On 14 September 2015 at 00:05, Sérgio Basto <sergio@xxxxxxxxxx> wrote: > On Sex, 2015-09-11 at 22:41 +0000, Jóhann B. Guðmundsson wrote: >> >> On 09/11/2015 09:09 PM, Orion Poplawski wrote: >> > What does Fedora users gain with "dnf >> > install rails" or "dnf install ipython" versus "gem install rails" and "pip >> > install ipython"? >> >> This indeed is very good question. > > I don't think so , if foo package have a security hole , dnf update will > have an update when pip or gem install don't . In my experience as Python developer, this is largely a myth, as very few Python packages are actively maintained with backports at the distro level, and Linux distro release cycles are so slow that they regularly lag upstream by weeks or months. For example, on Fedora 22: $ pip show pip You are using pip version 6.0.8, however version 7.1.2 is available. You should consider upgrading via the 'pip install --upgrade pip' command. --- Name: pip Version: 6.0.8 Location: /usr/lib/python2.7/site-packages Requires: So, upstream is on 7.1.2, we're on 6.0.8. Within the 6.x series, 6.0.8 was released back in February (7 months ago), with the last version being 6.1.1 in April (5 months ago). I don't believe this is the pip package maintainer's fault, I believe it's due to the fact that our processes for updating packages are far too manual and thus require significant amounts of additional work following even a backwards compatible upstream release. That then makes it impossible to keep up with upstream projects that are making new releases every couple of weeks. This is why I wrote the Software Component Pipeline concept as the feedback from Envs & Stacks into the larger Fedora modularisation discussion: https://fedoraproject.org/wiki/Env_and_Stacks/Projects/SoftwareComponentPipeline > Other big reason is if you need foo package to build foo2 package , > system doesn't know the existence of foo package with pip or gem , > neither can force the installation of it when is in a another system. pip at least is entirely open to the idea of plugin support for integration with distro packaging systems, and we're actively working on properly declaring our binary platform dependencies in a way that can be reliably mapped to system packages. Containers also help a lot here, as we can use a layered model where we use the system package manager to install the language runtime, and then the runtime plugin manager (which is effectively what pip, gem, maven, npm, etc are) to install the language level components. Regards, Nick. -- Nick Coghlan | ncoghlan@xxxxxxxxx | Brisbane, Australia -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
