|
Finster Dexter posted:Is it overreacting to put my foot down and make a rule about not allowing any more loving python code into our platform going forward?
|
#
?
Jul 30, 2021 16:29
|
|
|
|
| # ? Jun 8, 2024 00:28 |
|
|
maven nuget gems and npm have also had those. bottom line is that you cant trust it just cuz its a package, not that python idiosyncratically sucks
|
|
#
?
Jul 30, 2021 16:32
|
|
|
how about a rule against depending on packages with stupid names perhaps you're underreacting. the problem is not knowing all the code you're ultimately responsible for. and/or not pinning versions. ban all dependencies and you solve both problems
|
|
#
?
Jul 30, 2021 16:32
|
|
|
what kind of platform do you have where you can just say "im putting my foot down. no more python" and it doesnt immediately destroy the business
|
|
#
?
Jul 30, 2021 16:34
|
|
|
what kind of platform do you have where it does lol
|
|
#
?
Jul 30, 2021 16:43
|
|
|
I only use packages with hundreds of thousands of downloads to mitigate against my personal creds being stolen also because then I can say "b b b but everyone else was doing it"
|
|
#
?
Jul 30, 2021 16:46
|
|
|
lmao if you even process credit cards anywhere on your platform e: we do have some login poo poo but i think thats 0auth or whatever, its not my dept
|
|
#
?
Jul 30, 2021 16:46
|
|
|
Why the hell would you not freeze your dependencies and store them in the project? EVERY TIME this happens it's the same dumbass fuckup from the engineers blindly pulling their dependencies from the package manager instead of saving the package to source.
|
|
#
?
Jul 30, 2021 16:51
|
|
|
why store them in the project when you can just transparently use artifactory as your package source + use lockfiles
|
|
#
?
Jul 30, 2021 16:52
|
|
|
Bloody posted:what kind of platform do you have where it does lol a python one just read the article and yea if your platform leaked credit cards because you put the package "noblesse 0.0.6 This Module Optimises your PC For Python" into production and it found credit cards in chrome's local AppData folder, you deserved it
|
|
#
?
Jul 30, 2021 16:53
|
|
|
pokeyman posted:how about a rule against depending on packages with stupid names that's pretty much the same as forbidding dependencies
|
|
#
?
Jul 30, 2021 16:54
|
|
|
12 rats tied together posted:a python one Yeah but it's not just adding that package, it's all the downstream dependencies of dependencies etc. And even if my entire platform were python, we would just do all new dev in "something else". I hear rust is good (tee hee) Our platform is microservice nonsense, so it's easy to not use python for any more services. We've had discussions around it. But yeah, I'm not hyped about npm or nuget, either. I'm slowly turning into a package hypochondriac. These packages are full of disgusting gerrrrms I must be clean
|
|
#
?
Jul 30, 2021 17:23
|
|
|
rust will not solve this problem
|
|
#
?
Jul 30, 2021 17:23
|
|
|
bob dobbs is dead posted:rust will not solve this problem yeah that was the joke I'm terrible at jokes though, much like my programming
|
|
#
?
Jul 30, 2021 17:25
|
|
|
packages are not magic they are just other peoples code
|
|
#
?
Jul 30, 2021 17:30
|
|
|
Bloody posted:packages are not magic they are just other peoples code So black magic. Got it.
|
|
#
?
Jul 30, 2021 17:37
|
|
|
We just use Debian distro packages. If the dependency you want to introduce hasn't managed to get into Debian, you probably shouldn't be using it.
|
|
#
?
Jul 30, 2021 17:39
|
|
|
i also love using the same versions of packages my grandfather used back in his day
|
|
#
?
Jul 30, 2021 17:42
|
|
|
I use packages provided by Buildroot. You can even commit said packages and their dependencies in the download folder. You can even use buildroot to make containers if you want. And you get the added benefit of being able to support a bunch of different platforms.
|
|
#
?
Jul 30, 2021 17:45
|
|
|
every time I start this project in debug I have to wait while it tries to pull symbols from some ancient file share some dev hosted his garbo DLLs on and I am too lazy to work out what's doing it to stop it python works the same way I guess
|
|
#
?
Jul 30, 2021 17:45
|
|
|
me pushing artefacts to the repository: wow this code is garbage but it works so push it who cares me downloading artefacts written by someone else from the repository: well this loving sucks what the gently caress
|
|
#
?
Jul 30, 2021 17:47
|
|
|
animist posted:that's pretty much the same as forbidding dependencies well that would be a crying shame also yeah vendor your poo poo and pin your exact versions. "semantic" "versioning" only exists in elm
|
|
#
?
Jul 30, 2021 17:49
|
|
|
i had to run npm install 20+ times today (i lost count after i started just chaining the command w semicolons and checking back every 10-15 minutes to run it 4 more times) cause it kept failing on file permission errors that didnt make sense literally every time i ran it again, itd get a bit further* but fail on a different item, which then worked on the next run all package managers are bad, but npm takes the cake in my experience * theres no real indication either, so i just checked node_modules and could tell like oh, it got to stuff that starts with g before, and now we're at j Carthag Tuek fucked around with this message at 18:07 on Jul 30, 2021 |
|
#
?
Jul 30, 2021 18:04
|
|
|
also, loving one function packages "is-absolute-url"??? absolutely mental
|
|
#
?
Jul 30, 2021 18:05
|
|
|
bob dobbs is dead posted:maven nuget gems and npm have also had those. bottom line is that you cant trust it just cuz its a package, not that python idiosyncratically sucks
|
|
#
?
Jul 30, 2021 18:06
|
|
|
Carthag Tuek posted:all package managers are bad, but npm takes the cake in my experience loads of undocumented, surprising behaviour, loads of bugs, loads of weird incompatibilities and couplings, and loads of ways to do exactly the same thing, but none of them complete, each missing just that bit of functionality you need that all the other ways have but you can't use because of the first three reasons
|
|
#
?
Jul 30, 2021 18:44
|
|
|
oops
|
|
#
?
Jul 30, 2021 18:49
|
|
|
Jeoh posted:i also love using the same versions of packages my grandfather used back in his day That's definitely a feature, yes. If it doesn't have a maintainer or if it's too new I don't want it as a dependency, and the last thing I want to do is janitor dependencies. You just wait, this way of doing it is going to become the next big trend again.
|
|
#
?
Jul 30, 2021 18:53
|
|
|
Jeoh posted:i also love using the same versions of packages my grandfather used back in his day gently caress this old library! I need a new bespoke library that implements the same features as the old library but without documentation and the backing of the rest of the community!
|
|
#
?
Jul 30, 2021 19:03
|
|
|
toiletbrush posted:anyone who's had to janitor a private nuget repo might disagree what does private repo mean in nuget context, cause i read all that as the known issue of your own orgs code being garbage which is a constant factor regardless of package management
|
|
#
?
Jul 30, 2021 19:07
|
|
|
you should be able to use new poo poo but if your entire commitment to the process is "apt-get update -> hope its in there" i agree you should get the old poo poo by default. epel being optional is good, for instance
|
|
#
?
Jul 30, 2021 19:11
|
|
|
Carthag Tuek posted:what does private repo mean in nuget context, cause i read all that as the known issue of your own orgs code being garbage which is a constant factor regardless of package management i assume they mean the software that hosts code artifacts that are available over nuget, for example, i have in the past clicked "new nuget bullshit" buttons in sonatype nexus repo manager. it was bad, but im not a career windows janitor, so i can't tell if it's bad in the normal ways that windows poo poo is bad or if it's extra bad in some special ways
|
|
#
?
Jul 30, 2021 19:16
|
|
|
12 rats tied together posted:i assume they mean the software that hosts code artifacts that are available over nuget, for example, i have in the past clicked "new nuget bullshit" buttons in sonatype nexus repo manager. but if its a private repo, its not upstreams problem when its hosed up
|
|
#
?
Jul 30, 2021 19:53
|
|
|
12 rats tied together posted:i assume they mean the software that hosts code artifacts that are available over nuget, for example, i have in the past clicked "new nuget bullshit" buttons in sonatype nexus repo manager. yeah it's this. We host a Nexus instance and you can create NuGet format repos in it, just add a nuspec files to your solution, pack it and upload and (once you add the internal repo as a source) you can then reuse internal libs without having you solution fail because it can't find \\butts\fart\libs\boners.final.dll it's actually really easy to do once you've got it up an running. you just use the Nexus POM params to id the package and you can create dependencies between packages in the nuspec xml
|
|
#
?
Jul 30, 2021 20:01
|
|
|
Every project should be able to build all the dependencies from source. Stuffing binary files in a project is just asking for headaches and trouble.
|
|
#
?
Jul 30, 2021 20:03
|
|
|
idk that still doesnt sound like a package manager issue, like you either need to moderate your private repo so its not just a dumb cache/mirror of public repos (why even have it private then?) or you need to make your devs not put garbage homebrew in there
|
|
#
?
Jul 30, 2021 20:06
|
|
|
in this case it would specifically be the mechanism by which the packages are made available, the integration with your solution file and IDE, etc., that is bad. the code that is hosted can be bad too but that is distinct from this the only fair comparison here would be to another language's package manager like pipenv, which i think is better, but i hate visual studio and everything to do with it so ymmv e: actually there's probably tons of windows bullshit that you could compare to that would be worse. back in the day i used to manually install poo poo into the gac in production. nuget is probably better than that 12 rats tied together fucked around with this message at 20:34 on Jul 30, 2021 |
|
#
?
Jul 30, 2021 20:27
|
|
|
DoomTrainPhD posted:Every project should be able to build all the dependencies from source. Stuffing binary files in a project is just asking for headaches and trouble. but yes it’s headaches all the way down
|
|
#
?
Jul 30, 2021 20:45
|
|
|
12 rats tied together posted:in this case it would specifically be the mechanism by which the packages are made available, the integration with your solution file and IDE, etc., that is bad. the code that is hosted can be bad too but that is distinct from this im not defending nuget or whatever im saying if you run a private repo, its your responsibility when the code is bad upstream code is obviously bad, and inhouse code is obviously bad, but as the maintainer of the private repo you assume the responsibility and from then on you cant blame it on a package manager script that selects from whatever you provide
|
|
#
?
Jul 30, 2021 20:54
|
|
|
|
| # ? Jun 8, 2024 00:28 |
|
|
if ur using azure dev ops you can setup a repo that will auto cache dependencies from central/nuget so you can still import a billion dependencies but at least they'll be statically available.
|
|
#
?
Jul 30, 2021 21:08
|
|