[BangPypers] BangPypers Digest, Vol 84, Issue 14

Daniel Greenfeld pydanny at gmail.com
Wed Aug 20 15:26:30 CEST 2014 

> Date: Wed, 20 Aug 2014 02:09:32 +0530
> From: kracekumar ramaraju <kracethekingmaker at gmail.com>
> To: Bangalore Python Users Group - India <bangpypers at python.org>
> Subject: Re: [BangPypers] "The Python I would like to see" - Armin
        Ronacher
> Message-ID:
        > <CAO5c=mk5gkP71+1sW_fC_AxyH+nmjarDOTP3MBSgZfU=HuLWMw at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

> Hi

> I am late to the party, adding my thoughts.

> - Though pip, venv solve issue to certain extent. If there are 100+
> packages need to be installed, pip will take atleast 60 -  90 seconds to
> check all the packages are installed considering venv have all packages
> (AWS). Then deploy will look like code deploy + package install + restart
> of service. There are high chances request may pile up if restart of
> service takes more than 30 - 40 seconds if the app is single page app
> (Initial load during peak hours). Also if PyPi is down my deployment will
> fail, having PyPi mirror isn't affordable. So far I haven't faced any issue
> with PyPi, but there were times when npmjs.org is down :-) Yes you can
> package all your dependencies in .deb files and distribute but there is a
> cost associated with it. With golang style of deployment all the
> installation time and packaging issue is solved with single binary.

If you are worrying about PyPI dependability, don't use PyPI. Don't
even use a PyPI mirror! For what it's worth, this also applies to
RubyGems, NPM, and anything else.

Also, I don't really think of PyPI as secure. The maintainers are
well-meaning, but AFAIK none of them (even Donald Stufft) are paid
professionally to maintain PyPI. They are volunteers working on a
crufty application thats grown organically into security from
something that was never meant to be secure in the first place.

FWIW, this also applies to RubyGems and NPM. I'm not certain if it
applies to Go, but I wouldn't be surprised if it does.

So what do you do? How do you host your packages?

1. Host the packages on your own private server. You don't need all
the fanciness of a package server (PyPI, NPM, RubyGems, et al). All
you need is the ability to host files. If you don't want to go through
the trouble of setting this up with Apache or Nginx, then just set up
a git repo hosting the eggs/wheels (not GitHub) your project can
access from.

2. Purchase the services of a company whose job it is to provide
SECURED, dependable access to your packages. Off the top of my head I
can tell you that GemFury does it for Ruby, Python, Node, Go, et al.

Yes, this is extra work, but if you want dependability/security, it's
the way to go.

Sincerely,

Daniel Greenfeld

More information about the BangPypers mailing list