Andras Simon wrote:
> On Tue, 19 Nov 2024, 16:16, Todd Zullinger <tmz@xxxxxxxxx> wrote:
>
>> [...]
>>
>> ¹ I'm sure many people swear by pip, but I think it's barely
>> better than running `curl ... | bash` to install things,
>> which I consider to be a bad practice.
>
> I agree, but is there a better way when something is not
> packaged for Fedora (other than packaging it, and all its
> dependencies for Fedora)?

Short of packaging things, running it in a container is a mild improvement. It's still a hideous thing to do and if you're going to run the software more than once or twice, packaging it properly is worth the effort. But for a quick one-off, I could stomach running pip inside a container.

My bias comes from looking at things as a sysadmin rather than a developer. So I place more importance on having a solid, auditable, reproducible system than on getting library X, Y, and Z installed quickly so I can prototype some new feature for a product manager. I'm the one who will be paged late at night if things break, so I do everything I can to block folks from using quick and dirty methods to push code to systems I must then maintain.

I also think the security of pip (or any of the other language-specific install tools) leaves a lot to be desired, compared to installations from a trusted distro repository where things are signed and build logs are available. Short of directly auditing and building all code yourself, the distro repos are so much better than pip install will ever be.

> Maybe a script that would check which dependencies of a
> random Python package are dnf installable would help to
> some extent; then one could use --system-site-packages
> when creating a virtual environment in which pip is used
> to minimize the number of pip installations. Of course,
> one can do this by hand, too.

I _think_ that pip from Fedora may do this already (though it might only pick up dependencies which are already installed at the system level)? I'm not sure and have never looked into it, because I start from the premise that if it's worth installing on my system, it's going to have to be packaged properly (as an rpm or deb or whatever system I'm using).

-- 
Todd
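Added example, not part of the thread and not Fedora's own tooling: a sketch of the script Andras describes, which splits a requirement list into what the signed distro repositories can supply and what is left for pip in a `--system-site-packages` venv. It assumes Fedora's `python3dist(<name>)` RPM provides; the function names, the sample requirements and the stand-in repository set are constructed for illustration.

```python
import re
import subprocess

def provide_for(requirement):
    """Map a requirement string to the python3dist() provide carried by Fedora RPMs."""
    # Keep only the project name; extras, version specifiers and markers are dropped,
    # so a distro version that does not satisfy a pin is not detected here.
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    if not m:
        raise ValueError(f"not a requirement: {requirement!r}")
    # PEP 503 normalization: lowercase, runs of '-', '_', '.' collapse to one '-'.
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    return f"python3dist({name})"

def dnf_has(provide):
    """True if an enabled repository offers a package with this provide."""
    out = subprocess.run(
        ["dnf", "-q", "repoquery", "--whatprovides", provide],
        capture_output=True, text=True, check=False,
    )
    return out.returncode == 0 and bool(out.stdout.strip())

def split_requirements(requirements, is_packaged=dnf_has):
    """Return (provides to install with dnf, requirements left for pip)."""
    from_dnf, from_pip = [], []
    for req in requirements:
        req = req.strip()
        if not req or req.startswith("#"):
            continue  # blank line or comment in a requirements file
        provide = provide_for(req)
        if is_packaged(provide):
            from_dnf.append(provide)
        else:
            from_pip.append(req)
    return from_dnf, from_pip

if __name__ == "__main__":
    # Constructed sample input and a constructed stand-in for the repositories,
    # so the demo runs anywhere; omit the second argument to query dnf for real.
    sample = ["requests>=2.31", "ruamel.yaml", "some_unpackaged_lib==0.1"]
    fake_repo = {"python3dist(requests)", "python3dist(ruamel-yaml)"}
    rpm, pip = split_requirements(sample, fake_repo.__contains__)
    print("sudo dnf install", " ".join(f"'{p}'" for p in rpm))
    print("python3 -m venv --system-site-packages venv")
    print("venv/bin/pip install", " ".join(f"'{r}'" for r in pip))
```

Only the direct requirements passed in are checked; anything pip installs afterwards can still pull in its own dependencies from PyPI, so the pip-only list is the part that needs review.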