eggs considered harmful

[Harry George]

Robert Kern <robert.kern at gmail.com> writes:

> Harry George wrote:
> > ...at least around here.
> > 
> > I run a corporate Open Source Software Toolkit, which makes hundreds
> > of libraries and apps available to thousands of technical employees.
> > The rules are that a) a very few authorized downloaders obtain
> > tarballs and put them in a depot and b) other users get tarballs from
> > the depot and build from source.
> > 
> > Historically, python packages played well in this context.  Install
> > was a simple download, untar, setup.py build/install.
> > 
> > Eggs and with other setuptools-inspired install processes break this
> > paradigm.  The tarballs are incomplete in the first place.  The builds
> > sometimes wander off to the internet looking for more downloads.  The
> > installs sometimes wander off to the internet looking for
> > compatibility conditions.  (Or rather they try to do so and fail
> > because I don't let themn through the firewall.)
> 
> Have you considered establishing a policy that these setuptools-using packages
> should be installed using the --single-version-externally-managed option to the
> install command? This does not check for dependencies.

I didn't know that one.  I'll try it.  Thanks.

> 
> Alternately, you can provide a company repository of the tarballs and their
> depedencies tarballs. Your users can use the easy_install option --find-links to
> point to that URL such that they do not have to go outside of the firewall to
> install everything.
> 

This is a possibility.  The tarballs can be seen in a directory
listing.  They are in different subdirs (for different "bundles" of
functionality), so I'll need -f to look several places.

> > These are unacceptable behaviors.  I am therefore dropping ZODB3, and
> > am considering dropping TurboGears and ZSI.  If the egg paradigm
> > spreads, yet more packages will be dropped (or will never get a chance
> > to compete for addition).
> 
> I'm sorry to hear that.

Me too.  We worked long and hard to get Python established as a
standard language for corporate systems development, we have a host of
projects that need ZSI, and I look forward to making further inroads
into C++, Java, and VB development camps.  Didn't really need a
roadblock at this point.

> 
> > I've asked before, and I'll ask again: If you are doing a Python
> > project, please make a self-sufficient tarball available as well.  You
> > can have dependencies, as long as they are documented and can be
> > obtained by separate manual download. 
> 
> Given the options I outlined above, you can easily satisfy these requirements
> for the vast majority of setuptools-using packages that are out there. There are
> a handful of packages that only distribute the eggs and not the source tarballs,
> but those are rare.
> 

I agree pure eggs are rare.  The fact that they increased this past
quarter was what concerned me.  ZODB even looks like a normal tarball,
builds ok, but uses a easy-install-style lookup during install.


> -- 
> Robert Kern
> 
> "I have come to believe that the whole world is an enigma, a harmless enigma
>  that is made terrible by our own mad attempt to interpret it as though it had
>  an underlying truth."
>   -- Umberto Eco
> 

-- 
Harry George
PLM Engineering Architecture