Language Registries Are Unstable by Default: https://nesbitt.io/2026/05/15/language-registries-are-unstable-by-default.html
-
@andrewnez I don't disagree but also I don't think this is the wrong decision. I think pushing it down to users is actually the right decision, as long as you accept that FOSS is all about enabling consumers.
I do think that our *deployment* tooling also kinda lost a lot of these channels ideas and it is also hurting.
But like. At some point, we have to accept that the user has to do most of the work in FOSS. That is the basic thing we push on them.
Hell, I am at the point where I do not want to run my production machine on `stable` channels of distros, because they tend to be so conservative they become a performance and security problem.
-
@Di4na kinda agree, but these past few months have been rough, and calling it what it is definitely makes the trade-off more clear
-
@andrewnez yeah. I think we need to start to be a lot more explicit about the "no warranty" part of the licenses again....
-
@Di4na full refund available on request
-
@andrewnez I don't think that's logically consistent.
If I ask a coworker to "install Debian", they will most likely install the latest release of Debian, because I didn't provide a selector of any kind. If I run "podman pull debian" I will get the latest release of Debian.
So, if "pip install requests" installing the latest stable release means that the registry is unstable, then the same terminology would classify container registries and distributions as "unstable."
-
@andrewnez Whether we are talking about registries or distributions, a mechanism exists to provide a selector. If you provide a selector, you expect to follow a specific release stream. And if you don't provide a selector, then you will get whatever stream is newest.
-
@andrewnez The only difference I can logically describe between Debian and a registry is that a stable release of Debian is a *set* of components.
So it might make sense for "pip" to have the option to update a venv by installing the newest release of each component's release stream without rebasing anything in the set.
-
@andrewnez But I can't logically describe how PyPI could offer something more stable than it does. Who would define the release cadence? What is a set? In what way is the registry better suited to defining a set or a cadence than the application developers that pull components from it?
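Added example, not part of the thread and not a pip feature: a sketch of the idea raised above of updating a venv to the newest release of each component's release stream without rebasing the set. It assumes a "release stream" means "same major version" (the thread does not define it), uses a constructed index and venv, and parses versions in a simplified way rather than following full PEP 440.

```python
import re

# Constructed sample data: package -> versions a registry might list.
INDEX = {
    "requests": ["2.31.0", "2.32.3", "2.33.0rc1", "3.0.0"],
    "urllib3": ["1.26.18", "1.26.20", "2.2.3"],
    "idna": ["3.7"],
}
# Constructed venv contents: package -> installed version.
INSTALLED = {"requests": "2.31.0", "urllib3": "1.26.18", "idna": "3.7"}

_FINAL = re.compile(r"^\d+(\.\d+)*$")  # final releases only, e.g. 2.32.3


def parse(version):
    """Return a comparable tuple of ints, or None for pre/dev releases."""
    if not _FINAL.match(version):
        return None
    return tuple(int(part) for part in version.split("."))


def newest(versions, major=None):
    """Newest final release, optionally restricted to one major version."""
    candidates = [(parse(v), v) for v in versions if parse(v) is not None]
    if major is not None:
        # Assumption: the release stream is the major version line.
        candidates = [c for c in candidates if c[0][0] == major]
    return max(candidates)[1] if candidates else None


def plan_update(installed, index):
    """Map each package to (in_stream_target, no_selector_latest)."""
    plan = {}
    for name, current in installed.items():
        cur = parse(current)
        available = index.get(name, []) + [current]
        # An installed pre-release has no stream here, so it is left as-is.
        in_stream = newest(available, major=cur[0]) if cur else current
        plan[name] = (in_stream, newest(available))
    return plan


if __name__ == "__main__":
    for pkg, (stream, latest) in plan_update(INSTALLED, INDEX).items():
        note = "" if stream == latest else f"  (no selector would give {latest})"
        print(f"{pkg}: {INSTALLED[pkg]} -> {stream}{note}")
```

The second element of each pair is what a request with no selector resolves to, so the difference between the two columns is the set of stream jumps a pinned-stream update would hold back.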