Proposal to reduce anti-bundling requirements

Nick Coghlan ncoghlan at gmail.com
Mon Sep 14 07:24:20 UTC 2015


On 14 September 2015 at 00:05, Sérgio Basto <sergio at serjux.com> wrote:
> On Fri, 2015-09-11 at 22:41 +0000, Jóhann B. Guðmundsson wrote:
>>
>> On 09/11/2015 09:09 PM, Orion Poplawski wrote:
>> > What does Fedora users gain with "dnf
>> > install rails" or "dnf install ipython" versus "gem install rails" and "pip
>> > install ipython"?
>>
>> This indeed is a very good question.
>
> I don't think so; if the foo package has a security hole, dnf update will
> have an update when pip or gem install don't.

In my experience as a Python developer, this is largely a myth, as very
few Python packages are actively maintained with backports at the
distro level, and Linux distro release cycles are so slow that they
regularly lag upstream by weeks or months. For example, on Fedora 22:

$ pip show pip
You are using pip version 6.0.8, however version 7.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
---
Name: pip
Version: 6.0.8
Location: /usr/lib/python2.7/site-packages
Requires:

So, upstream is on 7.1.2, we're on 6.0.8. Within the 6.x series, 6.0.8
was released back in February (7 months ago), with the last version
being 6.1.1 in April (5 months ago).

I don't believe this is the pip package maintainer's fault, I believe
it's due to the fact that our processes for updating packages are far
too manual and thus require significant amounts of additional work
following even a backwards compatible upstream release. That then
makes it impossible to keep up with upstream projects that are making
new releases every couple of weeks.

This is why I wrote the Software Component Pipeline concept as the
feedback from Envs & Stacks into the larger Fedora modularisation
discussion: https://fedoraproject.org/wiki/Env_and_Stacks/Projects/SoftwareComponentPipeline

> Another big reason is that if you need the foo package to build the foo2
> package, the system doesn't know of the existence of the foo package
> with pip or gem, nor can it force the installation of it when it is on
> another system.

pip at least is entirely open to the idea of plugin support for
integration with distro packaging systems, and we're actively working
on properly declaring our binary platform dependencies in a way that
can be reliably mapped to system packages. Containers also help a lot
here, as we can use a layered model where we use the system package
manager to install the language runtime, and then the runtime plugin
manager (which is effectively what pip, gem, maven, npm, etc. are) to
install the language-level components.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
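Added example (not part of Nick's message or of pip itself): a small audit that turns the `pip show` output quoted above into a lag report, so the "distro is on 6.0.8, upstream is on 7.1.2" observation can be checked mechanically across a set of distro-shipped packages. The sample text is the Fedora 22 output from the message, embedded as a constructed literal; the upstream version is taken from pip's own upgrade notice rather than fetched from PyPI, and the version comparison is a deliberately minimal PEP 440 release-segment parser (pre/post/dev suffixes are ignored). The function names and the "major/minor/patch" classification are this example's own. A version that lags is not automatically a vulnerable one, since a distro may have backported a fix, so treat the report as a prompt to check the package changelog, not as a finding in itself.

```python
"""Audit how far a distro-shipped Python package lags its upstream release.

Constructed example: parses `pip show`-style output (sample embedded below,
copied from the Fedora 22 output quoted in the thread) and compares the
installed version against the upstream version announced in pip's own
upgrade notice. In a real audit the upstream version would come from an
index query; here it is read from the notice so the script runs offline.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the `pip show pip` output quoted in the message.
SAMPLE_PIP_SHOW = """\
You are using pip version 6.0.8, however version 7.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
---
Name: pip
Version: 6.0.8
Location: /usr/lib/python2.7/site-packages
Requires:
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
NOTICE_RE = re.compile(r"using pip version (\S+), however version (\S+) is available")


def parse_pip_show(text: str) -> Dict[str, str]:
    """Return the 'Key: value' fields of one `pip show` record.

    The upgrade notice and the '---' separator do not match the field
    pattern (no 'Word:' at line start), so they are skipped naturally.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_upgrade_notice(text: str) -> Optional[str]:
    """Extract the upstream version pip advertises in its upgrade notice,
    or None if the notice is absent (e.g. pip run with --disable-pip-version-check)."""
    m = NOTICE_RE.search(text)
    return m.group(2) if m else None


def release_tuple(version: str) -> Tuple[int, ...]:
    """Numeric release segment of a PEP 440 version ('6.0.8' -> (6, 0, 8)).

    Pre-release, post-release and dev suffixes are ignored: enough for a
    distro-vs-upstream lag check, not a full PEP 440 comparator.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def lag_report(installed: str, upstream: str) -> Dict[str, object]:
    """Classify the gap between an installed and an upstream version as
    'current', 'patch', 'minor' or 'major' (the first differing component)."""
    inst, up = release_tuple(installed), release_tuple(upstream)
    # Pad to equal length so (6, 0) compares sanely against (6, 0, 8).
    n = max(len(inst), len(up), 3)
    inst += (0,) * (n - len(inst))
    up += (0,) * (n - len(up))
    if inst >= up:
        level = "current"
    elif inst[0] < up[0]:
        level = "major"
    elif inst[1] < up[1]:
        level = "minor"
    else:
        level = "patch"
    return {"installed": installed, "upstream": upstream,
            "behind": inst < up, "level": level}


def audit_pip_show(text: str, upstream: Optional[str] = None) -> Dict[str, object]:
    """Combine the parsers: installed version from the record, upstream
    version from the caller or from pip's notice, and produce the report."""
    fields = parse_pip_show(text)
    upstream = upstream or parse_upgrade_notice(text)
    if upstream is None:
        raise ValueError("no upstream version supplied or found in notice")
    report = lag_report(fields["Version"], upstream)
    report["name"] = fields.get("Name", "?")
    return report


if __name__ == "__main__":
    r = audit_pip_show(SAMPLE_PIP_SHOW)
    print(f"{r['name']}: installed {r['installed']}, upstream {r['upstream']}, "
          f"{r['level']} release behind" if r["behind"] else f"{r['name']}: current")
```

Feeding the sample through `audit_pip_show` yields a "major" lag for pip (6.0.8 against 7.1.2); calling `lag_report("6.0.8", "6.1.1")` shows the within-series gap the message also mentions as "minor". The same two parsers can be pointed at `pip show` output for every distro-packaged module on a host to get a quick picture of how far the system image trails upstream.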