On Tue, Mar 9, 2021 at 4:20 AM Miroslav Suchý <msuchy@xxxxxxxxxx> wrote: > > Dne 08. 03. 21 v 18:33 Mattia Verga via devel napsal(a): > > In what way is different from installing them by pip? Does packaging > > them worth spending resources (disk space, Koji cycles) and packagers time? > > 1. You know from where the package comes. Verified using GPG checks. Helps to avoid Dependency Confusions attacks > https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 It also avoids having an RPM update down the road replace or overwrite bits of the module, breaking functionality of other parts of the system such as RPM itself. and having an update replace a module with a newer and incompatible version unknown to *other* modules on the system. > 2. You can audit files on your disk using rpm -qf /some/file > > Nothing stops you to create these packages automatically using `pyp2rpm`. It can be awkward to resolve all the dependencies, especially when it has mismatched version dependencies on critical modules such as sphinx. Been there, done that, done this for awscli and Samba dependencies. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
