> On 6 Apr 2016 at 13:42, Marc Tamlyn <marc.tam...@gmail.com> wrote:
>
> Does anyone (potentially from OS packaging worlds maybe) have a good reason
> NOT to have a dependency?
Here is a list off the top of my head. This is not necessarily an argument against dependencies, just some things to consider.

1: Availability. If Django depends on version x.y.z and x.y.z is removed from PyPI, or the whole package is deleted, then Django is no longer installable (google "NPM kik" for a recent example).

2: Customization. We need to tweak functionality in some non-upstreamable way, cherry-pick new functionality, or fix security issues before they are published on PyPI.

3: Version conflicts, as mentioned by Sylvain.

4: Security/stability. We depend on version x.y and a witty developer uploads dependency x.y.z+1 with an Easter egg, or the PyPI developer account is hacked and x.y is replaced. These issues are amplified in a world where many people have automated production deployments running 'pip install -U -r requirements.txt'. Issues could spread very fast.

This may not be much different than what people are already exposed to with their own project dependencies, but vendoring (directly or by dependency) is endorsement by the Project, so any issues in the dependencies will fall back on the Project.

Erik

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/19C24081-78F8-4790-9302-84BFB4AC0A46%40cederstrand.dk.
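As an added example (not part of Erik's message or of Django itself), a small audit of a pip requirements file for the two properties that make point 4's 'pip install -U -r requirements.txt' scenario possible: a loose version specifier and a missing `--hash`. The sample requirements text is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample requirements file (not from the thread): one entry is
# exact-pinned and hashed, the others show the loose forms the audit flags.
SAMPLE_REQUIREMENTS = """\
# constructed sample
Django==1.9.5 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.9,<3
pytz
six==1.10.0
-r other-requirements.txt
"""

# name, optional [extras], optional operator, optional version (stops at ';' markers)
_REQ = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(===|==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)"
)


@dataclass
class Finding:
    line: str
    problem: str


def audit_requirements(text: str) -> List[Finding]:
    """Return one Finding per way a requirement line can drift at install time."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option line such as -r / --index-url
        spec, *opts = line.split()
        m = _REQ.match(spec)
        if m is None:
            findings.append(Finding(raw, "unparseable requirement"))
            continue
        name, _extras, op, _version = m.groups()
        if op not in ("==", "==="):
            findings.append(Finding(raw, f"{name}: not pinned to one version (operator "
                                         f"{op or 'none'}), so 'pip install -U' may pull a newer upload"))
        if not any(o.startswith("--hash=") for o in opts):
            findings.append(Finding(raw, f"{name}: no --hash, so a re-uploaded or substituted "
                                         f"file of the same version would be accepted"))
    return findings


def is_fully_pinned(text: str) -> bool:
    """True when every requirement is exact-pinned and hash-pinned."""
    return not audit_requirements(text)
```

pip itself enforces the second property at install time: once any requirement carries `--hash`, hash-checking mode is enabled and every requirement must have a matching hash (the same mode `--require-hashes` turns on explicitly).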