
Re: can pip be made using local Debian packages for any dependencies



Hi Philippe (2023.02.17_02:17:49_+0000)
> Well in my case the main motivation was security (i.e. only using
> code that has security support by Debian).

There is probably some value there. You're safer from a variety of
attacks that *could* theoretically happen on PyPI.

But, let me deflate Debian's reputation a bit here.
Debian security support doesn't mean you're completely protected.  There
is probably a human behind a Debian upload that has vetted the upload
and thinks it is safe. They thought this thing was useful to package for
Debian (so probably not malware), and did some review to see that it
installed itself correctly. They may have reviewed the upstream code,
they may not have. They may review new upstream version diffs, they may
not. (Generally, small things are easy to review, big complex things are
impossible to.)

For the security support, it's largely reliant on security issues being
reported as CVEs, which security researchers usually do, but upstreams
often fail to do. And then it needs a volunteer to find/figure out the
fix and apply it to the version in Debian.

So, again, there is definitely value here. If you're just using software
from Debian stable releases, you know that some people have reviewed
some of it. And you can be reasonably confident that you're using the
same stack as some other people.

But, on balance, for many problems the gains here aren't worth the pain
of restricting yourself to Python modules published in Debian stable
releases.

> But shouldn't that use case also be interesting for Debian
> Maintainers? Whenever their pip would need to download something from
> PyPI, it would mean that some dependency is likely not fulfilled in
> Debian (unless of course that Debian package is simply not installed).

Generally speaking, when I'm working on code, I install libraries in
virtualenvs. This is what the upstream tooling expects, and so it makes
everything more convenient. All the work may be done in a container, but
I'm not restricting myself to Debian packages.

If I am using Debian packages for something, I'll install them with apt.
I don't need pip involved. This is where I don't find the pip plugin
idea that useful.

Some people try to write software specifically to run on Debian stable,
without any third party packages. For simple projects, this can work
well. But, there are downsides. You often find you have to couple code
changes to Debian's release cycle, which can get problematic. And nobody
will understand what you're trying to do :)

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272
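Added example for this thread (not Stefano's, Philippe's or Debian's code): a small script that inventories the Python distributions visible to an interpreter and sorts them by where they came from, so you can see which of them are Debian packages (and so covered by Debian security support, with the caveats above) and which were pulled from PyPI. It relies on Debian's layout, which is an assumption about the host: apt-installed modules live under /usr/lib/python3/dist-packages, "sudo pip install" outside a venv lands in /usr/local/lib/python3.X/dist-packages, and virtualenvs use a site-packages directory. The sample inventory is constructed so the script runs anywhere.

```python
"""Inventory installed Python distributions by provenance: Debian package
(apt, security-supported by Debian) versus pip-installed (PyPI).

Path-based heuristic, assuming Debian's filesystem layout.
"""
from importlib import metadata
from pathlib import PurePosixPath

# Debian's location for Python modules shipped in .deb packages.
DEBIAN_DIST_PACKAGES = "/usr/lib/python3/dist-packages"


def classify_location(location: str) -> str:
    """Map an installation directory to a provenance category."""
    path = PurePosixPath(location)
    text = str(path)
    if text.startswith(DEBIAN_DIST_PACKAGES):
        return "debian"            # installed with apt
    if text.startswith("/usr/local/lib/python") and "dist-packages" in path.parts:
        return "pip-system"        # 'sudo pip install' outside a venv
    if "site-packages" in path.parts:
        return "pip-venv"          # virtualenv or user site
    return "unknown"


def summarize(entries):
    """Group (name, version, location) tuples by provenance category.

    Returns a dict: category -> sorted list of 'name==version' strings.
    """
    groups = {}
    for name, version, location in entries:
        groups.setdefault(classify_location(location), []).append(
            f"{name}=={version}"
        )
    return {cat: sorted(names) for cat, names in groups.items()}


def installed_distributions():
    """Yield (name, version, location) for every distribution on sys.path
    of the interpreter running this script."""
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        # locate_file("") resolves to the directory holding the .dist-info
        location = str(dist.locate_file(""))
        yield name, dist.version, location


# Constructed sample inventory (not taken from a real host). Replace it with
# installed_distributions() to inspect the live interpreter.
SAMPLE_INVENTORY = [
    ("requests", "2.28.1", "/usr/lib/python3/dist-packages"),
    ("urllib3", "1.26.12", "/usr/lib/python3/dist-packages"),
    ("cryptography", "39.0.1", "/usr/local/lib/python3.11/dist-packages"),
    ("httpx", "0.23.3", "/home/dev/project/.venv/lib/python3.11/site-packages"),
]

if __name__ == "__main__":
    for category, names in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{category}:")
        for entry in names:
            print(f"  {entry}")
```

Anything in the "pip-system" or "pip-venv" buckets is code Debian is not tracking CVEs for, so it is the part of the stack you have to watch yourself. The directory check is only a heuristic; on a Debian host, "dpkg -S <path>" on a module's directory is the definitive way to confirm that a package owns it.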