
gerdesj today at 12:36 AM

I've recently updated a Python script that I originally wrote about 10 years ago. I'm not a programmer - I just have to get stuff done - think sysops.

For me there used to be a clear delineation between scripting languages and compiled languages. Python has always seemed to want to be both and I'm not too sure it can really. I can live with being mildly wrong about a concept.

When Python first came out, our processors were 80486 at best and RAM was measured in MB at roughly £30/MB in the UK.

"For the longest time, ..." - all distros have had scripts that find the relevant Python or Java or whatevs so that's simply daft. They all have shebang incantations too.

So we now have uv written in Rust for Python. Obviously you should install it via a shell script directly from curl!

I love all of the components involved here but please for the love of a nod to security at least suggest that the script is downloaded first, looked over and then run.

I recently came across a GitHub hosted repo with scripts that changed Debian repos to point somewhere else and install ... software. I'm sure that's all fine too.

curl | bash is cute and easy and very, very insecure.
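
The download-inspect-then-run practice the comment asks for, as an added example that is not part of the original post or of any project's installer: the script is saved to a file, its SHA-256 is compared against a value obtained separately (release notes, a signed checksum file), and only a file that matches is executed. The URL, the pinned hash and the `sh` interpreter are assumptions; a real installer may need `bash`.

```shell
#!/usr/bin/env sh
# Added example: fetch an installer to disk, verify it, then run it,
# instead of piping curl straight into a shell.
set -eu

# Download to a local file. --proto '=https' and --tlsv1.2 refuse plain
# HTTP or old TLS; -f makes curl fail on HTTP errors instead of saving
# an error page as if it were the script.
fetch_installer() { # url dest
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Compare the SHA-256 of a downloaded file with a hash pinned out of band.
# Returns 0 on match, 1 otherwise (assumes coreutils sha256sum).
verify_sha256() { # file expected_hex
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ "$actual" = "$2" ]
}

# Run the installer only after it has been read and its hash matches.
# A mismatch is treated as a refusal, not a warning.
run_verified_installer() { # file expected_hex
  if ! verify_sha256 "$1" "$2"; then
    echo "sha256 mismatch for $1; refusing to run it" >&2
    return 1
  fi
  sh "$1"
}

# Typical use (hypothetical URL and hash; not run here):
#   fetch_installer https://example.invalid/install.sh /tmp/install.sh
#   less /tmp/install.sh        # read it first
#   run_verified_installer /tmp/install.sh <PINNED_SHA256_FROM_RELEASE_PAGE>
```

Pinning a hash only helps if the expected value comes from somewhere other than the same unauthenticated download, and reading the file before running it is the step no hash can replace.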


Replies

wiseowise today at 3:47 AM

> Obviously you should install it via a shell script directly from curl!

No? You can install it via pip.

mroche today at 1:29 AM

My solution to this is:

1) Subscribe to the GitHub repo for tag/release updates.

2) When I get a notification of a new version, I run a shell function (meup-uv and meup-ruff) which grabs the latest tag via a GET request and runs an install. I don't remember the semantics off the top of my head, but it's something like:

    cargo install --jobs $(( $(nproc) / 2 )) --tag ${TAG} --git ${REPO} [uv|ruff]

Of course this implies I'm willing to wait the ~5-10 minutes for these apps to compile, along with the storage costs of the registry and source caches. Build times for ruff aren't terrible, but uv is a straight up "kick off and take a coffee break" experience on my system (it gets 6-8 threads out of my 12 total depending on my mood).
pjc50 today at 9:17 AM

> For me there used to be a clear delineation between scripting languages and compiled languages. Python has always seemed to want to be both and I'm not too sure it can really. I can live with being mildly wrong about a concept.

Eh. There's a lot of space in the middle to "well actually" about, but Python really doesn't behave like a "compiled" language. The more important question is: what do you ship to people, and how easily can they use it? Lots of people in this thread are bigging up Go's answer of "you ship a thing which can run immediately with no dependencies". For users that solves so many problems.

Quite a few Python use cases would benefit from being able to "compile" applications in the same sense. There are py-to-exe solutions, but they're not popular or widely used.