[python-uk] Reviewing third-party packages
PyUK at getaroundtoit.co.uk
Fri Jul 28 18:42:31 EDT 2017
Patrick,
> All of the above are good
=indeed - am still digesting...
> You could also use the following to check for known vulnerabilities
> https://www.openhub.net/explore/projects
Thank you for this - I had forgotten about BlackDuck (have apparently
fallen off their mailing list).
Will have to spend some time settling on some 'acceptable' metrics: just
for fun and because it was the latest import I've typed* I tried PyYAML.
It is reported as "Very Low Activity" and "6 months since last commit".
Perhaps these are basically the same thing? Yet it is a widely used
facility, and one (amongst many on PyPI) I wouldn't even question using...
However, putting such into a check-list would inform discussion at a
code/system review, and enable anyone to interpret and perhaps express
concern, the code-author to defend (with facts cf opinion or emotion),
the team to consciously evaluate, etc. Excellent!
* code review showed that 'new guy' habitually litters his code with
'constants' and parameters, and for whom I've been developing a quick
alternative 'suggestion' in preparation for our next discussion!
--
Regards,
=dn
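Added example (not from the original message or from any project it mentions): a small script that applies the kind of review check-list discussed above to a pinned requirements file. It flags packages that are stale or low-activity against thresholds, and matches exact pins against a list of advisories. Every package name, release date, commit count, advisory identifier and threshold below is constructed for illustration; nothing is fetched from PyPI, OpenHub or a vulnerability database.

```python
"""Review a pinned requirements list against a dependency check-list.

Added example; all data below is constructed (hypothetical packages,
dates, advisory IDs and policy thresholds), not taken from any real
source or from the original post.
"""
import re
from datetime import date

REVIEW_DATE = date(2017, 7, 28)  # date the review is held (the post's date)

# Constructed requirements.txt contents; only '==' pins are exact.
REQUIREMENTS = """\
# constructed requirements for the review example
alphaparse==2.3.1
betatool==0.9.0
gammalib>=1.0
"""

# Constructed project metadata, mimicking the 'last commit' and activity
# figures a project-tracking site reports (hypothetical packages).
METADATA = {
    "alphaparse": {"last_commit": date(2017, 1, 20), "commits_last_year": 8},
    "betatool":   {"last_commit": date(2015, 3, 2),  "commits_last_year": 0},
    "gammalib":   {"last_commit": date(2017, 7, 1),  "commits_last_year": 140},
}

# Constructed advisories: affected_from is inclusive, fixed_in exclusive.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "betatool",
     "affected_from": (0, 8, 0), "fixed_in": (1, 0, 0)},
]

# Hypothetical 'acceptable' thresholds; a team would settle on its own.
POLICY = {"max_months_since_commit": 12, "min_commits_per_year": 4}

_REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([\d.]+)?$")


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); tuples compare correctly unlike strings."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {lowercased name: version tuple for '==' pins, else None}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = _REQ_RE.match(line)
        if not match:
            raise ValueError("unparseable requirement: %r" % line)
        name, op, ver = match.groups()
        pins[name.lower()] = parse_version(ver) if op == "==" and ver else None
    return pins


def months_between(earlier, later):
    """Whole calendar months from earlier to later (day of month ignored)."""
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def review(requirements, metadata, advisories, policy, today):
    """Return a list of (package, finding) pairs for the check-list."""
    findings = []
    for name, pin in parse_requirements(requirements).items():
        meta = metadata.get(name)
        if meta is None:
            findings.append((name, "no project metadata available"))
            continue
        stale = months_between(meta["last_commit"], today)
        if stale > policy["max_months_since_commit"]:
            findings.append((name, "%d months since last commit" % stale))
        if meta["commits_last_year"] < policy["min_commits_per_year"]:
            findings.append((name, "low activity: %d commits in last year"
                             % meta["commits_last_year"]))
        if pin is None:
            # A range pin resolves at install time, so no single version
            # can be checked against the advisory list.
            findings.append((name, "not pinned to an exact version; "
                                   "cannot check advisories"))
            continue
        for adv in advisories:
            if adv["package"] == name and adv["affected_from"] <= pin < adv["fixed_in"]:
                findings.append((name, "known vulnerability %s, fixed in %s"
                                 % (adv["id"], ".".join(map(str, adv["fixed_in"])))))
    return findings


if __name__ == "__main__":
    for package, finding in review(REQUIREMENTS, METADATA, ADVISORIES, POLICY, REVIEW_DATE):
        print("%-12s %s" % (package, finding))
```

The findings list is the artefact to bring to the review: each line is a fact (months idle, commits in the last year, a matching advisory) that the code author can answer with other facts. Note that a "months since last commit" figure on its own does not distinguish a dormant project from a finished one, which is why the script reports it alongside the activity count rather than as a verdict.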