Duplicates of third-party libraries

Lie Ryan lie.1296 at gmail.com
Tue Dec 8 08:56:40 EST 2009


On 12/9/2009 12:02 AM, David Cournapeau wrote:
> On Tue, Dec 8, 2009 at 9:02 PM, Lie Ryan<lie.1296 at gmail.com>  wrote:
>
>> I disagree, what you should have is an Operating System with a package
>> management system that addresses those issues. The package management must
>> update your software and your dependencies, and keep track of
>> incompatibilities between you and your dependencies.
>
> This has many problems as well: you cannot install/update software
> without being root,

A package manager with setuid, though dangerous, can run without being
root. Some package managers (e.g. Gentoo's Portage w/ prefix) allow the
user to install into a non-default directory (one that doesn't require
root access).

> there are problems when you don't have the right version,

That's the whole point of a package management system! Package
management systems are not just plain software installers (like MSI and
NSIS); they go beyond that and figure out the "right version" of your
dependencies.

In many package management systems, bleeding edge packages are run by
testers that will figure out the dependency your software requires. If 
you are nice (it is your responsibility anyway), you can save them some 
work by telling them the dependency version you've tested your software 
with.

> when the library/code is not packaged, etc...

Don't worry, the majority of users are willing to wait a few weeks until 
the library/code gets packaged. Some even _refuse_ to use anything
younger than a couple of years.

> Don't get me wrong, I am glad that things like debian, rpm exist,
> but it is no panacea

They're not; but software developers should maximize functionality 
provided by package managers rather than trying to build their own 
ad-hoc updater and dependency manager.

> There is simply no silver bullet to the
> deployment problem, and different cases/user targets may require
> different solutions.

The only thing that package managers couldn't provide is for the
extremist bleeding edge; those that want the latest and the greatest in
the first few seconds the developers release them. The majority of
users don't fall into that category; most users are willing to wait a
few weeks to let all the just-released bugs get sorted out and wait till
the package (and its dependencies) stabilizes.


