Post ARbztlcy3GNtTeLPk0 by tim@mastodon.tds.xyz
       Post #ARbxYtFgJEoJ8OMzQm by lanodan@queer.hacktivis.me
       2023-01-13T20:20:29.154120Z
       
       0 likes, 0 repeats
       
       @tim "CI" as a term is kind of a lie though, things like distros are the ones able to test new versions of libraries when they come out.
       
       Post #ARbztlcy3GNtTeLPk0 by tim@mastodon.tds.xyz
       2023-01-13T20:38:05Z
       
       0 likes, 0 repeats
       
       @lanodan I'm complaining from the perspective of trying to maintain an Enterprise Monorepo™️ so I'm essentially my own distro. Your comment reminded me that there are other use cases -- ceiling pins are probably a reasonable compromise for someone who's just trying to install the damn thing in an isolated virtualenv. I wonder if some kind of "soft ceiling" (i.e. prefer version 1, but try to run on version 2 if it's present) would be a useful concept.
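
An added illustration of the "soft ceiling" idea from the post above (example code written for this page, not from either poster): prefer the newest version inside the tested range, and if only newer versions are present, run on the newest of those but flag it as untested instead of refusing outright. The package name, version numbers and the plain dotted version parser are constructed assumptions, not PEP 440.

```python
"""Toy 'soft ceiling' selector.

A hard ceiling pin ("<3.0.0") refuses anything newer, which also blocks
security fixes once the lockfile has gone stale. A soft ceiling keeps the
tested range as the *preference* but still accepts a newer version, so an
updated dependency can be picked up while the mismatch is made visible.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    # Constructed simplification: plain numeric dotted versions only.
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class SoftCeiling:
    name: str
    floor: str    # lowest version known to work (inclusive)
    ceiling: str  # first version not yet tested (exclusive preferred bound)

    def in_tested_range(self, v: str) -> bool:
        pv = parse_version(v)
        return parse_version(self.floor) <= pv < parse_version(self.ceiling)


def choose(spec: SoftCeiling, available: Iterable[str]) -> Tuple[Optional[str], str]:
    """Pick a version from `available` (e.g. what is already installed).

    Returns (version, status) where status is one of:
      "tested"          - newest version inside the tested range
      "untested-newer"  - nothing in range, fell back to the newest version
                          above the ceiling (run, but surface a warning)
      "unsatisfied"     - only versions below the floor exist; hard failure
    """
    ordered = sorted(available, key=parse_version, reverse=True)  # newest first
    tested = [v for v in ordered if spec.in_tested_range(v)]
    if tested:
        return tested[0], "tested"
    newer = [v for v in ordered if parse_version(v) >= parse_version(spec.ceiling)]
    if newer:
        return newer[0], "untested-newer"
    return None, "unsatisfied"


if __name__ == "__main__":
    # Constructed sample: tested on 2.28.x-2.x, never on 3.x.
    spec = SoftCeiling("examplelib", "2.28.0", "3.0.0")
    for installed in (["2.28.2", "2.31.0", "3.1.0"], ["3.0.1", "3.1.0"], ["1.9.0"]):
        print(installed, "->", choose(spec, installed))
```

The "untested-newer" status is the point where a real tool would log loudly or emit a warning; the hard-ceiling behaviour is equivalent to treating that status as a failure.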
       
       Post #ARbztmB00jbfBCGamm by lanodan@queer.hacktivis.me
       2023-01-13T20:46:46.026535Z
       
       0 likes, 0 repeats
       
       @tim I guess for virtualenv you're mostly referring to "This dependency version has been tested and has been confirmed as working" right? Isn't that what lockfiles (rare in python world for some reason) are pretty much for?
       
       Post #ARc2t77mwLmziq8mdE by tim@mastodon.tds.xyz
       2023-01-13T21:01:34Z
       
       0 likes, 0 repeats
       
       @lanodan Yes and yes. A tool like pipx should probably prefer a lockfile to wheel metadata but doesn't seem to look for them today. I think there's a colorable argument that if you're shipping a lockfile somewhere you expect it to grow stale, you might actually want something like semver-ceilings in order to permit security updates to dependencies, but maybe that makes nobody happy!
       
       Post #ARc2t7f6wSRbOBjOZU by lanodan@queer.hacktivis.me
       2023-01-13T21:20:07.615775Z
       
       1 like, 0 repeats
       
       @tim Yeah, that's the big issue with lockfiles (or dependency vendoring, even without going the monorepo route), you need to keep up with updates, and current solutions like dependabot just don't work (as can be seen by rather obvious npm malware still being deployed). It's why to me it would make more sense to have proper distros (as in curated repository maintained collectively at scale) and ease of making things similar to lockfiles for reproducibility of the environment for binary releases, CI, bug reports, … I've yet to use those but I feel like guix/nix is more in the right direction.