On Sun, Oct 15, 2017 at 7:57 AM, Marko Rauhamaa <ma...@pacujo.net> wrote:
> Chris Angelico <ros...@gmail.com>:
>
>> On Sun, Oct 15, 2017 at 5:20 AM, Marko Rauhamaa <ma...@pacujo.net> wrote:
>>> Even better:
>>>
>>>    sudo dnf install python3-pytz
>>
>> How is that better? It's the same thing, packaged differently, and
>> thus only available on Red Hat-family systems, and depends on the
>> update cycle of your OS.
>
> Use the native updater of your distro.
>
> Several nice things follow from the OS packaging:
>
>  * You don't have to have *two* separate security update/bug fix
>    streams. Once you've added pytz to your OS package collection, you'll
>    get updates with the routine OS updates.
>
>  * You have the benefit of a major outside entity vetting your packages.
>    PyPI doesn't have any such oversight:
>    <URL: https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/>.
>
>    (Of course, one shouldn't overestimate the security of
>    volunteer-maintained distros, either, but PyPI allows anybody to
>    submit any junk they want.)
>
>  * If you want to release your software to others, your third-party
>    dependency statement becomes more concise and possibly more
>    acceptable to your customer. Also, you don't have to ship the
>    third-party package yourself.
>
>    Your customer likely knows how to update native distro packages, but
>    may not be familiar with Python and its ecosystem. Depending only on
>    the distro relieves you from educating your customer about PyPI.

* You get into the habit of posting distro-specific (not just
OS-specific) commands to global mailing lists.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
