People choosing Python 3

Michael Torrie torriem at gmail.com
Thu Sep 14 00:00:54 EDT 2017


On 09/11/2017 01:47 AM, Stephan Houben wrote:
> Op 2017-09-10, Marko Rauhamaa schreef <marko at pacujo.net>:
>> Stephan Houben <stephanh42 at gmail.com.invalid>:
>>>
>>> Why not bundle the Python interpreter with your application?
>>> It seems to work for Windows developers...
>>
>> I've seen that done for Python and other technologies. It is an
>> expensive route to take. Also, it can be insecure. When vulnerabilities
>> are found, they are communicated to the maintainers of, say, Python.
>> When Python is fixed and released, the vulnerability is revealed, but
>> the version bundled with your product is still broken. You have to be
>> prepared to perform an emergency release of your product and hope you don't
>> mess things up.
> 
> To each his own, but this is not different from any other
> third-party package your application depends on.

Actually, no it's completely different.  Except for compiled modules,
third-party packages (vetted and approved of course) can be bundled in
your app's python file tree as simple python files, all trackable via a
single git repository or some other change management tool.

Not so for binary installations that include various libraries, config
files, and binaries.  The biggest issue is configuration management.  As
I mentioned in my other post, we used to have a policy for our servers
that installation from source was strongly discouraged, and in some
cases simply not allowed.  This wasn't just for security; it was for
managing configuration of the servers. When everything is packaged up
nicely, it's trivial to deploy to new machines.  Even our own software
would often be wrapped up in RPMs.

That said, requiring a dependency on EPEL is, in my opinion, completely
valid for your enterprise customers.  In all likelihood EPEL is already
in use anyway.

Docker is another possibility as more and more enterprises are using it
to deploy software to machines dynamically. Of course this has the same
problem Marko mentioned earlier. If the docker container maintainer
isn't constantly keeping it up to date, security flaws in the docker
image will be a problem.
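As an added example that is not from this thread or from any of the posters, here is a release-gate check for the failure mode Marko describes: a bundled interpreter, library, or Docker base image that has fallen behind the upstream fix. It reads a constructed manifest of what the bundle ships and compares each entry against a minimum acceptable version; the manifest format, the component names and the floor versions are all assumptions made for the example, not data from any real product or advisory. The live probe at the end handles the one wrinkle a practitioner trips over with old bundled copies: Python before 3.4 wrote its `--version` banner to stderr.

```python
"""Release-gate check for a bundled runtime.

Added example (not code from the mailing-list thread). It models the
situation Marko describes: the product ships its own interpreter and
libraries, so when upstream publishes a fix, every shipped copy has to be
compared against the fixed version before the product can be released.
"""
import re
import subprocess
import sys

# Constructed sample manifest: one line per bundled component, recording the
# banner each tool printed at build time. Not taken from any real product.
BUNDLE_MANIFEST = """
python   Python 3.6.2
openssl  OpenSSL 1.0.2k-fips  26 Jan 2017
sqlite   3.20.1 2017-08-24 16:21:36
"""

# Constructed floor versions the release team requires. These are assumptions
# for the example, not real advisory data.
MINIMUM_VERSIONS = {
    "python": "3.6.3",
    "openssl": "1.0.2l",
    "sqlite": "3.20.0",
    "zlib": "1.2.11",   # required, but never recorded in the manifest above
}

# major.minor.patch with an optional single trailing letter, which is
# OpenSSL's patch-letter convention (1.0.2k precedes 1.0.2l).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """Return (major, minor, patch, letter) for the first version in text.

    The tuples compare in the intended order: (1, 0, 2, 'k') < (1, 0, 2, 'l')
    and (3, 6, 2, '') < (3, 6, 3, '').
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def parse_manifest(manifest):
    """Map component name -> parsed version for each non-empty manifest line."""
    shipped = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, banner = line.partition(" ")
        shipped[name] = parse_version(banner)
    return shipped


def stale_components(manifest, minimums):
    """Return {name: (shipped, required)} for every component below its floor.

    A required component that is missing from the manifest is reported with
    shipped set to None: an unrecorded component is exactly the one nobody
    remembers to rebuild when the emergency release is needed.
    """
    shipped = parse_manifest(manifest)
    stale = {}
    for name, floor in minimums.items():
        required = parse_version(floor)
        have = shipped.get(name)
        if have is None or have < required:
            stale[name] = (have, required)
    return stale


def probe_version(executable):
    """Run `<executable> --version` and parse the banner it prints.

    Both streams are captured on purpose: Python before 3.4 printed the
    version banner to stderr, and a bundled copy may well be that old.
    """
    proc = subprocess.run([executable, "--version"],
                          capture_output=True, text=True, check=True)
    return parse_version(proc.stdout + proc.stderr)


def probe_self():
    """Sanity check: the probe agrees with the interpreter running this file."""
    return probe_version(sys.executable)[:3] == tuple(sys.version_info[:3])


if __name__ == "__main__":
    stale = stale_components(BUNDLE_MANIFEST, MINIMUM_VERSIONS)
    for name, (have, need) in sorted(stale.items()):
        print(f"{name}: shipped {have}, required {need}")
    sys.exit(1 if stale else 0)
```

Run it as the last step of the release pipeline: a non-zero exit blocks the build whenever anything in the bundle is older than the agreed floor, or is simply not recorded at all, which is the same blind spot Michael's configuration-management point is about.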



