[BangPypers] BangPypers Digest, Vol 84, Issue 14

kracekumar ramaraju kracethekingmaker at gmail.com
Wed Aug 20 15:54:04 CEST 2014


On Wed, Aug 20, 2014 at 6:56 PM, Daniel Greenfeld <pydanny at gmail.com> wrote:

> > Date: Wed, 20 Aug 2014 02:09:32 +0530
> > From: kracekumar ramaraju <kracethekingmaker at gmail.com>
> > To: Bangalore Python Users Group - India <bangpypers at python.org>
> > Subject: Re: [BangPypers] "The Python I would like to see" - Armin Ronacher
> > Message-ID: <CAO5c=mk5gkP71+1sW_fC_AxyH+nmjarDOTP3MBSgZfU=HuLWMw at mail.gmail.com>
> > Content-Type: text/plain; charset=UTF-8
>
> > Hi
>
> > I am late to the party, adding my thoughts.
>
> > - Though pip and venv solve the issue to a certain extent, if there are 100+
> > packages that need to be installed, pip will take at least 60 - 90 seconds to
> > check that all the packages are installed, considering the venv has all
> > packages (AWS). Then a deploy will look like code deploy + package install +
> > restart of service. There are high chances requests may pile up if the restart
> > of the service takes more than 30 - 40 seconds if the app is a single page app
> > (initial load during peak hours). Also, if PyPI is down my deployment will
> > fail, and having a PyPI mirror isn't affordable. So far I haven't faced any
> > issue with PyPI, but there were times when npmjs.org was down :-) Yes, you can
> > package all your dependencies in .deb files and distribute them, but there is a
> > cost associated with it. With the golang style of deployment all the
> > installation time and packaging issues are solved with a single binary.
>
> If you are worrying about PyPI dependability, don't use PyPI. Don't
> even use a PyPI mirror! For what it's worth, this also applies to
> RubyGems, NPM, and anything else.
>
> Also, I don't really think of PyPI as secure. The maintainers are
> well-meaning, but AFAIK none of them (even Donald Stufft) are paid
> professionally to maintain PyPI. They are volunteers working on a
> crufty application that's grown organically into security from
> something that was never meant to be secure in the first place.
>
> FWIW, this also applies to RubyGems and NPM. I'm not certain if it
> applies to Go, but I wouldn't be surprised if it does.
>
> So what do you do? How do you host your packages?
>
> 1. Host the packages on your own private server. You don't need all
> the fanciness of a package server (PyPI, NPM, RubyGems, et al). All
> you need is the ability to host files. If you don't want to go through
> the trouble of setting this up with Apache or Nginx, then just set up
> a git repo hosting the eggs/wheels (not GitHub) that your project can
> access.
>
> 2. Purchase the services of a company whose job it is to provide
> SECURED, dependable access to your packages. Off the top of my head I
> can tell you that GemFury does it for Ruby, Python, Node, Go, et al.
>
> Yes, this is extra work, but if you want dependability/security, it's
> the way to go.
>
>
Hmmm. The point I was making was different. Any service can go down; I can't
see why a third-party service or my own service won't go down.
The ability to package the dependencies once all the tests pass is all I
want. If Python wheels or any third-party library can give
me that kind of solution, I am happy.

I am aware of dstufft's work
https://caremad.io/blog/how-has-python-packaging-failed-you/ and
https://warehouse.python.org/. AFAIK PyPI is much
better maintained than NPM and RubyGems.



> Sincerely,
>
> Daniel Greenfeld
> _______________________________________________
> BangPypers mailing list
> BangPypers at python.org
> https://mail.python.org/mailman/listinfo/bangpypers
>



-- 

Thanks & Regards
kracekumar
"Talk is cheap, show me the code" -- Linus Torvalds
http://kracekumar.com
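A build-once, install-offline helper, added here as an example; it is not code from the thread, from pip or from any project mentioned above. It assumes a wheelhouse directory already produced by `pip wheel -r requirements.txt -w wheelhouse` after the test suite passed, and emits a hash-pinned requirements file that `pip install --no-index --find-links wheelhouse --require-hashes -r pinned.txt` will reject if any wheel was swapped, so a plain self-hosted file server (point 1 above) needs no trust beyond serving the bytes; the `demo_pkg` wheel written by `demo()` is a constructed placeholder, not a real wheel.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large wheels are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_wheel_name(filename: str) -> tuple:
    """Split {dist}-{version}(-{build})?-{py}-{abi}-{plat}.whl into (name, version)."""
    parts = filename[: -len(".whl")].split("-")
    if not filename.endswith(".whl") or len(parts) not in (5, 6):
        raise ValueError(f"unexpected wheel filename: {filename}")
    # Wheel filenames escape '-' in the project name as '_'; undo that and lowercase.
    return parts[0].replace("_", "-").lower(), parts[1]


def pin_wheelhouse(wheelhouse: Path) -> str:
    """One 'name==version --hash=sha256:...' line per wheel, in sorted order."""
    lines = []
    for whl in sorted(wheelhouse.glob("*.whl")):
        name, version = parse_wheel_name(whl.name)
        lines.append(f"{name}=={version} --hash=sha256:{sha256_of(whl)}")
    return "\n".join(lines) + "\n"


def verify_wheelhouse(pinned: str, wheelhouse: Path) -> list:
    """Same check pip makes under --require-hashes: return the pinned lines whose
    wheel is missing from the wheelhouse or whose bytes no longer match."""
    present = {parse_wheel_name(w.name): sha256_of(w) for w in wheelhouse.glob("*.whl")}
    bad = []
    for line in filter(str.strip, pinned.splitlines()):
        req, _, digest = line.partition(" --hash=sha256:")
        name, _, version = req.partition("==")
        if present.get((name, version)) != digest.strip():
            bad.append(line)
    return bad


def demo() -> tuple:
    """Constructed wheelhouse with one fake wheel file (its bytes are not a real wheel)."""
    house = Path(tempfile.mkdtemp())
    whl = house / "demo_pkg-1.0.0-py3-none-any.whl"
    whl.write_bytes(b"hello\n")
    pinned = pin_wheelhouse(house)
    clean = verify_wheelhouse(pinned, house)
    whl.write_bytes(b"evil\n")  # simulate a swapped or tampered artifact on the host
    return pinned, clean, verify_wheelhouse(pinned, house)
```

Commit the emitted file alongside the code so the deploy step installs exactly the artifacts the tests ran against, with no network access to PyPI at deploy time.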

