mgorny-nyan (he) :autism:🙀🚂🐧 on Nostr: I've told myself that I'm going to point out generic issues rather than point fingers ...
I've told myself that I'm going to point out generic issues rather than point fingers at specific projects, but I guess that makes more sense for mistakes rather than deliberate harmful behavior, so…
The drama continues. The #multipart and python-multipart #PyPI packages both claim the #Python import name of "multipart". Both have arguments for their claims, both refuse to step down, and unsurprisingly, both reach the same compromise: vendoring. Except that one says they're eventually going to vendor it in their popular package (at some future time), while the other tells everyone to vendor the other package in the meantime.
The damage is quite deep here. First, people start using one of the packages. Then they learn that they've just introduced a potential dependency conflict. And the only thing that they can do now is start vendoring an arbitrary version of the package. And one day, someone will have to clean this mess up.
And of course, people are now looking for technical solutions to this disturbing social problem. In fact, I'll probably end up going for the rename-and-patch approach in #Gentoo to start unvendoring immediately. What a mess.
The bottom line is: if you're using #starlette, you may want to reconsider.
https://github.com/pypa/packaging-problems/issues/818
Published at
2024-10-08 06:24:14
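Added example, not part of the original post and not code from either project: one way to check an environment for the conflict described above, where two distributions both own the same top-level import name. The sample file lists, the `0.0.0` versions and the `ns-part-*` names are constructed for illustration and are not taken from the real packages.

```python
"""Report import names claimed by more than one installed distribution."""
from collections import defaultdict
from importlib import metadata
from pathlib import PurePosixPath

MODULE_SUFFIXES = (".py", ".so", ".pyd")


def claimed_import_names(files):
    """Top-level import names a distribution owns, from its installed paths.

    Only `name.py` / extension modules and `name/__init__.py` count, so
    namespace-package portions (no top-level __init__.py) are not flagged.
    """
    names = set()
    for f in files:
        parts = PurePosixPath(str(f)).parts
        if len(parts) == 1 and parts[0].endswith(MODULE_SUFFIXES):
            names.add(parts[0].split(".", 1)[0])
        elif len(parts) == 2 and parts[1] == "__init__.py":
            names.add(parts[0])
    return names


def find_collisions(dist_files):
    """Map import name -> sorted distributions, for names with >1 owner."""
    owners = defaultdict(set)
    for dist, files in dist_files.items():
        for name in claimed_import_names(files):
            owners[name].add(dist)
    return {n: sorted(d) for n, d in owners.items() if len(d) > 1}


def installed_dist_files():
    """File lists (from RECORD) of every distribution in this environment."""
    return {d.metadata["Name"]: (d.files or []) for d in metadata.distributions()}


# Constructed sample: layouts and versions are assumptions for the demo.
SAMPLE = {
    "multipart": ["multipart.py", "multipart-0.0.0.dist-info/RECORD"],
    "python-multipart": ["multipart/__init__.py", "multipart/decoders.py",
                         "python_multipart-0.0.0.dist-info/RECORD"],
    "ns-part-a": ["ns/a/__init__.py"],  # namespace portions: shared on purpose
    "ns-part-b": ["ns/b/__init__.py"],
}

if __name__ == "__main__":
    print("sample:", find_collisions(SAMPLE))
    print("this environment:", find_collisions(installed_dist_files()))
```

Run in CI after dependency resolution, a non-empty result for the real environment means one distribution's files can shadow or overwrite another's under the same import name.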