You’re right about python being the same. Python doesn’t have a mature alternative to Typescript that launches it into having best-in-class type handling.
There’s so much that my C# devs can’t do with its horrible type system that Typescript “just does better”. At compile-time at least.
I used to work on a hybrid typescript/python product (some services js, some TS, some python), and the TS stuff was just faster-running, easier to iterate, and better. And story-point allocations consistently showed that for an excess of 20 devs working on those codebases.
As for pip/easy_install vs npm/yarn/pnpm… I’m curious what you think pip does well that yarn/npm doesn’t? I’ll say in my work experience there’s more/better enterprise private repository/cache support for node modules than for python modules. Using npm security databases alongside “known good versioning” allows a team of even 100 developers to safely add libraries to projects with no fear of falling out of corporate compliance regulations. I’ve never seen that implemented with pip
How so? The companies I worked for were using venv’s but nothing that could help with standards.
Using a private npm repo, I can actually do aninstall of a library I want to use and it’ll refuse to install if that library isn’t already approved for use by the organization, and if it is/does, it will install only the approved version. Further, I still don’t have any of the libraries installed I don’t want (even secure-seeming unnecessary code is a potential risk and unnecessary). The last 2 places I worked that used python used venv’s, but the pip requirements.txt file was still fairly hard to keep regulated.
So let’s say I want to add a library not currently being used in this project, but that might have been approved for another project in another repo? How does pip freeze solve that problem? Do python users endorse a “every single python app in the entire org should use the same requirements.txt” mindset? Or what am I missing?
Are you sure your knowledge of Python’s package management isn’t out of date? easy_install has been deprecated for years. There are a few mechanisms that the Python community now has for dependency management and installation. My favorite solution is Poetry, which like npm maintains a separate dependency (pyproject.toml) and lock (poetry.lock) file.
I didn’t think anyone was using easy_install anymore, but I still see it in docs for stuff.
Poetry looks interesting, but does it support private-only dependencies, where the system will reject a library or version if it has not been previously approved and cached?
You’re right about python being the same. Python doesn’t have a mature alternative to Typescript that launches it into having best-in-class type handling.
There’s so much that my C# devs can’t do with its horrible type system that Typescript “just does better”. At compile-time at least.
I used to work on a hybrid typescript/python product (some services js, some TS, some python), and the TS stuff was just faster-running, easier to iterate, and better. And story-point allocations consistently showed that for an excess of 20 devs working on those codebases.
As for pip/easy_install vs npm/yarn/pnpm… I’m curious what you think pip does well that yarn/npm doesn’t? I’ll say in my work experience there’s more/better enterprise private repository/cache support for node modules than for python modules. Using npm security databases alongside “known good versioning” allows a team of even 100 developers to safely add libraries to projects with no fear of falling out of corporate compliance regulations. I’ve never seen that implemented with pip
Depending on the regulations, python virtual envs could make it possible too.
How so? The companies I worked for were using venv’s but nothing that could help with standards.
Using a private npm repo, I can actually do aninstall of a library I want to use and it’ll refuse to install if that library isn’t already approved for use by the organization, and if it is/does, it will install only the approved version. Further, I still don’t have any of the libraries installed I don’t want (even secure-seeming unnecessary code is a potential risk and unnecessary). The last 2 places I worked that used python used venv’s, but the pip requirements.txt file was still fairly hard to keep regulated.
From approved environments:
pip freeze > requirements.txt?So let’s say I want to add a library not currently being used in this project, but that might have been approved for another project in another repo? How does
pip freezesolve that problem? Do python users endorse a “every single python app in the entire org should use the same requirements.txt” mindset? Or what am I missing?Are you sure your knowledge of Python’s package management isn’t out of date? easy_install has been deprecated for years. There are a few mechanisms that the Python community now has for dependency management and installation. My favorite solution is Poetry, which like npm maintains a separate dependency (pyproject.toml) and lock (poetry.lock) file.
I didn’t think anyone was using easy_install anymore, but I still see it in docs for stuff.
Poetry looks interesting, but does it support private-only dependencies, where the system will reject a library or version if it has not been previously approved and cached?
I think this is what you’re looking for, where you can configure both the resolution order and whether to just pull from a private repository.
Ah, yeah. Pretty awesome. Looks like they added that in 2019. I wonder why I’ve not seen that behavior used much at all.
Is there also good repo-mirror functionality to keep it easy to curate the private source?
I’m not sure why it’s not done as much. But yes, there’s tooling to maintain a mirror. I’m not sure about quality, since I haven’t done it myself.