0 added
0 removed
Original
2026-01-01
Modified
2026-02-21
1
<p>At one point, developers realize they want to share their code with other programmers. They can write a library of functions or a ready-made program and then pass it on to others. Programmers usually use packages used in this case.</p>
1
<p>At one point, developers realize they want to share their code with other programmers. They can write a library of functions or a ready-made program and then pass it on to others. Programmers usually use packages used in this case.</p>
2
<h2>How packages work</h2>
2
<h2>How packages work</h2>
3
<p>Packages are sets of modules and nested packages. But that's not the only meaning of the term. In a broader sense,<strong>a package</strong>is a unit of code exchange between developers.</p>
3
<p>Packages are sets of modules and nested packages. But that's not the only meaning of the term. In a broader sense,<strong>a package</strong>is a unit of code exchange between developers.</p>
4
<p>Python packages contain source code and<strong>metadata</strong>- additional information, including:</p>
4
<p>Python packages contain source code and<strong>metadata</strong>- additional information, including:</p>
5
<ul><li>Purpose of the package</li>
5
<ul><li>Purpose of the package</li>
6
<li>The current version of the package and a list of previous versions</li>
6
<li>The current version of the package and a list of previous versions</li>
7
<li>Compatibility with different versions of Python</li>
7
<li>Compatibility with different versions of Python</li>
8
<li>The license under which creators distribute the package</li>
8
<li>The license under which creators distribute the package</li>
9
<li>List of package dependencies</li>
9
<li>List of package dependencies</li>
10
</ul><h2>Index</h2>
10
</ul><h2>Index</h2>
11
<p>Suppose we've created a finished package and want to share it with the world. The assembled package is an ordinary file we can pass on to another person. It is the simplest case.</p>
11
<p>Suppose we've created a finished package and want to share it with the world. The assembled package is an ordinary file we can pass on to another person. It is the simplest case.</p>
12
<p>Let's complicate the task and imagine that our package needs another package to work. It gets complex, so we need to add more packages, which sometimes need more packages. And this cycle can go on forever.</p>
12
<p>Let's complicate the task and imagine that our package needs another package to work. It gets complex, so we need to add more packages, which sometimes need more packages. And this cycle can go on forever.</p>
13
<p>To handle this complexity, we use<strong>package repositories</strong>. They are usually called<strong>indexes</strong>in Python. They also provide a user-friendly interface for searching for packages and familiarizing yourself with their descriptions. It's usually in the form of a web page. The most popular package index is<strong>PyPI</strong>(<em>Python Package Index</em>). It is what you'll be working with most of the time.</p>
13
<p>To handle this complexity, we use<strong>package repositories</strong>. They are usually called<strong>indexes</strong>in Python. They also provide a user-friendly interface for searching for packages and familiarizing yourself with their descriptions. It's usually in the form of a web page. The most popular package index is<strong>PyPI</strong>(<em>Python Package Index</em>). It is what you'll be working with most of the time.</p>
14
<p>But there are other indexes. Most package management tools can handle a variety of indexes. For example, many companies use custom indexes to host packages that aren't open source. Another index is<strong>Test PyPI</strong>. It is an index of packages used to teach the Python packaging system.</p>
14
<p>But there are other indexes. Most package management tools can handle a variety of indexes. For example, many companies use custom indexes to host packages that aren't open source. Another index is<strong>Test PyPI</strong>. It is an index of packages used to teach the Python packaging system.</p>
15
<p>It's not very convenient to display hundreds or thousands of training packages. They get caught in searches, they take all the names, and others clutter up the main index.</p>
15
<p>It's not very convenient to display hundreds or thousands of training packages. They get caught in searches, they take all the names, and others clutter up the main index.</p>
16
<p>The test index works just like the main PyPI. It allows you to upload and download packages but periodically deletes all data.</p>
16
<p>The test index works just like the main PyPI. It allows you to upload and download packages but periodically deletes all data.</p>
17
<h2>Indexes versus code repositories</h2>
17
<h2>Indexes versus code repositories</h2>
18
<p>Some repositories don't store packages but only index and manage package metadata. The code is on GitHub, BitBucket, and GitLab, source code repositories.</p>
18
<p>Some repositories don't store packages but only index and manage package metadata. The code is on GitHub, BitBucket, and GitLab, source code repositories.</p>
19
<p>This approach generally works for interpreted languages; you need access to the source code to use the package code anyway.</p>
19
<p>This approach generally works for interpreted languages; you need access to the source code to use the package code anyway.</p>
20
<p>However, storing code on third-party resources with metadata sources has several drawbacks.</p>
20
<p>However, storing code on third-party resources with metadata sources has several drawbacks.</p>
21
<p>First, only the author of the code owns the published code. The author can delete his repository, but the information about the package in the index remains. People who already started using the deleted package won't be able to build their projects.</p>
21
<p>First, only the author of the code owns the published code. The author can delete his repository, but the information about the package in the index remains. People who already started using the deleted package won't be able to build their projects.</p>
22
<p>Second, GitHub and other Git repositories do not guarantee the integrity of the data when we use tags and branches alone. And this is the most common way of tying code state to information in the index, meaning that anyone with access to the repository can rewrite its history.</p>
22
<p>Second, GitHub and other Git repositories do not guarantee the integrity of the data when we use tags and branches alone. And this is the most common way of tying code state to information in the index, meaning that anyone with access to the repository can rewrite its history.</p>
23
<p>Even if you bind package versions in the index to hash sums of commits in Git, changing the history will lead to the first problem: the package version will point to a non-existent source. If we overwrite the history, the hash sums of the commits will also change.</p>
23
<p>Even if you bind package versions in the index to hash sums of commits in Git, changing the history will lead to the first problem: the package version will point to a non-existent source. If we overwrite the history, the hash sums of the commits will also change.</p>
24
<p>Both of these reasons break an essential feature of the packaging system: the<strong>reproducibility of the repository</strong>. This property implies that any project with an accurate description of its dependencies will run at any time, even if we use old versions of packages and the interpreter.</p>
24
<p>Both of these reasons break an essential feature of the packaging system: the<strong>reproducibility of the repository</strong>. This property implies that any project with an accurate description of its dependencies will run at any time, even if we use old versions of packages and the interpreter.</p>
25
<p>For reproducibility, a centralized index that independently stores all versions of all packages in unmodified form is more appropriate. It gives the programmer a better guarantee that an old project will run at any time, under any circumstances.</p>
25
<p>For reproducibility, a centralized index that independently stores all versions of all packages in unmodified form is more appropriate. It gives the programmer a better guarantee that an old project will run at any time, under any circumstances.</p>