aloisklink | 3 years ago
If you're writing Python code, `poetry` has been the least bad package manager in my experience. It has a lock-file, so it should help avoid supply-side attacks (like the PyTorch one from a few days ago [1]), and it means your local environment and CI/CD environment should have the same packages installed.
I'd also recommend setting the [`virtualenvs.in-project`][2] setting to `true`, to store the `.venv` in the same folder as your code, so that when you delete your code, all of the downloaded packages get deleted too. Otherwise they'll just stick around in your user directory and use up a lot of disk space.
[1]: https://pytorch.org/blog/compromised-nightly-dependency/
[2]: https://python-poetry.org/docs/configuration/#virtualenvsin-...
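As an added example (not from the commenter above, and not Poetry's own code), here is a small audit of what a `poetry.lock` actually pins, which is the property the comment relies on: each package is locked to one version with sha256 file hashes, so an installer can reject a download that does not match, and any package resolved from somewhere other than the default index is made visible. It assumes the Poetry 1.x lock format (`[[package]]` entries with a `files` list of `{file, hash}` tables and an optional `[package.source]` table) and Python 3.11's `tomllib`; the lock text embedded below is constructed for the example and its digests are placeholders, not real hashes.

```python
"""Audit a poetry.lock for the guarantees a lock file is supposed to give.

Added example, not Poetry project code. Assumes the Poetry 1.x lock format.
"""
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

PLACEHOLDER_DIGEST = "0" * 64  # constructed placeholder, not a real digest

# Constructed lock file: one package with hashes from the default index, one
# package with no hashes that was resolved from a private ("legacy") index.
SAMPLE_LOCK = f'''
[[package]]
name = "requests"
version = "2.31.0"
description = "Python HTTP for Humans."
optional = false
python-versions = ">=3.7"
files = [
    {{file = "requests-2.31.0-py3-none-any.whl", hash = "sha256:{PLACEHOLDER_DIGEST}"}},
    {{file = "requests-2.31.0.tar.gz", hash = "sha256:{PLACEHOLDER_DIGEST}"}},
]

[[package]]
name = "internal-tool"
version = "0.3.1"
description = "Constructed example of a package pulled from a private index"
optional = false
python-versions = ">=3.8"
files = []

[package.source]
type = "legacy"
url = "https://pypi.internal.example/simple"
reference = "internal"

[metadata]
lock-version = "2.0"
python-versions = "^3.11"
content-hash = "{PLACEHOLDER_DIGEST}"
'''


def audit_lock(lock_text: str) -> dict[str, list[str]]:
    """Return {package name: [problems]} for entries that weaken the lock.

    Problems reported:
      - no recorded file hashes (nothing for the installer to verify against)
      - a hash that is not a well-formed sha256 digest
      - a package resolved from a non-default source (git, url, private index)
      - the same name locked at more than one version
    """
    lock = tomllib.loads(lock_text)
    issues: dict[str, list[str]] = {}
    versions_seen: dict[str, set[str]] = {}

    for pkg in lock.get("package", []):
        name = pkg["name"]
        problems = issues.setdefault(name, [])
        versions_seen.setdefault(name, set()).add(pkg["version"])

        files = pkg.get("files", [])
        if not files:
            problems.append("no file hashes recorded; downloads cannot be verified")
        for entry in files:
            if not SHA256_RE.match(entry.get("hash", "")):
                problems.append(f"unusable hash for {entry.get('file')}")

        source = pkg.get("source")
        if source is not None:
            where = " ".join(s for s in (source.get("type"), source.get("url")) if s)
            problems.append(f"resolved from non-default source: {where}")

    for name, versions in versions_seen.items():
        if len(versions) > 1:
            issues[name].append(f"multiple versions locked: {sorted(versions)}")

    return {name: problems for name, problems in issues.items() if problems}


if __name__ == "__main__":
    for name, problems in audit_lock(SAMPLE_LOCK).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

Run it against a real `poetry.lock` by reading the file into `audit_lock`. The caveat a practitioner should keep in mind: the lock only records what was resolved at `poetry lock` time, so a package that was already substituted when the lock was generated gets its bad hash pinned faithfully; the value is in catching later changes, and in reviewing lock diffs and flagged sources when they appear. The in-project venv from the comment is set with `poetry config virtualenvs.in-project true`.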