Embed Notice

Source-based

gentoobro

There is a real problem with this approach, and it's seen with Python. Python, by default, without all the tricks, has a global package list. There can only be one version of a package in it at a time. This is all nice and good in fairy-land where spergs don't just flip their API's upside-down for shits and giggles because it wasn't RAII-y enough or whatever the latest fad is, however in the real world this turns into a maintenance nightmare. Every package has to play keep-up with all its deps, all the time. And this means that it's entirely possible (and even likely, for non-toy projects) that you'll end up locked on some certain very narrow set of versions due to the overlap of compatibility for all the different packages you need to use and whether the drunken Russian in Siberia who maintains it has woken up from his bender yet and noticed the backwards-incompatible changes to a dep. This is real, and while I have avoided Python in all of my jobs, happened multiple times to my friends who weren't so lucky in their career. This disaster leads to all sorts of "virtual environment" nonsense to try to work around it, which only works sometimes.

The other side is NodeJS and npm. Every package keeps a copy of its own deps in a big nested tree of source code. Further, each package can pin the version range of its deps. So either a package pins the version, including all the bugs and exploits of the version, or it unlocks it and you're left with the situation above. Nevermind that you have to compile slightly different versions of lodash several dozen times.

C/C++/ELF shared objects leave these decisions to users and distro maintainers, who take a varied approach. Further, because there's no central package manager to just magically push changes to all the time, library authors tend to be a lot more thoughtful with their releases and breaking compatibility.