Python and IDEs [was Re: Python 3 is killing Python]

Chris Angelico rosuav at gmail.com
Fri Aug 1 19:48:16 EDT 2014


On Sat, Aug 2, 2014 at 6:22 AM, Michael Torrie <torriem at gmail.com> wrote:
> On 08/01/2014 08:39 AM, Chris Angelico wrote:
>> The installer has basically three choices.
>> 1) Install libnettle inside the application directory
>> 2) Install libnettle to some system library directory
>> 3) Don't install libnettle, and demand that someone else (perhaps the
>> user, or the system package manager) install it.
>>
>> Option 1 results in duplications. (Unless one application is allowed
>> to access a library in another application's directory, which is a
>> HORRIBLE mess.) Option 2 is exactly what you're complaining about,
>> scattering files all over the FS. And option 3 is what package
>> managers are for. What are you advocating?
>
> Option 1 also is a huge security hole.  A prime example of this was the
> so-called Heartbleed bug.  In such a model, each app that distributes
> OpenSSL in the app bundle has to be updated or it is at risk.  This
> turns out to be a huge vulnerability.

More generally, that's exactly what Steven said about needing every
package to update before you can confidently say it's updated. But
that's also the greatest feature of the first option: you can't break
this application by upgrading that library, because only upgrading the
application (which hopefully will have been tested by the author) will
upgrade the library it uses.

ChrisA
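
The trade-off in this thread (under option 1, every private copy of a library has to be updated separately) can be made visible by inventorying bundled copies and comparing them with the system copy. This is an added example, not part of the original message; the directory layout, file contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    """Hash a file's contents so byte-identical copies can be recognised."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_bundled(apps_root, system_dir, prefix):
    """Map each app under apps_root to its private copies of a library.

    Each copy is reported as (path relative to the app, matches_system).
    matches_system is True only when the copy is byte-identical to a copy
    in system_dir, i.e. the one a package manager would have updated.
    """
    system_hashes = {sha256(p) for p in Path(system_dir).glob(prefix + "*")
                     if p.is_file()}
    report = {}
    for app in sorted(Path(apps_root).iterdir()):
        if not app.is_dir():
            continue
        report[app.name] = [
            (p.relative_to(app).as_posix(), sha256(p) in system_hashes)
            for p in sorted(app.rglob(prefix + "*")) if p.is_file()
        ]
    return report


def build_sample_tree(root):
    """Constructed layout: one updated system copy, apps with private copies."""
    layout = {
        "usr/lib/libnettle.so.4": b"patched build",
        "opt/app_a/lib/libnettle.so.4": b"old build",         # stale bundle
        "opt/app_b/vendor/libnettle.so.4": b"patched build",  # rebuilt bundle
        "opt/app_c/bin/app_c": b"relies on the system copy",  # option 3
    }
    for rel, data in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return Path(root) / "opt", Path(root) / "usr/lib"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        apps, system = build_sample_tree(tmp)
        for app, copies in audit_bundled(apps, system, "libnettle").items():
            print(app, copies or "no bundled copy")
```

A copy reported with `False` has not followed the system update and stays as it was until that application itself is upgraded, which is both the risk and the stability property described above.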


