On Thu, Nov 19, 2020 at 10:46:50PM -0800, Brendan Barnwell wrote:
> Yes, that's correct. All of what you described is how ordinary apps work. If I install a program and it has a bug or security vulnerability, then I am affected by that vulnerability. Having a way to install a Python program as a program in its own right means that it will also work that way. So what? That's how programs work.
Not all programs. There are many development languages that provide a separate development and runtime environment (e.g. Mathematica and Wolfram Player). Or your programs run in a browser, like many notebook apps. There are definite trade-offs in the choice of static bundled apps versus dynamically linked apps with some sort of player or runtime environment. One solution does not fit all.
> The goal of such an application-distribution mechanism is to detach the program as fully as possible from any dependence on the existing software environment (i.e., ideally all it needs to know is what OS it's being installed on), so that the user can install it without giving any thought whatsoever to what other programs they might or might not have installed before or after. I think that is an important goal for making Python competitive in the realm of user-facing applications.
If that's really what you want, you probably should look at making a way to run Python apps in the browser. Everyone has an OS, everyone has a browser, GUI browsers have similar-looking look-and-feels, and the days when devs assumed Internet Explorer are long gone. Having Python run in the browser is a dream for many people. I wouldn't trust random websites to run Python code in my browser, but if I trusted an app enough to install it, there's no real difference security-wise between running it in a browser and running it in a Python interpreter or a stand-alone executable.
> Whether that's to be achieved with PyInstaller or something else isn't clear to me, but I disagree strongly with the idea that dependency-bundling and native-installing shouldn't be in the stdlib. It would be great if they were included in some form or fashion.
From the PyInstaller downloads page: https://www.pyinstaller.org/downloads.html

"Maintaining PyInstaller is a huge amount of work."

The latest PyInstaller download on PyPI is 3.5MB. Using that as a rough measure of the complexity of the project, adding it to CPython would increase the complexity of CPython by about 12%.

-- Steve