[Distutils] [Python-Dev] PEP 376 - from PyPM's point of view

[Nick Coghlan]

Joachim König wrote:
> So one would have to set up the application specific packages before
> running the application, but the
> whole clutter of uncounted versions of the same package in one directory
> could go away. The
> "drawback" of this approach would be, that the same version of a package
> would have to be installed
> multiple times if needed by different applications.

While this is a very common practice in the Windows world, it is far
less common in the *nix world of vendor managed packaging systems.

As for why it can be a problem, it (bundling libraries with
applications) makes security vulnerability management a *lot* more
difficult for system administrators. If a bug is found in a key library
(e.g. openssl) a dependency based system just needs to update the single
shared copy of that library. In a bundling system, you first have to
work out which of your applications contain an instance of that library
and then see if the application vendors have provided a security patch.
If any one of them hasn't released a patch and you can't patch it
yourself, then you either have to stop using that application or else
accept remaining exposed to the vulnerability.

The bundling approach also leads to applications being much bigger than
they need to be. That isn't much of a problem for desktop or server
systems these days, but can still be an issue in the embedded world.

As far as the idea of making bundling easier goes, we already
implemented that in 2.6 and 3.0. It's the whole reason that zip files
and directories are directly executable now: the named zip file or
directory itself is automatically added to sys.path, so the top level
"__main__.py" in that location can freely import any other co-located
modules and packages.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
---------------------------------------------------------------