On Fri, Nov 20, 2020 at 6:06 PM Brendan Barnwell <brenbarn@brenbarn.net> wrote:
> Yes, that's correct. All of what you described is how ordinary apps work. If I install a program and it has a bug or security vulnerability, then I am affected by that vulnerability. Having a way to install a Python program as a program in its own right means that it will also work that way. So what? That's how programs work. The fact that my program happens to depend on Python under the hood doesn't magically make it any different than other programs. So, again, an executable-creating library is just a way to make Python programs work like ordinary programs work.
>
> You've mentioned this objection at least twice now and I still don't see it having any real relevance. All kinds of programs have bugs and vulnerabilities. There is no special reason why someone should expect a program to shield them from bugs or vulnerabilities in that program's underlying components, whether that program is written in Python or any other language.
So what you're saying is: "Everyone else who distributes native executables has these problems, so Python apps distributed as native executables will have these problems". Yes. Of course they will. But a Python app distributed as a .py file or a .pyz archive *won't* have these problems. Is that of no value?

The special reason is the entire point of language interpreters. Let's suppose that there's a vulnerability discovered in the V8 JavaScript interpreter (the one behind Node.js and Google Chrome and such). Does everyone who's ever published a web app now have to push out a new version? Certainly not, and I think many web devs would be offended at the mere suggestion. They expect that a browser update will automatically fix it, and it should! Why should Python apps *not* take advantage of this separation?

You've mentioned this objection to my objection multiple times too, and I don't understand why you think that more vulnerabilities isn't a problem. There is no special reason why someone should expect a program to have more bugs or vulnerabilities because it's distributed as an app rather than made available through a web browser (aside from the restrictions of web browsers themselves, of course, but that's beside the point).

ChrisA
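The practical consequence of the distinction drawn above (a frozen executable carries its own copy of the interpreter, a .pyz runs on whatever interpreter is installed) is that after an interpreter fix ships, a defender needs an inventory of which deployed artifacts still embed the old interpreter. The script below is an added example written for this page, not code from the thread or from any packaging project. It assumes that frozen executables contain a CPython binary, and that CPython embeds its `sys.version` string in the form `"X.Y.Z (build info) \n[compiler]"`; the sample artifacts it scans are constructed in memory, and the `fixed_in` version is a hypothetical parameter, not a real advisory.

```python
"""Inventory embedded CPython interpreters in distributed artifacts.

Added example, not part of the python-ideas thread. Assumptions:
  * a frozen executable (PyInstaller, cx_Freeze, ...) contains a copy of the
    CPython binary, which embeds its sys.version string, e.g.
    "3.8.10 (default, Nov 14 2022, 12:59:47) \n[GCC 9.4.0]";
  * a .pyz zipapp is a zip file (optionally prefixed with a shebang line)
    and embeds no interpreter at all.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the sys.version layout "X.Y.Z (build info) \n[compiler]".
# The bounded character classes keep the scan cheap on large binaries.
_VERSION_RE = re.compile(
    rb"\b(3\.\d{1,2}\.\d{1,3})\s*\([^)]{1,80}\)\s*\[[^\]]{1,80}\]"
)


@dataclass
class Finding:
    name: str
    kind: str                    # "frozen", "zipapp" or "unknown"
    embedded_python: Optional[str]
    needs_rebuild: bool          # True when the bundled interpreter predates the fix


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "3.8.10" into (3, 8, 10) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def embedded_cpython_version(blob: bytes) -> Optional[str]:
    """Return the first CPython version string found in a binary, if any."""
    m = _VERSION_RE.search(blob)
    return m.group(1).decode("ascii") if m else None


def classify(name: str, blob: bytes, fixed_in: str) -> Finding:
    """Decide whether an artifact ships its own interpreter and whether
    that interpreter is older than the version the fix landed in."""
    # zipapp: zipfile.is_zipfile() reads the end-of-central-directory record
    # from the end of the data, so a leading "#!/usr/bin/env python3" line
    # does not confuse it.
    if zipfile.is_zipfile(io.BytesIO(blob)):
        return Finding(name, "zipapp", None, False)
    ver = embedded_cpython_version(blob)
    if ver is None:
        return Finding(name, "unknown", None, False)
    return Finding(name, "frozen", ver, parse_version(ver) < parse_version(fixed_in))


def inventory(artifacts: Dict[str, bytes], fixed_in: str) -> List[Finding]:
    """Classify every artifact; returns the findings in input order."""
    return [classify(name, blob, fixed_in) for name, blob in artifacts.items()]


# ---- constructed sample artifacts (not real binaries) -------------------
def _sample_zipapp() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("__main__.py", "print('hello from a zipapp')\n")
    return b"#!/usr/bin/env python3\n" + buf.getvalue()


SAMPLE_PYZ = _sample_zipapp()
# Fake ELF-looking blob with a CPython version string somewhere inside it.
SAMPLE_FROZEN = (
    b"\x7fELF" + b"\x00" * 64
    + b"3.8.10 (default, Nov 14 2022, 12:59:47) \n[GCC 9.4.0]"
    + b"\x00" * 64
)
SAMPLE_UNKNOWN = b"MZ" + b"\x90" * 128      # no embedded interpreter string

if __name__ == "__main__":
    # Hypothetical fixed version; substitute the version named in a real advisory.
    for f in inventory(
        {"app.pyz": SAMPLE_PYZ, "app-linux": SAMPLE_FROZEN, "tool.exe": SAMPLE_UNKNOWN},
        fixed_in="3.8.11",
    ):
        print(f"{f.name:12} {f.kind:8} python={f.embedded_python} rebuild={f.needs_rebuild}")
```

Only the `frozen` entries need a new release from the app's publisher; the `zipapp` entry is fixed by updating the system interpreter, which is exactly the separation the reply above argues for. Artifacts classified as `unknown` should be checked by hand, since a packer or compression step may hide the version string from a plain byte scan.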