more magic" IMO.

Actually building Python packages is pretty complex, but that's the case for JS too. Java avoids this by distributing compiled libraries.


It looks up from script.js'd directory or the earliest parent with node_modules. Not CWD. A lot like "import somemodule" in script.py tries to import somemodule.py file from the directory script.py is in.

Traversing to the parent is especially nice for scripts. In python having scripts outside the module directory is quite painful.

Gyp is a lot easier than Python setup.py. The "easy" Java packages are comparable to pure Python/pure JS packages. With e.g. C bindings JNI/Java packaging is a horrid pain.


Python's package management makes JavaScript look well thought out and sane.

The bar is so low, you have to excavate it from a landfill of rotten node_modules...


Node.js has (or at least had before the ES6 mess) the sanest and best thought out package manager out there.


NPM’s original sin was making package installation and general management so painless that folks installed micro packages for everything. Can’t really fault the software for that.

The issue was, as you say, the introduction of ESM. It used to be that you required modules one way and one way only (yes there was AMD for advanced use cases, but it was an add-on), then people felt the need to “standardize” that, no we have this mess of ESM and CJS.


I don't see what's wrong with micropackages.


Massive attack surface. That's true as a security risk, but also as a dependency risk (eg. left-pad).


Review and pin your direct dependencies. With transitive dependencies it doesn't differ from trusting large dependencies in general.

The alternative to micropackages has significant downsides. Pulling in extra surface and rolling your own buggy implementations while waiting for some commitee to bikeshed years on the implementation.

Making the right thing easy rather than the wrong thing hard is a lot better approach.


If you don’t vendor your dependencies. Which is a poor practice that is commonly associated with NPM, but is by no means a requirement of the technology.


Especially if…, I should say. Even vendored dependencies are a risk as NPM commits the additional sin of allowing the act of pulling a package onto the local machine for inspection to execute arbitrary code in the form of “postinstall” hooks.


PYTHON @&$!!

The Python community needs to solve this ASAP. This almost weekly pain point has turned a language I used to love in college into one of my most despised languages. The fact that the ML community uses this broken platform is infuriating.

Make a Python version 4 that focuses only on fixing the packaging. 100% per-project hermeticy. No global packages whatsoever. Solve just this issue and bring the entire ecosystem on board. Kill all the various virtualenvs, the anacondas, global packages. All of it.

Learn from Rust/Cargo. That project does it mostly right (sans lack of namespaces and reproducible builds).


As far as I'm concerned, this is the fix: https://github.com/astral-sh/uv


It took 10 years to force a breaking migration from Python 2 to Python 3 in order to handle Unicode...

I have resigned myself to repeatedly smashing my keyboard on the desk until it rains keys in blind rage induced frustration to let off steam and then calmly creating an issue in the appropriate repo instead of allowing even a modicum of hope that this will ever be fixed systemically.


It's never going to be solved. The mess is deeply ingrained in the Python development culture.

https://peps.python.org/pep-0582/


Wouldn’t this end up like the XKCD standards cartoon. You’d have yet another Python package system and even more fragmentation.

https://xkcd.com/927/


If Python users weren't comfortable living in that reality already, they wouldn't still be Python users.


> package used internally by the 10k+/seat/year software the company devices have installed

Sounds like a skill issue that shouldn’t be seen in “10k+/seat/year software.” I wonder what other fails are in it.


Well it constantly crashes and requires every shop to develop their own half-broken way of interfacing between it and other industry-standard software, but at least ~half the pixels you’ve seen in any modern movie or tv show have been touched by it at one point or another. So that’s interesting.


Thats extremely fascinating. What's it used for?


By the books Digital Compositing, but Editors also gravitate towards it for generalist work.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: