
Let's talk about packages

Recently the Python community got to celebrate the triumphant launch of the new Python Package Index. It’s been a long time coming, and the folks who made it happen all deserve a round of applause. PyPI is an incredibly important piece of infrastructure for the Python community: if you use Python you probably use PyPI, directly or indirectly, on a daily basis, and many different sites, services, and companies rely heavily on it. But if you rely on PyPI, how often do you think about that reliance? What would you do if an incompatible version of one of your dependencies, or one of your dependencies’ dependencies, suddenly appeared? What if one of them disappeared? Would your applications or your deployments break? What would you do if PyPI had extended downtime? Would you still be able to deploy your applications? What if PyPI got hacked? If someone replaced one or more packages with malicious versions, would you be safe, or would you install the malicious packages and end up running them on your servers? The people who run PyPI are smart and conscientious and do what they can to keep it running 24/7 and not hacked, but these are still serious questions you should be thinking about. The people who run PyPI certainly are thinking about some of the scarier cases, and working on ways to make them less scary, but there are also things you can do. So let’s talk a bit about that.
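The questions above about substituted or malicious packages come down to one thing: whether a deployment will install whatever bytes the index hands it. As an added example (not code from the post), the script below mirrors the rules of pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`): every dependency must be pinned to an exact version, carry at least one strong digest (sha256/sha384/sha512, the algorithms pip accepts in that mode), and an artifact whose bytes do not produce a pinned digest is refused. The package names, versions, lock-file fragment and "downloaded" artifact bytes are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed lock-file fragment in pip's requirements + --hash syntax.
# Package names, versions and digests are hypothetical; the sha256 below is
# the digest of the constructed artifact b"abc" used further down.
LOCK_FILE = """\
# exact pins plus a digest for every allowed artifact
example-lib==1.2.3 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
other-lib==0.9.0 \\
    --hash=md5:900150983cd24fb0d6963f7d28e17f72
"""

# The digest algorithms pip's hash-checking mode accepts; md5/sha1 are refused.
STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}


@dataclass
class Pin:
    version: str
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


def canonical_name(name: str) -> str:
    """Normalise a project name the way the index does (case and _/- folding)."""
    return name.lower().replace("_", "-")


def parse_lock_file(text: str) -> dict[str, Pin]:
    """Parse 'name==version --hash=alg:hex ...' lines, honouring '\\' continuations."""
    pins: dict[str, Pin] = {}
    logical_lines: list[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical_lines.append(buf.strip())
        buf = ""
    for line in logical_lines:
        tokens = line.split()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\S+)", tokens[0])
        if not m:
            raise ValueError(f"not an exact pin: {tokens[0]!r}")
        pin = Pin(version=m.group(2))
        for tok in tokens[1:]:
            hm = re.fullmatch(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)", tok)
            if not hm:
                raise ValueError(f"unexpected token {tok!r}")
            pin.hashes.setdefault(hm.group(1), set()).add(hm.group(2).lower())
        pins[canonical_name(m.group(1))] = pin
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> tuple[bool, str]:
    """Decide whether a fetched artifact may be installed under the lock file."""
    pin = pins.get(canonical_name(name))
    if pin is None:
        return False, f"{name}: not in lock file (unpinned dependency refused)"
    if pin.version != version:
        return False, f"{name}: version {version} differs from pinned {pin.version}"
    strong = {alg: d for alg, d in pin.hashes.items() if alg in STRONG_ALGORITHMS}
    if not strong:
        return False, f"{name}: no strong digest pinned (found {sorted(pin.hashes)})"
    for alg, digests in strong.items():
        if hashlib.new(alg, data).hexdigest() in digests:
            return True, f"{name}=={version}: {alg} digest matches lock file"
    return False, f"{name}=={version}: digest mismatch, refusing to install"


def run_demo() -> list[tuple[bool, str]]:
    """Run the verifier over constructed artifacts; only the first one is accepted."""
    pins = parse_lock_file(LOCK_FILE)
    good, tampered = b"abc", b"abd"  # constructed 'downloaded wheel' contents
    return [
        verify_artifact("example-lib", "1.2.3", good, pins),
        verify_artifact("example-lib", "1.2.3", tampered, pins),   # bytes swapped
        verify_artifact("Example_Lib", "1.2.4", good, pins),       # unexpected new version
        verify_artifact("unknown-lib", "1.0", good, pins),         # not pinned at all
        verify_artifact("other-lib", "0.9.0", good, pins),         # only an md5 pin
    ]


if __name__ == "__main__":
    for ok, reason in run_demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

The point of the exercise is the failure modes: a new version that silently appears, a dependency nobody pinned, and an artifact whose contents changed all get rejected before anything is installed, which is exactly the protection the questions in the post are asking about. Keeping the lock file under version control also gives you a record to diff when something on the index does change.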
