Some much needed wisdom from Dan Bader

[Vipul Gupta]

Hello, 

There has been some time since I first started to write on ALiAS's mailing list but in the twisted world of switching between Slack, Discord, Whatsapp, Instagram, Twitter, Gitter, Facebook, Linkedin, and Matrix. I feel mails still are the best form of communication when you would like the talk to be heart to heart. Hence, here I am sharing some good wisdom from Dan Bader, about Python dependencies and pitfalls related to it. 

Good Plug: Dan runs an awesome course on Real Python that is just right for people who have now plateaued over the course of learning the Python language. When I met him back in October 2018, he told me about his vision behind the course/mails reminders for people who would like to become the master of the language but don't want to learn it all from the beginning. 

I have been running far too long from this phenomena myself and have learned to finally embrace it, and work on it. I practice, I fail a lot of tests on Sugar Labs, maintainers have a field day on my pull requests and I note what I do wrong. I try again. The same is something we should all do. Start introspecting within yourself, start fixing the flaws in your ship and let it sail on the waves to see what far you can make it. With that thought, here my mail thread to keep me accountable in the summers. Make summers great again.

Dan's short courses on Python is done by mails that you receive from him daily, here's the first one today. 

Hey there, #1 on my list of dependency management pitfalls is there for a good reason: It lead to a single developer causing mayhem and breaking thousands of open-source projects around the world in one fell swoop. Here's how it all went down: A few years back, Azer Koçulu wrote a tiny library he published on Npm, the package repository for NodeJS. (The Python equivalents would be PyPI + pip.) That "library" contained only 11 lines of code in total, but it was downloaded MILLIONS of times every month of as a dependency in other JavaScript projects. What Azer's magical "micro library" did, you ask? It added a tiny piece of functionality that was frequently needed but wasn't a part of the NodeJS standard library: The ability to pad out the lefthand-side of strings with zeroes or spaces. For example, to format numbers for display. In Python you'd probably do something like this: >>> n = '4' >>> n.zfill(3) '004' Anyway, this tiny "left-pad" library was used across many projects, including important applications like Node itself. One fine day, Azer decided to close his NodeJS package repository account… Which removed all of the packages associated with it. And suddenly, "left-pad" was no longer available for download… Can you guess what happened to the dependency install setup steps on projects using "left-pad?" Well, they came to a SCREECHING HALT: App deployments became stuck dead in their tracks. Automated tests stopped working. And thousands of developers couldn't even RUN their apps locally… All because "left-pad" had disappeared—and some important build tools required it to work. It was quite crazy. Even some newspapers reported about the "left-pad incident." You can imagine that there was a lot of "bruhaha" about the NodeJS packaging system— But to tell you the truth the *exact same thing* could happen at any time with Python's packaging repository, PyPI. It's easy to think that pulling in functionality from 3rd party dependencies is always a net benefit. But every time you're adding an external dependency to your own project you're walking a fine line… BAD external dependencies can make your stomach churn as a developer or project maintainer. The people who got burned by the NodeJS "left-pad" incident know what I'm talking about... On the other hand, a great quality third-party package can save you hours or even days of work. The challenge is deciding whether a dependency adds value or is just a liability: >> See step-by-step how to research and make Python dependency decisions (and how to explain them to your team/manager) — Dan Bader P.S. There's an important skill that Python dev managers look for in a candidate, but they rarely find it. More on that tomorrow.

Toodles, 

vipulgupta2048