I feel like this entire post reinforces just how difficult Python dependency management is. I’m a huge fan of Python, despite all of its flaws, but the dependency management is horrible compared to other languages. Nobody should have to learn the intricacies of their build tools in order to build a system, nor should we have to memorize a ton of flags just for the tools to work right. And this isn’t even going into the issue where building a Python package just doesn’t work, even if you follow the directions in a README, simply because of how much is going on. It is incredibly hard to debug, and that is for just getting started on a project (and who knows what subtle versioning mistakes exist once it does build).

I think Cargo/Rust really showed just how simple dependency management can be. There are no special flags, it just works, and there are two tools (Cargo and rustup) each with one or two commands you have to remember. I have yet to find a Rust project I can’t build first try with Cargo build. Until Python gets to that point, and poetry is definitely going down the right path, then Python’s reputation as having terrible dependency management is well deserved.

Pythonistas looking at Java Hello World:

Why is this so complicated!? It should just be print("hello world"). All that other complexity is boilerplate that hurts ordinary users.

Pythonistas looking at pip.

This is fine.

I think much of the meme comes from the difficulty of obtaining the understanding, not of employing the best practice at a given point in time.

IME this is greatly exacerbated by an information environment soaked in recommendations from multiple generations/branches of tooling. The people who most need to be able to find the current best practices will be least equipped to tell the difference between cutting-edge and out-of-date.

That said, a post outlining the ecosystem is probably a good cure if people can find it.

Agreed on that repeating the meme is just being too lazy to call out which part specifically is broken.

That said, by far the biggest problem I have with Python dependencies is failures during installation of packages that compile C/C++ code that break on wrong headers, libraries, compiler versions etc. Most often with numpy, scipy and similar.

Now, is there hope the situation improves without migrating off of setup.py scripts? I doubt it. Everything needs to migrate to something declarative/non-Turing-complete so that those edge cases are handled in the tool itself, once and for all packages. I’m not sure if setup.cfg/pyproject.toml cover all the use cases to become a complete setup.py replacement. Probably not (yet).

I’ve had Sublime Text plugins broken in subtle weird ways because of outdated/incompatible Python dependencies in its custom environment that I don’t even know how to manage.

I keep running into problems with npm dependencies that use gyp that uses Python. Why would they use Python in a JS tool I don’t know, but they want a specific Python version which my OS doesn’t have.

I install Ansible via homebrew, which means it wants whatever Brew-installed Python things there are, and I need to be careful not to use any other Python software that would mess with them (which happens if I run a Python tool from elsewhere and forget to jail it in its own env).

Scripts still can’t decide if it’s python or python3.

Then there’s the dozen of various envs and package managers, and I lost track which one of them in the current one and which ones are the old crappy ones that will make things worse.

It all is probably super obvious to people who are into python, but as someone who isn’t actively involved it’s just an endless source of problems testing my patience.

I liked this article

I think the majority of people who propagate this meme (which thankfully I see less and less) are largely dogpiling and not in touch with the Python ecosystem (it’s trendy to hate).

On the other hand I don’t think the camp advocating to “just learn the tools and remember to do X Y Z” help the situation because there is definitely a problem to be addressed. There’s some truth to the meme after all.

Looking at other languages for inspiration like node + npm I wonder whether the root cause is just providing sensible defaults. In python land, package installations (pip install) aren’t local to your project by default (unless you create + run inside a virtual env). I think it’s just this extra step tripping newer/unfamiliar/junior developers up

I don’t see the same kind of hate for node/npm for throwing stuff into node_modules by default (except criticisms about the folder size). And the node ecosystem has similar approaches for managing node versions like nvm/n similar to pyenv (so I don’t think that’s a point of friction either).

i think it’s a helpful meme for two reasons:

• it goes in the “con” column for choosing python for a new project
• when people encounter these problems, it lets them know they’re not alone

for the first one, my workplace usually starts C# projects by default, largely for environment/dependency reasons. we use python for throw-away work, existing python projects, and when there’s a python library that saves us a lot of effort.

the second one can be especially important, because python also has a reputation for being easy. many people get stuck on dependency hell and assume that they are the problem

(rust is also very good at this problem, but i basically never want to use rust for a problem i was considering python for. it’s like when a vegan tells you that a banana is a good substitute for an egg, but you don’t want bananas benedict)

The author is right that this isn’t black magic nor is it specific to Python. But it is a source of continual annoyance to developers. You get confused about where you are and what python/ruby/whatever you are using is and stuff breaks in weird ways. You can absolutely figure it out but it doesn’t take away from the fact that daily use means you’ll stub your toe somewhat frequently because dependency management is a hard problem that has to be tailored to each codebase.

I think that python dependency/project/environment management still has plenty of room for improvement, but it has also made steady progress in recent years. The slow evolution can be confusing for users, as someone else mentioned.

Wheels have made installing packages with non-python dependencies much easier. This has removed the need for something like conda/mamba for all of my projects.

Python adopted pyproject.toml as a centralized project configuration file. tomlib will be part of the standard library in the next version of python which will remove any external dependencies.

Pip got a new dependency resolver.

After installing python on any system, I start with pip install pipx so that I can install any global python based tools in isolated environments.

I’ve recently started to use hatch (installed with pipx, of course) to manage projects. It pieces together some existing tools in the python packaging ecosystem and helps enforce best practices. Think of something like black for project management. It tries not to re-invent the wheel like poetry does and fits well/uses existing tools. It is also part of the Python Packaging Authority (like pipx), which feels promising. One of my favorite parts about hatch compared to npm or typical venv usage is that it keeps the virtual environment out of the project folder.

$ hatch new my-project
$ cd my-project
$ hatch shell
(my-project) $ 

Again, this doesn’t solve everything and I’m still experimenting to find the best workflow for myself, but I do see things getting better.

There are 2 big problems from my perspective:

• Lazy developers that don’t solve the dependency management problem for their user(s) (i.e. they don’t make and build binaries, zipapp or use other dependency tools)
• Lazy developers that don’t keep their own build time dependency management problem for other developers sane.

Both of these are easily solved by less lazy developers and/or forcing the ecosystem to ensure developers can’t be lazy. Go, Rust, etc all went the 2nd way, by ensuring developers can’t be too lazy, by making the default in the ecosystem the only sane way to do it. That generally means anything outside of the blessed way gets hard to very hard, depending on the language/ecosystem.

Python obviously doesn’t enjoy those same defaults. Could the Python ecosystem be “fixed”, of course, it’s not a technical problem. So far nobody has managed to do the hard work and make it happen, so I’m not optimistic.

Some applications, like Calibre do the work for their user(s) and include binaries for the platforms they want to support. Most python developers seem to lean on other people to fix the distribution problem. It’s not even that hard to build binaries for the different platforms to solve the user side of this, many different tools exist to solve these problems.

The developer side of the problem has plenty of tools also(poetry, pip-tools, etc).

So I’m sure I’ll get a lot of flack, but my perspective is, it’s a lazy developer problem and a lack of consensus problem(as far as getting the defaults fixed).

I expended a tremendous amount of effort within my company to make make make Python dependency management one-command-and-done. I did a talk about it for PyOhio this year: make python devex: Towards Clone to Red-Green-Refactor in One Command w/ a ~45y/o Tool [PyOhio 2022].

The TL;DR of the talk is that I use make + pyenv + poetry to ship data science pipelines, libraries, and some CLI tools. Make is the UI that tells pyenv which Python to install and then poetry does the dependency management, building, and publishing. I make a point in the talk that one could use Conda-managed Python instead, if your use of it complies with their licensing (corps gotta pay, ours does).

All of this to get the ~same out-of-the-box experience I had in Scala— the stack in which I’d worked for nearly a decade before moving to a Python team— for a decade.

The venv stuff is easy. Although mostly unique to python, it is not a difficult very problem to solve. When i dunk on python dependency management i refer to the issues that have been plaguing the ecosystem due to shortcomings in its design. I am sorry for the incoming rant.

Pip used to ignore version conficts, which has resulted in package ecosystem having bonkers version constraints. I’ve found it common for packages which require compilation to build, to have an upper python version constraint, as each new python version is likely to break the build. The most common drive-by PR i do is bumping the upper python version bound.

Poetry, although a major improvement for reproducibility, is in my opinion a bit too slow (poetry –help takes 0.7 seconds) and unstable (Of course this poetry version wipes the hashes in my lockfile!), has poor support for 3rd party package repositories, and does not even support the local-version-identifier part of the version schema correctly, which has resulted in people overriding some packages in poetry venv using pip.

Every python package manager (other than conda, which is fully 3rd party) is super slow during dependency resolution, as it can’t know what the subdependencies of a package are without first downloading the the full package archive and extracting the list of dependencies (pypi issue here from 2020), which is incredibly fun when dealing with large frameworks such as pytorch, tensorflow, scipy and numpy, where each wheel is at least a gigabyte in size.

For source distributions, dependencies are usually defined by setup.py, which must be executed to allow us to inspect its dependencies. This of course cannot be cached on pypi, as it is possible for setup.py to select its dependencies depending on the machine it runs on.

Then there is the setup.py build scripts which never seem to quite work on any of my machines. Some build scripts only ever work in docker environments I would never have been able to reproduce had it not been for dockerhub caching images build with distros whose repositories now have gone offline. This is especially becomes a problem when the prebuilt binary packages, made available by the package author, typically don’t target ARM and/or musl based platforms.

My pretty strong belief has been that OS-level installs of Python are a major source of all of these issues. Apt and homebrew showing up with system installs means that you get into so many weird scenarios (especially if you happen to have one script somewhere with a badly-formatted shebang).

There is also an issue not covered in this, which is packaging for distribution to other systems. There are lots of packaging tools out there, but it’s still pretty tough to package things that aren’t really pure python. Even avoiding dependencies you get into issues! urllib2 installs on a clean Mac machine don’t work with HTTPS (you have to run some script first…), so things are not cut out for you.

My recent idea is to have a binary like cargo, where you run the binary on your project, it will set up an environment to run your script, but first will completely wipe all Python-related env vars, and then set up as hermetic a thing as possible. It’s a ball of mud solution, but it’s nicer to me than the current state of the art (Docker, basically).

But really I think that beyond pip + requirements.txt, a lot of the new tooling simply is broken way too often. Poetry is kinda buggy, pipenv would just randomly hang all the time…. I think everyone would be very happy to adopt something that works without having major changes in workflows.

And hey, motivated people would quickly send patches to upstream libraries! Everyone wants Python to work nicely, just so far people aren’t actually showing up with nice solutions (beyond a lot of the amazing work with wheels and the like, of course. Talking more about the top-level binaries).

The only thing I have never really understood is Python deployment, but I’ve never understood deploying anything that isn’t compiled, really. The best non-Docker mode of deployment is rolling your own service files, or pex or something?

I don’t know if I’ve just been supremely lucky with what dependencies I’ve chosen, but I’ve always found Python dependency management pretty straightforward.

virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

Is just about everything you need. It just works. It’s not significantly different to any other language. I don’t need to learn the intricates of how pip works, or to memorise a load of flags. There’s just one flag there!

If installing dependencies fails due to needing a C compiler or whatever, I’ll just bring one into the path and try again. To generate a lock file it’s just pip freeze > requirements-freeze.txt. If you install from the lock file, you get exactly the same versions of everything again. Simple.

Pretty nice article that came just in time when I was swearing about building a conda environment for our jupyter instance. I just can’t find a set of packages that fit together, and messages I get are not that helpful. I had to switch to pip-compile to get a good overview what versions/packages have conflicting dependencies. And after reading this thread it occured to me that there is another pitfall of python’s packaging tools: if I try to create an environment in one go (a’la pip-compile followed by pip-sync) I will get failures. If I use pip, it will happily install packages with conflicting dependencies – only if I install them one by one, it will warn me. That’s not what I would expect from packaging tools.

That’s all well and good until you run into a missing wheel, which leads to a compilation error due to a missing header file. Or until you need to upgrade a package to fix a bug, but there were unrelated breaking changes because Python package devs don’t follow anything like SemVer, and break backwards compatibility constantly. Or until you end up with CUDA version mismatches, or similar dynamic linking issues with other system libraries.

This talks about Poetry. And about using venv directly. But what about pipenv? I remember that being pushed quite heavily. Does it do the same as Poetry? Or the same as venv? Or both? Neither? Should I use Poetry in addition to pipenv? Why do we need all these different tools? Are they complementary or competing? If they’re competing, is there a community consensus about what’s “right”/“best”?