lmm's comments

> Honest question: is uv more reproducible/portable than cramming your Python project into a Docker container?

Yes (unless you use uv in your Dockerfile). I mean, a Docker container will freeze one set of dependencies, but as soon as you change one dependency you've got to run your Dockerfile again and will end up with completely different versions of all your transitive dependencies.


People used pip-tools for this prior to uv (uv also replaces pip-tools).

> I've honestly never heard of any dependency resolver that allows you to dynamically inject an override of a package's built in specification for an indirect dependency.

You can do it with [patch] in cargo (I think), or .exclude in SBT. In Maven you can use <dependencyManagement>. In fact I can't think of a package manager that doesn't support it, it's something I'd always expect to be possible.

> Point blank, that's a packaging failure and the solution is, and always has been, to immediately yank the offending package.

Be that as it may, PyPI won't.

> It should never be on the end user to be specifying overrides of indirect dependency specifications at the top level though

It "shouldn't", but sometimes the user will find themselves in that situation. The only choice is whether you give them the tools to work around it or you don't.


What do you do when you accidentally run pip install -r requirements.txt with the wrong .venv activated?

If your answer is "delete the venv and recreate it", what do you do when your code now has a bunch of errors it didn't have before?

If your answer is "ignore it", what do you do when you try to run the project on a new system and find half the imports are missing?

None of these problems are insurmountable of course. But they're niggling irritations. And of course they become a lot harder when you try to work with someone else's project, or come back to a project from a couple of years ago and find it doesn't work.


You can get pretty far without needing to run pip. Whereas you can't change anything in a rust codebase without compiling it.

I have the opposite feeling, and that's why I like uv. I don't want to deal with "environments". When I run a Python project I want its PYTHONPATH to have whatever libraries its config file says it should have, and I don't want to have to worry about how they get there.

You and I can't buy it because they don't want their competitors getting it. But they'll happily use it to target ads at you, and the US government has access to it and can use it to decide who they want to send their CIA kidnap-torture squads after.

Huh? TPTB in the US do not try to censor those topics; if anything they encourage discussion of them (or at least did until this year). US "AI" systems censor much the same topics as US social networks, just as Chinese "AI" systems censor much the same topics as Chinese social networks.

Would you say that US-based apps that use e.g. Google Analytics, and therefore share information with Google, "surface the interconnectedness between all of these firms" and are a good reason to e.g. ban apps from US-based developers?

Not the op, but yes, I would; this is why I approve of GDPR and the cookie popup rules and am actively angry at every company who think it's legit to share browsing habits with more "trusted partner" companies than there were students in my secondary school.

This is a problem that can and has been solved, but notably isn't solved by just posting this kind of "pledge" without actually setting up the escrow infrastructure.

Thought that was going to be https://xkcd.com/125/. Iteration of the same concept I guess.
