> On Apr 7, 2016, at 8:20 AM, Erik Cederstrand <erik+li...@cederstrand.dk> wrote:
>
>> On 6 Apr 2016 at 13:42, Marc Tamlyn <marc.tam...@gmail.com> wrote:
>>
>> Does anyone (potentially from OS packaging worlds maybe) have a good reason NOT to have a dependency?
>
> Here is a list off the top of my head. This is not necessarily an argument against dependencies, just some things to consider.
>
> 1: Availability. If Django depends on version x.y.z and x.y.z is removed from PyPI, or the whole package is deleted, then Django is no longer installable (google "NPM kik" for a recent example).
>
> 2: Customization. We need to tweak functionality in some non-upstreamable way, cherry-pick new functionality, or fix security issues before they are published on PyPI.
>
> 3: Version conflicts, as mentioned by Sylvain.
>
> 4: Security/stability. We depend on version x.y and a witty developer uploads dependency x.y.z+1 with an Easter egg, or the PyPI developer account is hacked and x.y is replaced.
>
> These issues are amplified in a world where many people have automated production deployments running 'pip install -U -r requirements.txt'. Issues could spread very fast.
>
> This may not be much different than what people are already exposed to with their own project dependencies, but vendoring (directly or by dependency) is endorsement by the Project, so any issues in the dependencies will fall back on the Project.
For 1, 3, and 4, Django is already exposed to these problems for the vast majority of use cases, since if you want to use any database other than SQLite then you have to install something, or if you want to use an ImageField, or bcrypt, etc. Having ``pip install Django`` work but not ``pip install Django psycopg2`` when you're running a site that uses PostgreSQL doesn't get you anything extra there.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
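The failure mode in Erik's point 4 (an automated `pip install -U -r requirements.txt` silently picking up a replaced or newly uploaded release) is something a deployment pipeline can check for before it runs. The following is an added example, not code from this thread or from Django: a small audit that flags every requirement that is not pinned to an exact version with a `--hash`, which is what pip needs to refuse an artifact that differs from the one originally reviewed. The requirements file and the hash value in it are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample requirements file (not from the thread). Only the
# psycopg2 line is exact-pinned and hash-locked; the rest would resolve to
# whatever the index serves on the day the deployment runs.
SAMPLE_REQUIREMENTS = """\
# constructed example
Django>=1.9            # floating range: picks up x.y.z+1 automatically
psycopg2==2.6.1 --hash=sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
bcrypt                 # unpinned: any version at all
Pillow==3.2.*          # wildcard: not an exact pin
six===1.10.0           # exact pin, but no hash, so a re-upload still passes
"""

# ==1.2.3 or ===1.2.3 with no wildcard and no comma-separated ranges.
PIN_EXACT = re.compile(r"^===?\s*[A-Za-z0-9.!+\-]+$")
# name, optional [extras], then the version specifier up to any marker/comment.
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(?P<spec>[^;#]*)")


@dataclass
class Finding:
    name: str
    spec: str
    pinned: bool   # exact version, so '-U' cannot float to a newer upload
    hashed: bool   # at least one --hash, so a replaced artifact is rejected

    @property
    def ok(self) -> bool:
        return self.pinned and self.hashed


def audit_requirements(text: str) -> list:
    """Return one Finding per requirement line in a requirements.txt body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("-"):
            continue                                  # blank or an option line (-r, -e, ...)
        spec_part, *hashes = line.split("--hash=")    # hashes follow the specifier
        m = REQ_LINE.match(spec_part.strip())
        if not m:
            continue                                  # not a name-based requirement (URL, path)
        spec = m.group("spec").strip()
        findings.append(Finding(m.group("name"), spec, bool(PIN_EXACT.match(spec)), bool(hashes)))
    return findings


def unsafe_names(text: str) -> list:
    """Names of requirements that are not both exact-pinned and hash-locked."""
    return [f.name for f in audit_requirements(text) if not f.ok]


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.name:10} spec={f.spec!r:12} pinned={f.pinned} hashed={f.hashed} ok={f.ok}")
```

Running the audit as a pre-deploy gate and failing when `unsafe_names` is non-empty keeps the "issues could spread very fast" scenario from reaching production unreviewed.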