Depends on the company. Staff can mean somebody who...
- Has very specific domain expertise in an area critical to the company
- Can work across the stack and get a project done from 0 to 1 without throwing their hands up in defeat when they can't plow through it with SO/Copilot
- Gets a bunch of stuff out the door that management cares about
- Acts as technical lead on large cross-team initiatives
There's basically no consistency from company to company as to which of these truly qualifies somebody as Staff-level. As I'm so fond of pointing out there are places that call every non-Junior person a "Principal Engineer" and places that hire 24-year-olds as "Senior". Titles simply aren't fungible across companies. Show an Amazon employee this comment and they'll say that those first 3 are expected of a Senior engineer. I similarly was doing a lot of 2, 3, and 4 at a company that flat-out refused to promote me to Senior because I didn't meet some arbitrary HR criteria that they cooked up decades prior.
At this point I don't care what somebody calls me as long as I get paid market value to do things in a smart way with people that are well-intentioned.
You're being downvoted (for snark presumably) but you have a point.
During my tenures as a Python developer I've had to deal with pip, pipx, venv, pipenv, setuptools, conda, and poetry. I'd not heard of pyenv or uv until this thread (or maybe I've touched pyenv and got it confused with one of the 7 other tools I mentioned) and I'm sure there are other dependency/environment management tools floating around that I missed.
Now that I'm back to Go it's `go get` with some mise tasks. It's a serious breath of fresh air. The Python ecosystem probably won't ever catch up to npm when it comes to cranking out shiny new things but it's definitely more bleeding edge than a lot of other languages.
In the past 10 years, virtualenv and pip have been perfectly fine for me. They still are. I ignored any new tooling.
uv is great so far. I did run into a hiccup where moving from pip with a requirements.txt file to uv slowed a CI pipeline way down, which I had to revert.
> I'd not heard of pyenv or uv until this thread (or maybe I've touched pyenv and got it confused with one of the 7 other tools I mentioned)
I must have seen at least a dozen threads here about uv since joining half a year ago. But maybe that's because I actively look for Python discussion (and I'm probably just generally more active here).
I wish I'd paid more attention a few years ago and thought about the packaging problem more intensely - in an alternate universe I might have released Paper before uv came out, but I didn't even really start considering these issues until mid-2023 (and of course I've had plenty of other things to distract me since then).
For what it's worth, my general thesis is that most of the problems really boil down to Pip being what it is, and a lot of the rest boil down to Setuptools being what it is.
They don’t have a point. You listed seven tools – most of which aren’t package managers at all – which were created over the course of twelve years. That’s not even remotely like changing package manager every two weeks. That goes far beyond hyperbole, straight into misrepresentation.
The reason there have been so many is because the standard included tools (pip, venv) are not great. And others could still use improvements.
venv and setuptools aren't really package managers.
pipx is only meant for installing dev tools per user (in isolated venvs).
pyenv does something a bit different from the tools you listed (maybe it's part of conda, I haven't tried it). It's not a dependency manager, it's a Python version manager like nvm (node version manager).
It helps you manage downloading and compiling Python from source, lets you specify the Python version in a .python-version file, and provides a shim to find the right Python for a project (compiling it if it's not already available).
I tried pipenv and despite being hyped for it, it had a lot of issues. Then I tried poetry which seemed much better but was still sort of slow and got stuck updating lock files sometimes.
I haven't even tried pdm. Or the various conda package managers, since conda is mainly used by scientists with lots of binary dependency needs.
Then ~~uv~~ rye came along and seemed to fix things. It replaced pip + pip-tools/pipenv/poetry. It also replaced pipx (install Python tools in isolated venvs, then add them to the user's ~/.local/bin). It also replaced pyenv, but instead of compiling Python, which takes a while and can be troublesome, it downloads portable builds https://astral.sh/blog/python-build-standalone (which do have some downsides/compatibility issues but are usually better than compiling Python).
It was also written in Rust, so it avoided the circular venv issues that sometimes come with installing Python packages, since it had a self-contained binary (plus some shims).
Then uv came along, the projects merged, and most development is happening in uv. Despite the rye -> uv switch most things are pretty similar and I feel a lot of excitement towards it. The one big difference is there are no shims to automatically call the right Python for a project from uv. Instead you need to run `uv run script.py`.
Astral, the guys behind uv, took over the independent Python builds and have also built the most popular Python formatter/linter these days, ruff (also written in Rust, also fast; they're also looking into adding a better type checker for Python type hints).
I'd recommend trying it for your next project. I think it could become the de facto packaging/version tool for Python.
`venv` is fine. The work of just creating the virtual environment is hardly anything, and `venv` really can't screw it up. If you create environments `--without-pip`, it's actually faster than `virtualenv` and `uv venv` in my testing (because those are fundamentally doing the same thing with a little extra window dressing). What slows it down is bootstrapping Pip into the new environment, via the standard library `ensurepip`, which requires running zipped un-bytecode-compiled code from a bundled wheel.
(As it happens, this is the exact topic of the blog post I'm currently in the middle of writing.)
Pip is indeed not great (understatement - there are many other things about it that I have picked on or will pick on in this series).
> venv and setuptools aren't really package managers.
Setuptools nowadays is a build backend. Long ago (when expectations were much lower), Pip had Setuptools as a dependency, and the combination was about as close to a "package manager" as anyone really cared for. But Pip today really can't be called anything like a "package manager" either - it only installs the packages, and resolves dependencies. It records some basic information about the dependency graph of the things it installed - in the sense that it preserves such information from the wheels it installs - but it doesn't really do any processing of that information. If you ask it to remove packages it's (last I checked) not very smart about that. It doesn't help you figure out what packages you need, and it doesn't help you maintain your `pyproject.toml` file.
And, of course, it doesn't create or keep track of virtual environments for you. (Pipx does the latter, wrapping Pip and `venv`, but it only installs "application" packages that define an entry point.)
Poetry and PDM are the only things listed that really belong to the same category as uv. They're not only package managers, but complete workflow tools. (Conda is a package manager, for languages other than Python as well, but it's not meant to take over your entire Python workflow in the same way.) They even wrap themselves around the process of uploading to PyPI (which seems really excessive to me; seriously, `twine` is fine too.)
In the context of what OP is asking this is not true. DNS zones aren't enumerable - the only way to reliably get the complete contents of the zone is to have the SOA server approve a zone transfer and send the zone file to you. You can ask if a record in that zone exists but as a random user you can't say "hand over all records in this zone". I'd imagine that tools like Cloudflare that need this kind of functionality perform a dictionary search since they get 90% of records when importing a domain but always seem to miss inconspicuously-named ones.
> Even if it were not, the message you pasted says outright that they scan the entire IP space, so they could be hitting your server's IP without having a clue there is a subdomain serving your stuff from it.
This is likely what's happening. If the bot isn't using SNI or sending a host header then they probably found the server by IP. The fact that there's a heretofore unknown DNS record pointing to it is of no consequence. *EDIT: Or the Cert Transparency log as others have mentioned, though this isn't DNS per se. I learn something new every day :o)
> In the context of what OP is asking this is not true. DNS zones aren't enumerable - the only way to reliably get the complete contents of the zone is to have the SOA server approve a zone transfer and send the zone file to you.
This is generally true, but also, if you watch authoritative-only DNS server logs for text strings matching ACL rejections, there are plenty of things out there which are fully automated crawlers attempting to do entire zone transfers.
There are a non-zero number of improperly configured authoritative DNS servers out there on the internet which will happily give away a zone transfer to anyone who asks for it; at least, apparently enough to be useful that somebody wrote crawlers for it. I would guess it's only a few percent of servers that host zone files, but given the total size of the public Internet, that's still a lot.
Cloudflare themselves gives more information here:
> NSEC3 was a “close but no cigar” solution to the problem. While it’s true that it made zone walking harder, it did not make it impossible. Zone walking with NSEC3 is still possible with a dictionary attack.
So, hardening it against enumerability is a question of inserting non-dictionary names.
Zone transfers are a super interesting topic. Thanks for mentioning that.
It's basically the way to get all DNS records a DNS server has. Interestingly, in some countries this is illegal and in some it is considered best practice.
Generally, enabled zone transfers are considered a misconfiguration and should be disabled.
We did research on that a few months back and found out that 8% of all global name servers have it enabled.[0]
In practice it's not so far-fetched: a zone transfer is just another DNS query at the protocol level. I suppose you can conceptually view it as sending a file if you consider the DNS response a file. Something like "host -t axfr my.domain ns1.my.domain" will show the zone depending on how a domain's name server is configured (e.g. in BIND, the allow-transfer directive can be used to make it public, require an IP ACL to match the query source, etc.).
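An added example illustrating the point above (not code posted by anyone in this thread): an AXFR is an ordinary DNS query of type 252 carried over TCP, so the Python standard library's `socket` and `struct` are enough to issue one and to tell a locked-down server (rcode REFUSED, no answers) from an open one (a full transfer, which begins and ends with the zone's SOA record). The zone `example.test.`, the record contents, and both sample responses are constructed here to stand in for a real server; `probe_axfr` performs the live query and is the only part that needs a network.

```python
"""Added example: probe a nameserver for an open zone transfer (AXFR, RFC 5936).
Everything below the "constructed sample responses" marker is fabricated test
data standing in for a real server; nothing here is from the thread."""
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_AXFR = 1, 6, 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (flags 0: a transfer is never recursive) + one AXFR question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (dotted name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if end is None:
                end = offset + 2                        # caller resumes after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(msg):
    """Return the rcode name and the (owner, type) of every answer-section record."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                             # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen                            # rdata is not needed here
        records.append((owner, rtype))
    rcode = flags & 0x0F
    return {"rcode": RCODES.get(rcode, str(rcode)), "records": records}


def classify(parsed):
    """'open' = complete transfer (SOA first and last); otherwise refused or partial."""
    if parsed["rcode"] != "NOERROR":
        return "refused"
    types = [rtype for _, rtype in parsed["records"]]
    if len(types) >= 2 and types[0] == TYPE_SOA and types[-1] == TYPE_SOA:
        return "open"
    return "partial"


def probe_axfr(nameserver, zone, timeout=5.0):
    """Live check (network; not exercised offline): TCP AXFR, first response message."""
    query = build_axfr_query(zone)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS = 2-byte length prefix
        (length,) = struct.unpack("!H", sock.recv(2))
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify(parse_response(data))


# --- constructed sample responses (fabricated, standing in for a real server) ---
def _rr(owner, rtype, rdata, ttl=3600):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_open_transfer(zone="example.test."):
    """What an `allow-transfer { any; }` server hands out: SOA, every record, SOA again."""
    soa = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
           + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 300))
    answers = (_rr(zone, TYPE_SOA, soa)
               + _rr("www." + zone, TYPE_A, bytes([192, 0, 2, 10]))
               + _rr("staging." + zone, TYPE_A, bytes([192, 0, 2, 11]))
               + _rr(zone, TYPE_SOA, soa))
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)   # QR|AA, rcode 0
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1) + answers


def sample_refused(zone="example.test."):
    """A correctly locked-down server: rcode REFUSED and no answer records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0)   # QR|AA, rcode 5
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1)


if __name__ == "__main__":
    for label, fn in (("open", sample_open_transfer), ("locked down", sample_refused)):
        parsed = parse_response(fn())
        print(label, parsed["rcode"], classify(parsed), parsed["records"])
```

Run against the constructed data, the open sample classifies as `open` with four records and the refused sample as `refused`; pointed at a real server, `probe_axfr("ns1.my.domain", "my.domain.")` is the same check `host -t axfr` performs. On the server side the fix is the one the thread already names: restrict BIND's `allow-transfer` to your secondaries (by address or, better, by key) instead of leaving it open.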
Configuring BIND as an authoritative server for a corporate domain when I was a wee lad is how I learned DNS. It was and still is bad practice to allow zone transfers without auth. If memory serves I locked it down between servers via key pairs.
I'm irrationally excited about two of my more niche hobbies ('puters/OSS and guitar) colliding. I've built several PedalPCB [1] and BYOC [2] pedal kits and used Tayda pre-drilled enclosures as Linus is apparently planning on as well. I've been using Fractal stuff live since before it was cool but there's something intangibly awesome about slamming the front end of an old AB763 circuit with a homemade dirtbox.
It is a common misconception that children are universally disallowed in places that serve alcohol. If this were true then kids wouldn't be allowed in Applebees or at baseball games. "Minors aren't allowed in bars" is often a lie told by security or bartenders so that they don't have to worry about carding people that are already inside the establishment; this falsity has since worked its way into the zeitgeist as law. To be fair there _are_ places that have statutes that prohibit minors in bars that don't sell food specifically but it's typically on a jurisdiction (county or state) basis per their respective ABC boards. Every single time I was denied entry to a bar (typically music venues) under the age of 21 it was strictly based on feels - none of those places had such regulations. See also security denying "up and down" (vertical) licenses despite the birthday complying or denying passports or requiring ID for all people under a certain age... it's mostly about streamlining operations. The law generally prohibits serving those under 21 and makes no stipulations regarding how they identify themselves.
In this case, however, CA has a state-wide ABC that apparently _does_ make it illegal for minors to "enter and remain" in "bars and night clubs". The hotel would likely have a restaurant license though so the point is moot.
Why is the "Ultra" more powerful than the "Max"? I would expect "Max" to mean "maximum" in this context but it seems to mean "directly subordinate to that which is the maximum". This is pretty obviously a point of confusion. Just because other CPU manufacturers do goofy stuff with naming doesn't mean that Apple is exempt from criticism for doing something so obviously bereft of common sense.
Well then, it's a good thing I didn't say anywhere that they should be exempt from criticism. Incidentally, it's not something I believe. But I do think they are still doing a much better job at naming than other CPU manufacturers, despite the obnoxious Pro/Max/Ultra stuff.
I suppose I commented here because I think people are letting their subjective distaste for those terms sway their opinion of a superior naming scheme.
Why would you expect that? Also, the M4 is faster than the M3, but that doesn't mean Apple couldn't or didn't want to fuse two of them together for an M4 Ultra.
Is an Intel 10700K faster than a 12400F? The generations are different but the chips have vastly different capabilities and features.
M4 is the generation. The modifier modifies the generation. M4 Pro is an M4 with some extra pizzaz. M4 Max is an M4 with lots of extra pizzaz.
I got a Dreamcast a few months ago and fired up Ducati World with great anticipation. The coolest part of the game ended up being the Windows CE logo on the boot screen... Moto Racer it certainly ain't. I immediately fired up Rez for some EDM-scored mainframe hacking to wash away the disappointment :-D
> As someone who was shoved and occasionally bullied while operating machines like belt saws... I'm not sure it was worth it.
This. It's all fun and games until one of your classmates shoots you in the face with an air compressor while you're using a bandsaw. I still have all my fingers but did end up in trouble because everybody only saw the immediate aftermath of me making it abundantly clear how much I didn't appreciate his antics (only verbally, of course).
Your comment is logically fallacious. Instead of addressing the substance of their argument you attack a straw man because their opinion doesn't align with yours. The fact that it isn't one extreme or the other is of no consequence to its validity; your dislike for it is based strictly on its nuance, not whether it holds up, and that makes no sense. They even capitulated by saying
> But now the lose this balance.
and it still wasn't good enough for you. In case it isn't clear enough: I'm not defending "enlightened centrism" (whatever that is) so much as pointing out that your reasoning is flawed to the point of adding negative value to the discussion. Please review HN Guidelines [1], particularly the part about comments.
> Instead of addressing the substance of their argument you attack a straw man
The substance of their argument was to say "nobody is 100% evil". It's a platitude that clarifies nothing and helps nobody. Everyone has a redeeming quality, so what? How does pointing out that nobody is 100% evil change the bigger picture? Does it offer any moral resolution, especially for the victims of their evil?
> But now the lose this balance.
Honestly I did not know what to make of this sentence
But your dismissal of OP's point doesn't help those people either. The damage has already been done. This is an internet comment thread at best.
Understanding that people aren’t 100% evil also helps you understand “how are ANY of the locals around him ok with this guy being in charge?” Because it helps to see the next one coming.
What are the modern equivalents? For Terraform I'd imagine it's Pulumi or OpenTofu but what is it for Vault? Last I checked OpenBao didn't seem to have much juice but it's been a minute since I did so. Or are there unrelated projects in this space that are on the same trajectory as Hashicorp was a decade ago?
Crossplane is excellent but you need to understand CRDs and kubectl at what I'd consider an intermediate level to really grok it, whereas Terraform's CLI is almost fool-proof.
Relying on cloud key vaults is expensive and locks you in. Vault and Consul can run anywhere, even in your toaster. They also support those same KMSes. Also, dead easy TUI and GUI with Vault Enterprise.