7 votes

How do you keep pypi programs up to date?

If you install a bunch of stuff from pypi (like in virtualenv), how do you keep abreast of security fixes and updates etc?

9 comments

  1. Deimos

    I think it depends exactly what you're doing, but for larger projects I usually try to use a method similar to this one: A Better Pip Workflow.

    That's what I do for Tildes - there are two separate files related to the pypi packages I'm using:

    • requirements-to-freeze.txt - these are the "real" packages that I want to install. Just a list of the ones I want, preferably with no particular version requirements unless it's necessary to restrict a version for some reason.
    • requirements.txt - this is what actually gets installed if I install the requirements-to-freeze list, including all dependencies and specific versions of each package. This file basically lists a complete "snapshot" of the packages in the virtualenv.

    Now when I want to update the pypi packages, I go through this process:

    1. Delete the project's virtualenv completely
    2. Recreate it, and then do pip install -r requirements-to-freeze.txt. This installs the newest versions of all the packages and their dependencies.
    3. Run pip freeze > requirements.txt. This overwrites the previous "full installed snapshot" with the new one.
    4. Use git diff to see which packages have been upgraded to new versions, and potentially visit their docs/repos/etc. to check their changelogs if I want to know what changed.
    5. Run tests/etc. to try to make sure that everything's still working.
    6. Commit the changes to requirements.txt (example of what these commits look like)

    Kenneth Reitz (who wrote the workflow post this is based on) has also been working on Pipenv, which is supposed to include some of this natively and improve the process, so that may be an option as well if you're open to trying something new.

    3 votes
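Step 4 of the workflow above is done by eye with git diff. As an added example for this thread (not Tildes' code and not from the Reitz post), here is a small Python script that parses two pip freeze snapshots and reports which pins moved, so you know which changelogs to read before running the tests. The two snapshots are constructed for illustration, the repository URL is a placeholder, and the numeric version ordering is an assumption that covers the common X.Y.Z case only.

```python
"""Compare two `pip freeze` snapshots and report what an upgrade changed.

Added example for this thread, not Tildes' own code. The snapshots below
are constructed; in practice the old one is `git show HEAD:requirements.txt`
and the new one is the freshly generated requirements.txt.
"""
import re
from typing import Dict, Tuple

# Constructed sample: the committed snapshot before the upgrade.
OLD_FREEZE = """\
Jinja2==2.10
MarkupSafe==1.0
SQLAlchemy==1.2.7
pyramid==1.9.2
-e git+https://example.invalid/tildes.git@abc123#egg=tildes
"""

# Constructed sample: `pip freeze` after recreating the virtualenv.
NEW_FREEZE = """\
Jinja2==2.10.1
MarkupSafe==1.0
SQLAlchemy==1.2.8
pyramid==1.9.2
requests==2.19.1
-e git+https://example.invalid/tildes.git@def456#egg=tildes
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$")


def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalized package name -> pinned version.

    Comment and editable (-e) lines are skipped: an editable checkout has
    no comparable version, so its change is better read straight from git.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = PIN_RE.match(line)
        if m is None:
            continue  # e.g. "pkg @ file:///..." local installs
        name, version = m.groups()
        pins[name.lower().replace("_", "-")] = version
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Leading numeric components of a version, so 1.2.10 sorts above 1.2.8.

    Assumption: PEP 440 suffixes (rc, dev, post) are dropped rather than
    ordered; two versions that differ only there are reported as 'changed'.
    """
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def diff_snapshots(old_text: str, new_text: str) -> Dict[str, dict]:
    """Classify every package as added, removed, upgraded, downgraded or changed."""
    old, new = parse_freeze(old_text), parse_freeze(new_text)
    result: Dict[str, dict] = {
        "added": {}, "removed": {}, "upgraded": {}, "downgraded": {}, "changed": {},
    }
    for name in sorted(set(old) | set(new)):
        if name not in old:
            result["added"][name] = new[name]
        elif name not in new:
            result["removed"][name] = old[name]
        elif old[name] != new[name]:
            old_key, new_key = version_key(old[name]), version_key(new[name])
            if new_key > old_key:
                bucket = "upgraded"
            elif new_key < old_key:
                bucket = "downgraded"
            else:
                bucket = "changed"  # ordering undecidable from numeric parts
            result[bucket][name] = (old[name], new[name])
    return result


if __name__ == "__main__":
    for kind, pkgs in diff_snapshots(OLD_FREEZE, NEW_FREEZE).items():
        for name, info in pkgs.items():
            print(f"{kind:10} {name} {info}")
```

Anything in the "downgraded" or "changed" buckets deserves a closer look before committing: a downgrade after a clean reinstall usually means a new upper bound somewhere in the dependency tree, which is exactly the kind of change step 4 is meant to catch.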
  2. Lynx

    for pip, there are a few suggestions here: https://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

    I just use pacman and AUR packages though, one package manager on a system is plenty.

    2 votes
    1. arghdos

      I just use pacman and AUR packages though, one package manager on a system is plenty.

      Eek. System python based packages are almost always far too limited/old for my use cases. This is probably the answer if you only use python casually, or with fairly standard packages but won't help you at all if you get even a bit off the beaten path.

      I would recommend Conda (particularly miniconda) as the best python package manager currently. Something like a hybrid between pip & virtualenv, it can manage separate environments without a sweat, and upgrading / installing packages is simple (even on Windows, where pip usually sucks to try to set up correctly) as they're distributed as pre-built binaries (conda update --all).

      3 votes
      1. Lynx

        System python based packages are almost always far too limited/old for my use cases.

        Personally I've only ever found one python package that wasn't in the AUR, so I added it. Maintainers are usually pretty good at keeping up to date with releases too. But sure, if you need something actually bleeding-edge (i.e. git master), or need to develop your own python software, use a virtualenv, possibly with a wrapper like Conda.

        2 votes
        1. arghdos

          Is AUR more up-to-date / extensive than typical package repos on apt or yum? It sure sounds it :)

          1. Lynx

            The AUR are just user produced build files, and they usually get updated (or flagged out-of-date) as soon as a new upstream version is out. Arch in general is rolling-release, so most software in the repositories is at most a week or two out of date. Debian tends to be more on the scale of months or years.

            5 votes
          2. fifthecho

            AUR is the Arch User Repository. It's a wild-west of user contributed package build scripts.

            Sometimes quality can be so-so (though, really, there's only been a few instances of people getting malicious PKGBUILD scripts into the AUR) but as it's community-run, it tends to be pretty close to the bleeding edge.

            I recall when Microsoft first released VS Code (IIRC only for Ubuntu) and there was a PKGBUILD within 2 hours that unpacked the Debian package, moved things to where Arch would expect them, and then bundled it up.

            Additionally, as Arch is built around being a rolling-release distribution, it should ALWAYS be at (or very closely following) the latest stable release of most any piece of software. Debian, Ubuntu, CentOS, RHEL, and Fedora all stamp a "stable" release and then don't really push new versions of software. Arch is never "stable" (though the platform itself tends to be more often than not), so because there isn't an arbitrary line drawn in the sand, they can push updates like this.

            Arch is great for a desktop/laptop machine...but unless you're containerizing all the things, I wouldn't use it for a server because you never know when something might break (or an update to a library might break your software).

            4 votes
  3. teaearlgraycold

    If you use Anaconda it has a command for updating all of your packages.

    2 votes
  4. joelthelion

    I try to use my distro's package manager instead of pip when possible. In general I try to avoid having too many dependencies. But it's a hard problem anyways.