nielsm
Jun 1, 2009



Jeb Bush 2012 posted:

python has all kinds of flaws but the least defensible is the lack of variable declaration (as opposed to dynamic typing, which I dislike but does have some advantages)

But, it has inverted variable declarations! Python 3 literally introduced the nonlocal statement to declare that that variable is not in this scope.

TooMuchAbstraction
Oct 14, 2012

I spent four years making
Waves of Steel
Hell yes I'm going to turn my avatar into an ad for it.
Fun Shoe

nielsm posted:

But, it has inverted variable declarations! Python 3 literally introduced the nonlocal statement to declare that that variable is not in this scope.

Oh yeah, I'll add the scoping rules to my list of things that are acceptable to gripe about in Python. The lack of scopes besides "module" and "function" has bitten me several times in the past.

That said, `nonlocal` is just a variant on `global`, which lets a function work with values from the global namespace. I don't really have a problem with `global`; you need some way to say "I want to assign to the global named "foo", not create a new local named "foo"." It's either this or have var declarations. :shrug:

GenJoe
Sep 15, 2010


Rehabilitated?


That's just a bullshit word.

necrotic posted:

npm also just had that post install fiasco with some typo squatting packages. So recently isn't really accurate

ah they've had over a year and a half to deal with this and they are just now "getting around" to implementing some kind of (probably optional) 2fa for publishing.

Eela6
May 25, 2007
Shredded Hen

TooMuchAbstraction posted:

Hot take: if your problems with Python don't have to do with the GIL, the lack of type safety, or the timeline for updating to Python 3, then your opinions are wrong. It has no other major flaws. :colbert:

Obviously not a 100% serious opinion, but honestly Python beats the pants off of every other major language I use in terms of expressiveness and clarity of code.

I disagree. Python is my favorite language, but the following things bug the heck out of me, in order of pettiness:

bools as a subtype of int
the way mutable default function arguments are handled
else is incredibly poorly named in the context of try/except/else/finally and for/else (though I do like the feature)
{} being an empty dict and not an empty set

I also have problems with some things that are legacy cruft: I love fstrings, but the fact that python now has THREE different string formatting methods is kind of crazy. I think the benefits of adding them outweigh the flaws, but still.

The biggest problem of all, though, is lack of portability. It is incredibly hard to just give someone a file and say 'run this'. Javascript should have this problem, but so much infrastructure has been built up that pretty much anyone can run your Javascript anywhere.

nielsm posted:

But, it has inverted variable declarations! Python 3 literally introduced the nonlocal statement to declare that that variable is not in this scope.

I like this.

I would like a Python-like, compiled, statically-typed language, but it wouldn't let you do half the dark magic that makes python really loving fun. Like, for example, you can do this in Python:

Python code:
"""
easyrepr.py provides a class decorator that tries to create self-documenting
__repr__ such that eval(repr(x)) == repr(x) where possible.
Python 3.6.0 and up only
"""

from itertools import chain

def easyrepr(cls):
    """class decorator. tries to create self-documenting __repr__. 
    such that, where possible for immutable objects with 
    implemented __equals__, 
    eval(repr(x)) == x 
    
    """
    _cls_new = cls.__new__
    def _easyrepr_repr(self):
        """ 
		automatic __repr__ created by the easyrepr decorator. takes the form 
		cls(*args, **kwargs), where *args and **kwargs are captured during _easyrepr_new
		"""
        return self._easyrepr
    def _easyrepr_new(cls, *args, **kwargs):
        """
		replacement _new__ created by the easyerpr decorator. captures arguments
		during instance creation and stores their reprs in a string, to be returned
		when _easyrepr__repr is called.
		"""
        instance  = _cls_new(cls)
        argstr = (f'{arg!r}' for arg in args)
        kwargstr = (f'{arg} = {kwargs[arg]!r}' for arg in kwargs)
        args = ', '.join(chain(argstr, kwargstr))
        instance._easyrepr = f'{cls.__name__}({args})'
        return instance
    cls.__new__ = _easyrepr_new
    cls.__repr__ = _easyrepr_repr
    return cls
Which is true dark dynamic magic.

Python is the best language to write, hands down. It is not always the best language to develop in.

Eela6 fucked around with this message at 21:25 on Aug 29, 2017

nielsm
Jun 1, 2009



TooMuchAbstraction posted:

Oh yeah, I'll add the scoping rules to my list of things that are acceptable to gripe about in Python. The lack of scopes besides "module" and "function" has bitten me several times in the past.

That said, `nonlocal` is just a variant on `global`, which lets a function work with values from the global namespace. I don't really have a problem with `global`; you need some way to say "I want to assign to the global named "foo", not create a new local named "foo"." It's either this or have var declarations. :shrug:

I've generally enjoyed writing Python and I still use it for occasional odd tasks, but the scoping is bad. I very much prefer to declare my variables where they live rather than where they don't live. (I largely grew up on Delphi and came to like the declaration discipline of Pascal.)

Ranzear
Jul 25, 2013

GenJoe posted:

I'm also very skeptical of the "save time by writing the same code for the server and the client!" line. That's not really how web development works.

Strictly browser games that run over websockets ('ws' is literally the only thing I install through npm) and do a lot of client work for prediction or whatever. I wouldn't say it saves time, but saves duplication and related mistakes. I can push game logic tweaks for the client and a mercurial hook restarts the server via supervisor to load the exact same code.

I wouldn't force it on anyone though. Every file has this dumb boilerplate like:
code:
var Server = (typeof window === 'undefined');
if (Server)
	module.exports = Entity;
I'm also the guy who writes 1461 lines with seveneleven comments. I know I'm an rear end in a top hat weirdo.

Ranzear fucked around with this message at 21:37 on Aug 29, 2017

MrMoo
Sep 14, 2000

Dr. Stab posted:

Can I write my node server in python and transpile it to js?

You could probably compile Python itself into asm.js or whatever it is called and run the script unmodified.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

necrotic posted:

They learned from left pad and then immediately ignored the new policy so no they haven't learned poo poo. Still no package signing either.

they serve all packages over https. why do you think that's worse than signed packages?

GenJoe
Sep 15, 2010


Rehabilitated?


That's just a bullshit word.
this post is

Mad Jaqk
Jun 2, 2013
Based on my experience, doing websocket stuff in Node with socket.io is easier than in other languages/frameworks, though I don't know why that would need to be the case and I'd believe there was some easy tool I've been missing.

Dr. Stab
Sep 12, 2010
👨🏻‍⚕️🩺🔪🙀😱🙀

MrMoo posted:

You could probably compile Python itself into asm.js or whatever it is called and run the script unmodified.

I should probably compile gcc itself to js and use that to compile python. Closer to the metal that way.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

A big problem of language X vs language Y discussions is that they usually come down to pointing out the inevitable flaws of each language and trying to decide which flaws are the worst. That's incredibly difficult to do.

People talk about the flaws in JS or Python and I always have a feeling like..."yeah, those are things that are not good, but I know about them and account for them and get on with my day".

On the other hand, that can't possibly mean all languages are good, but of the half dozen languages I'm half-competent with, none of the flaws about them that are commonly brought up really get me mad.

Thermopyle fucked around with this message at 22:24 on Aug 29, 2017

McGlockenshire
Dec 16, 2005

GOLLOCKS!

Mad Jaqk posted:

Based on my experience, doing websocket stuff in Node with socket.io is easier than in other languages/frameworks, though I don't know why that would need to be the case and I'd believe there was some easy tool I've been missing.

If you're going to do websockets in a lovely language that was never designed for I/O, at least do them in the best lovely language that was never designed for async I/O: PHP.

https://amphp.org/aerys/

The people that make this are some of the sharpest PHP developers I've ever met. They are absolutely batshit insane.

necrotic
Aug 2, 2005
I owe my brother big time for this!

Suspicious Dish posted:

they serve all packages over https. why do you think that's worse than signed packages?

Package signing is for verifying package contents, which SSL is incapable of doing. If NPM was well run and private repositories did not exist it becomes less important, but right now there is no mechanism to verify you're getting what you think you're getting. Every other package manager I've used supports this.

QuarkJets
Sep 8, 2008

nielsm posted:

I've generally enjoyed writing Python and I still use it for occasional odd tasks, but the scoping is bad. I very much prefer to declare my variables where they live rather than where they don't live. (I largely grew up on Delphi and came to like the declaration discipline of Pascal.)

I don't understand. If you want variable X to live in function A, then it lives there and nowhere else; isn't that exactly what you want? I'm having difficulty parsing the last sentence (in what sense do you declare variables where they don't live? What does that mean?)

dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)
I have never hosed up using pip, and I gently caress up everything.

canis minor
May 4, 2011

Every time I look up at babel.js/react.js/JSX combo I get angry. It's just one big why.


Cool, so it's node.js, but in php?

Plorkyeran
Mar 22, 2007

To Escape The Shackles Of The Old Forums, We Must Reject The Tribal Negativity He Endorsed

QuarkJets posted:

I don't understand. If you want variable X to live in function A, then it lives there and nowhere else; isn't that exactly what you want? I'm having difficulty parsing the last sentence (in what sense do you declare variables where they don't live? What does that mean?)

nonlocal is an explicit declaration that the variable doesn't live at the point of the declaration, but says nothing about where it actually does live other than that it's some containing scope.

PhantomOfTheCopier
Aug 13, 2008

Pikabooze!

Slimchandi posted:

I'm fairly new to Python but I recognise the boolean conditional is phrased poorly. Otherwise is it bad because you generate an entire list just to pluck off the first item? Or the general impenetrableness of how you generate the name list?

Yeah first note, I already cleaned that up a bit before posting it. Second, "impenetrable" is a good word to describe most production Python. They like saying it's clean and easy to read and there's one way to do things... Naup, none of those things is a property of the language; it's up to the author. I've seen endless code come through review that's unmaintainable as written, convoluted, terrible OO, etcetera.

Unfortunately what does seem to be a property of the language is the level of awful it induces in authors. Many languages have map or comprehension, but only in Python have I seen someone try to get through a nested comprehension with conditions and exceptions. (I'll have to try to find that example)

Zemyla
Aug 6, 2008

I'll take her off your hands. Pleasure doing business with you!

Dr. Stab posted:

Can I write my node server in python and transpile it to js?

No, but you can transpile it from Haskell! :shepface:

Volguus
Mar 3, 2009

necrotic posted:

npm the org is what kills it as a package manager. They have no clue how to properly run a repository of packages.

npm has a repository? Looking at https://www.npmjs.com/browse/keyword/repository things seem to be as they've always been (mind-numbingly insane, on the "wtf are you thinking" level or, more accurately "are you even thinking?") as in: "we download poo poo from some git repo, where we try to match your required version with some branch tags, and then we run code on your local machine and then we cross fingers that we got it right".

It's fine to not like maven or the linux package managers or FreeBSD's ports, but if you want to build a different package manager, wouldn't "be better than the rest" be a requirement? And, to be fair, that requirement is not met by far. I mean, they don't even seem to have the concept of a repository. Please correct me if I'm wrong here. Please.

JewKiller 3000
Nov 28, 2006

by Lowtax
you are not wrong

GenJoe
Sep 15, 2010


Rehabilitated?


That's just a bullshit word.
You just linked a search result for some really bad npm projects, nothing you said actually describes how npm works.

essentially, if you want to add your code to npm, you create a package.json file that lists your project name, a version number (w/ major, minor, and patch versioning), and whatever dependencies your code requires. You then publish using "npm publish" and it uploads your project to npm's public repository. Everyone else can now pull down your project with an "npm install <project name>". They can also pull down a specific version, or they can list your project as a dependency for their own project using their package.json.

you can also give npm your money and they will publish private repositories for you, kind of like how github does with their paid plans.

QuarkJets
Sep 8, 2008

Plorkyeran posted:

nonlocal is an explicit declaration that the variable doesn't live at the point of the declaration, but says nothing about where it actually does live other than that it's some containing scope.

Oh, I thought that the complaint was about Python scoping generally rather than just talking about nonlocal specifically

The complaint seemed to suggest that you can't declare where a variable lives, but that's actually just the default behavior

QuarkJets fucked around with this message at 05:00 on Aug 30, 2017

Volguus
Mar 3, 2009

GenJoe posted:

You just linked a search result for some really bad npm projects, nothing you said actually describes how npm works.

essentially, if you want to add your code to npm, you create a package.json file that lists your project name, a version number (w/ major, minor, and patch versioning), and whatever dependencies your code requires. You then publish using "npm publish" and it uploads your project to npm's public repository. Everyone else can now pull down your project with an "npm install <project name>". They can also pull down a specific version, or they can list your project as a dependency for their own project using their package.json.

you can also give npm your money and they will publish private repositories for you, kind of like how github does with their paid plans.

So, hold on, if they have their own repository, where do the various git websites come into play? Why does a connection to github.com need to be made? And, more so, if they have their own repository, why isn't package signing done? One would think that would be a blocking requirement, wouldn't it?

GenJoe
Sep 15, 2010


Rehabilitated?


That's just a bullshit word.

Volguus posted:

So, hold on, if they have their own repository, where do the various git websites come into play? Why does a connection to github.com need to be made? And, more so, if they have their own repository, why isn't package signing done? One would think that would be a blocking requirement, wouldn't it?

You are allowed to, optionally, specify a git repository as a dependency, instead of pointing directly to an NPM project/version. This is useful if you're developing something that depends on some feature branch somewhere that hasn't been merged/published to NPM yet. It looks like:

code:
"dependencies": {
  "some-package": "github:github_username/some-package#branch"
}
there's also a lesser known feature that lets you point the # to a specific commit, or to a semver that npm tries to resolve to a tag from somewhere in the git repository. The latter isn't really used and definitely isn't standard.

GenJoe
Sep 15, 2010


Rehabilitated?


That's just a bullshit word.

Volguus posted:

And, more so, if they have their own repository, why isn't package signing done? One would think that would be a blocking requirement, wouldn't it?

Suspicious Dish posted:

they serve all packages over https. why do you think that's worse than signed packages?

the npm core team wasn't mature/experienced enough to know that https isn't a strong enough guarantee for package authenticity. I think this is kind of a common mistake (but I'm not defending them because of that, it's reaaaaaly bad), and it led to all kinds of fun when npm inadvertently started spreading a worm around that could modify and publish packages using the installed-on user's credentials: https://www.kb.cert.org/vuls/id/319816

GenJoe fucked around with this message at 06:30 on Aug 30, 2017

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe
how does package signing fix the above attack

Volguus
Mar 3, 2009

GenJoe posted:

You are allowed to, optionally, specify a git repository as a dependency, instead of pointing directly to an NPM project/version. This is useful if you're developing something that depends on some feature branch somewhere that hasn't been merged/published to NPM yet. It looks like:

code:
"dependencies": {
  "some-package": "github:github_username/some-package#branch"
}
there's also a lesser known feature that lets you point the # to a specific commit, or to a semver that npm tries to resolve to a tag from somewhere in the git repository. The latter isn't really used and definitely isn't standard.

I'm not talking about that. If I specify a dependency all the way to alpha centauri, then sure, that's my fault. but I want to install package "foo", version 4.5 and the drat thing goes to github to get it for me? How does that make sense? How does that work? What is the "repository" role then?

GenJoe
Sep 15, 2010


Rehabilitated?


That's just a bullshit word.

Suspicious Dish posted:

how does package signing fix the above attack

I think there are a lot of moving parts here, but the most important idea is that your private key is locked down and won't be accessible by an npm post-install script that's been executed without root or specific permissions (I think that's the bare minimum requirement, ideally your private key is locked down even further, i.e. on different hardware or whatever).

This is how maven does the whole package signing thing if you're interested: http://central.sonatype.org/pages/working-with-pgp-signatures.html

Volguus posted:

I'm not talking about that. If I specify a dependency all the way to alpha centauri, then sure, that's my fault. but I want to install package "foo", version 4.5 and the drat thing goes to github to get it for me? How does that make sense? How does that work? What is the "repository" role then?

it really shouldn't be? NPM keeps their own repository, it doesn't store things on github like that. do you have a specific example here?

sarehu
Apr 20, 2007

(call/cc call/cc)
When I program in Go I just write github URLs in the source code.

Volguus
Mar 3, 2009

GenJoe posted:

I think there are a lot of moving parts here, but the most important idea is that your private key is locked down and won't be accessible by an npm post-install script that's been executed without root or specific permissions (I think that's the bare minimum requirement, ideally your private key is locked down even further, i.e. on different hardware or whatever).

This is how maven does the whole package signing thing if you're interested: http://central.sonatype.org/pages/working-with-pgp-signatures.html


it really shouldn't be? NPM keeps their own repository, it doesn't store things on github like that. do you have a specific example here?

It doesn't store things in github, yet it manages to depend on github (that is, get hosed when github doesn't work). Specific example? How about the documentation:

quote:

What is a package?

A package is any of the following:

a) a folder containing a program described by a package.json file
b) a gzipped tarball containing (a)
c) a url that resolves to (b)
d) a <name>@<version> that is published on the registry with (c)
e) a <name>@<tag> that points to (d)
f) a <name> that has a latest tag satisfying (e)
g) a git url that, when cloned, results in (a).

So, if I write a package.json file that among other things is dependent on a github repo .... then what?

Xarn
Jun 26, 2015
Issue just got opened up, apparently our preview release breaks :nsfw:
this :nsfw:

That's definitely a thing...

GenJoe
Sep 15, 2010


Rehabilitated?


That's just a bullshit word.

Volguus posted:

So, if I write a package.json file that among other things is dependent on a github repo .... then what?

then it downloads it from github! This is completely fine and I don't think worrying about github going down is a rational gripe with npm here. Sure it can go down just like the npm repository can go down, but the good news is that doesn't happen. Like ever.

if it makes you feel any better, published packages rarely list git dependencies. It's really meant for development like I said, where you need to temporarily redirect your dependency to a specific commit or branch somewhere.

QuarkJets
Sep 8, 2008

Xarn posted:

Issue just got opened up, apparently our preview release breaks :nsfw:
this :nsfw:

That's definitely a thing...

iirc that language dominates the entire AWS backend

Volguus
Mar 3, 2009

GenJoe posted:

then it downloads it from github! This is completely fine and I don't think worrying about github going down is a rational gripe with npm here. Sure it can go down just like the npm repository can go down, but the good news is that doesn't happen. Like ever.

if it makes you feel any better, published packages rarely list git dependencies. It's really meant for development like I said, where you need to temporarily redirect your dependency to a specific commit or branch somewhere.

Ughh ... I'm not sure this is fine, but anyway. Not about github going down (duh, github will be with us forever), but how about taking over repositories, typosquatting or other forms of injecting unknown/unwanted code. I mean, how can one trust what npm has to offer when npm has no way of checking its offerings? In what universe does that make any sense? And that documentation sample that I just posted is a perfect example of "no brain cells were used in the making of this thing". How can it be possible to get things from a 3rd party location without me telling you specifically to do so and say that "it's fine" with a straight face?

nielsm
Jun 1, 2009



QuarkJets posted:

Oh, I thought that the complaint was about Python scoping generally rather than just talking about nonlocal specifically

The complaint seemed to suggest that you can't declare where a variable lives, but that's actually just the default behavior

Yes, the problem is that in Python, any assignment is an implicit declaration that the variable lives in the assignment scope, unless it has been declared nonlocal in the same scope... unless it's a global, I think?
So in Python 1 and 2 you can't reassign a variable that lives in an outer function scope from an inner function, but have to use "tricks" like making the thing you want to reassign a member of something or a dict entry. (This alone is reason enough for me to prefer Python 3.)
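The rule nielsm describes, shown in running code as an added example (not code from anyone in the thread): the silent-local trap, the Python 1/2 container workaround, the Python 3 `nonlocal` fix, and `global` as its module-scope counterpart.

```python
"""Added example: Python's assignment-is-declaration rule, the Python 2 era
workaround, and the Python 3 nonlocal/global declarations."""

TOTAL = 0  # module-level name used by bump_total()


def counter_with_bug():
    """The trap: assigning to `count` inside inner() silently declares a new
    local, so the read that `+=` performs first fails. Returns the exception
    class name so the failure mode can be checked, not just printed."""
    count = 0

    def inner():
        count += 1  # compiler sees an assignment: count is local to inner()
        return count

    try:
        return inner()
    except UnboundLocalError as exc:
        return type(exc).__name__


def counter_py2_style():
    """Python 1/2 workaround: keep the value in a mutable container. inner()
    only mutates the dict; it never assigns to the name `state`, so no new
    local is declared."""
    state = {"count": 0}

    def inner():
        state["count"] += 1
        return state["count"]

    inner()
    inner()
    return inner()


def counter_nonlocal():
    """Python 3: `nonlocal` declares that `count` lives in some enclosing
    function scope (it does not say which), so assignment rebinds it there."""
    count = 0

    def inner():
        nonlocal count
        count += 1
        return count

    inner()
    inner()
    return inner()


def shadow_without_nonlocal():
    """Without a declaration, assignment creates a fresh local; the outer
    binding is untouched. Returns (inner's value, outer's value)."""
    label = "outer"

    def inner():
        label = "inner"
        return label

    return inner(), label


def bump_total():
    """`global` is the module-scope counterpart of nonlocal: it says the
    name being assigned lives in the module namespace, not here."""
    global TOTAL
    TOTAL += 1
    return TOTAL


if __name__ == "__main__":
    print(counter_with_bug())         # UnboundLocalError
    print(counter_py2_style())        # 3
    print(counter_nonlocal())         # 3
    print(shadow_without_nonlocal())  # ('inner', 'outer')
```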

return0
Apr 11, 2007

canis minor posted:

Every time I look up at babel.js/react.js/JSX combo I get angry. It's just one big why.

The why is you, as React is actually pretty good.


Volguus posted:

It doesn't store things in github, yet it manages to depend on github (that is, get hosed when github doesn't work). Specific example? How about the documentation:


So, if I write a package.json file that among other things is dependent on a github repo .... then what?

Python pip and Ruby gems are identical in this regard.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

GenJoe posted:

I think there are a lot of moving parts here, but the most important idea is that your private key is locked down and won't be accessible by an npm post-install script that's been executed without root or specific permissions (I think that's the bare minimum requirement, ideally your private key is locked down even further, i.e. on different hardware or whatever).

This is how maven does the whole package signing thing if you're interested: http://central.sonatype.org/pages/working-with-pgp-signatures.html

what's preventing a post-install script from reading ~/.gnupg? how is that locked down?

signed packages *might* be a step up but you have to define your threat model and figure out what each technology helps with.

blindly going "hurr durr signed packages will fix this" isn't how we should be doing security in 2017.
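One concrete form of the content check necrotic asked for earlier, and of the threat-model distinction made here, as an added example that is not code from the thread or from npm: a fetched tarball is verified against a content hash pinned in a lockfile. It assumes npm 5's package-lock.json `integrity` format (Subresource Integrity, `sha512-<base64>`); the tarball bytes and the lock entry are constructed.

```python
"""Added example: verify a downloaded tarball against a content hash pinned
in a lockfile. Transport security (https) only proves who served the bytes;
the pinned hash proves the bytes are the ones recorded when the lock was
written. Lock entry and tarball bytes are constructed for the example."""
import base64
import hashlib
import hmac


def sri_digest(data, algo="sha512"):
    """Subresource-Integrity style string, e.g. 'sha512-<base64>' (assumed
    here to be the format npm 5 writes into package-lock.json)."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed stand-ins for a registry tarball and its lockfile entry.
GOOD_TARBALL = b"constructed bytes standing in for ws-3.0.0.tgz"
LOCK = {
    "dependencies": {
        "ws": {
            "version": "3.0.0",
            "resolved": "https://registry.example.invalid/ws/-/ws-3.0.0.tgz",
            "integrity": sri_digest(GOOD_TARBALL),
        }
    }
}


def verify(lock, name, data):
    """Return (ok, reason). Fails closed on a missing entry or unknown algorithm."""
    entry = lock.get("dependencies", {}).get(name)
    if entry is None or "integrity" not in entry:
        return False, "no integrity recorded for this package"
    algo, sep, expected_b64 = entry["integrity"].partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        return False, f"unsupported integrity algorithm {algo!r}"
    actual_b64 = sri_digest(data, algo).split("-", 1)[1]
    # constant-time comparison out of habit; the values are public hashes
    if not hmac.compare_digest(actual_b64, expected_b64):
        return False, "integrity mismatch: bytes differ from the recorded tarball"
    return True, "ok"


if __name__ == "__main__":
    print(verify(LOCK, "ws", GOOD_TARBALL))            # (True, 'ok')
    print(verify(LOCK, "ws", GOOD_TARBALL + b"\x00"))  # swapped or modified bytes
    print(verify(LOCK, "left-pad", b""))               # never recorded in the lock
```

This catches a tarball that was swapped or modified after the lock was written, and only if the lockfile itself came from somewhere trusted; a malicious release published with a maintainer's stolen credentials gets recorded as the legitimate hash the first time it is fetched, which is exactly the threat-model point being made above.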

GenJoe
Sep 15, 2010


Rehabilitated?


That's just a bullshit word.
here's a recent example of typo squatting https://www.theregister.co.uk/2017/08/02/typosquatting_npm/

It's definitely a problem and I have no idea how you fix something like that. NPM did take some steps to try and mitigate project hijacking, by removing the ability to unpublish projects, and by removing force pushing over existing project versions, but with semver that doesn't really matter because people will mostly automatically download new patch versions anyway, so an attacker can just upload their exploit as a new patch-level update and it'll spread just as easily.

The 3rd party dependency thing is tricky, idk you're right that there's no way to verify those, but being able to point to a specific tarball or git branch when you're developing really is immensely helpful. Maybe they should enforce that projects on their public repository can only list other npm-hosted projects as dependencies, but if you're working with something locally or if it's hosted on a private repository then you can do whatever the gently caress you want.

GenJoe fucked around with this message at 08:53 on Aug 30, 2017
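The two things GenJoe raises in this post, non-registry (git URL, tarball, file) dependencies and floating semver ranges that pull new patch releases automatically, can both be audited from package.json before anything is installed. This is an added example, not code from the thread or from npm: the package.json is constructed and the classification rules are my own heuristics, not npm's resolver.

```python
"""Added example: audit a package.json for dependency specifiers that (a) do
not resolve through the npm registry at all (git URLs, github: shorthand, http
tarballs, file: paths) and (b) are floating ranges that will pick up a new
patch or minor release automatically. Constructed input; heuristic rules."""
import json
import re

# Constructed package.json, not a real project.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {
    "ws": "3.0.0",
    "lodash": "^4.17.4",
    "express": "~4.15.0",
    "left-pad": "*",
    "some-package": "github:github_username/some-package#branch",
    "other-lib": "git+https://example.invalid/org/other-lib.git#v1.2.3",
    "tarball-dep": "https://example.invalid/dl/tarball-dep-1.0.0.tgz",
    "local-dep": "file:../local-dep"
  },
  "devDependencies": {
    "mocha": ">=3.0.0"
  }
}"""

# An exact semver (optional prerelease/build suffix): never auto-upgrades.
EXACT_VERSION = re.compile(r"^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
# Hosted-git shorthand prefixes that npm understands.
GIT_SHORTHAND = re.compile(r"^(?:github|gitlab|bitbucket|gist):", re.IGNORECASE)


def classify_spec(spec):
    """Map one dependency specifier to a coarse risk class (heuristic)."""
    s = spec.strip()
    if s.startswith(("file:", "link:")):
        return "local-path"
    if s.startswith(("git://", "git+", "git@")) or GIT_SHORTHAND.match(s):
        return "git"
    if s.startswith(("http://", "https://")):
        return "url-tarball"
    if "/" in s:  # bare "user/repo" is GitHub shorthand too
        return "git"
    if EXACT_VERSION.match(s):
        return "registry-pinned"
    return "registry-floating"  # ^, ~, *, >=, x-ranges, dist-tags, ...


def audit(package_json_text):
    """Return [(section, name, spec, class)] for every declared dependency."""
    pkg = json.loads(package_json_text)
    rows = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            rows.append((section, name, spec, classify_spec(spec)))
    return rows


def non_registry(rows):
    """Names fetched from somewhere the registry cannot vouch for."""
    return sorted(n for _, n, _, k in rows if k in ("git", "url-tarball", "local-path"))


def floating(rows):
    """Names a fresh `npm install` may resolve to a newer release than the
    author tested with (the patch-level hijack scenario)."""
    return sorted(n for _, n, _, k in rows if k == "registry-floating")


def summary(rows):
    """Count of dependencies per class."""
    counts = {}
    for _, _, _, kind in rows:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(SAMPLE_PACKAGE_JSON)
    for section, name, spec, kind in found:
        print(f"{kind:18} {section:16} {name} = {spec}")
    print("non-registry:", non_registry(found))
    print("floating:", floating(found))
```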
