eggs considered harmful

Robert Kern robert.kern at gmail.com
Thu Jun 21 19:36:55 EDT 2007 

Harry George wrote:
> ...at least around here.
> 
> I run a corporate Open Source Software Toolkit, which makes hundreds
> of libraries and apps available to thousands of technical employees.
> The rules are that a) a very few authorized downloaders obtain
> tarballs and put them in a depot and b) other users get tarballs from
> the depot and build from source.
> 
> Historically, python packages played well in this context.  Install
> was a simple download, untar, setup.py build/install.
> 
> Eggs and with other setuptools-inspired install processes break this
> paradigm.  The tarballs are incomplete in the first place.  The builds
> sometimes wander off to the internet looking for more downloads.  The
> installs sometimes wander off to the internet looking for
> compatibility conditions.  (Or rather they try to do so and fail
> because I don't let themn through the firewall.)

Have you considered establishing a policy that these setuptools-using packages
should be installed using the --single-version-externally-managed option to the
install command? This does not check for dependencies.

Alternately, you can provide a company repository of the tarballs and their
depedencies tarballs. Your users can use the easy_install option --find-links to
point to that URL such that they do not have to go outside of the firewall to
install everything.

> These are unacceptable behaviors.  I am therefore dropping ZODB3, and
> am considering dropping TurboGears and ZSI.  If the egg paradigm
> spreads, yet more packages will be dropped (or will never get a chance
> to compete for addition).

I'm sorry to hear that.

> I've asked before, and I'll ask again: If you are doing a Python
> project, please make a self-sufficient tarball available as well.  You
> can have dependencies, as long as they are documented and can be
> obtained by separate manual download. 

Given the options I outlined above, you can easily satisfy these requirements
for the vast majority of setuptools-using packages that are out there. There are
a handful of packages that only distribute the eggs and not the source tarballs,
but those are rare.

-- 
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
 that is made terrible by our own mad attempt to interpret it as though it had
 an underlying truth."
  -- Umberto Eco

More information about the Python-list mailing list