On Tue, Mar 9, 2021 at 4:20 AM Miroslav Suchý <msuchy(a)redhat.com> wrote:
Dne 08. 03. 21 v 18:33 Mattia Verga via devel napsal(a):
> In what way is different from installing them by pip? Does packaging
> them worth spending resources (disk space, Koji cycles) and packagers time?
1. You know from where the package comes. Verified using GPG checks. Helps to avoid
Dependency Confusions attacks
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
It also avoids having an RPM update down the road replace or overwrite
bits of the module, breaking functionality of other parts of the
system such as RPM itself. and having an update replace a module with
a newer and incompatible version unknown to *other* modules on the
system.
2. You can audit files on your disk using rpm -qf /some/file
Nothing stops you to create these packages automatically using `pyp2rpm`.
It can be awkward to resolve all the dependencies, especially when it
has mismatched version dependencies on critical modules such as
sphinx. Been there, done that, done this for awscli and Samba
dependencies.