On Fri, 20 Nov 2020 at 08:55, Chris Angelico
On Fri, Nov 20, 2020 at 6:06 PM Brendan Barnwell
wrote: You've mentioned this objection at least twice now and I still don't see it having any real relevance. All kinds of programs have bugs and vulnerabilities. There is no special reason why someone should expect a program to shield them from bugs or vulnerabilities in that program's underlying components, whether that program is written in Python or any other language.
So what you're saying is: "Everyone else who distributes native executables has these problems, so Python apps distributed as native executables will have these problems". Yes. Of course they will. But a Python app distributed as a .py file or a .pyz archive *won't* have these problems. Is that of no value?
Of course it is. But it's not the *only* consideration. What you seem to be doing is dismissing any possibility that in some circumstances, the balance is in favour of bundled executables over zipapps. The discussion here (at least this part of it) is about those situations where zipapps aren't a useful solution. So *by definition*, zipapps aren't relevant as an option in that case. You may not think that any such cases exist. Fair enough. But those of us that do are trying to discuss ways to handle those situations, and saying "that will never happen" or equivalently "do you mean zipapps" repeatedly, isn't helping.
The special reason is the entire point of language interpreters. Let's suppose that there's a vulnerability discovered in the V8 JavaScript interpreter (the one behind Node.js and Google Chrome and such). Does everyone who's ever published a web app now have to push out a new version? Certainly not, and I think many web devs would be offended at the mere suggestion. They expect that a browser update will automatically fix it, and it should! Why should Python apps *not* take advantage of this separation?
It's hardly the *entire* point, but I agree it's a benefit of them. And web development is *far* from being the only use for Python. And tools like VS Code (written with Node.js, I believe) bundle the V8 engine, so contrary to the point you're trying to make, Javascript could be viewed as an example of why Python needs a way to bundle apps... Paul