Hacker News

Gormo, today at 3:02 PM, 8 replies

Just downloaded source and built this to play around with it. I was a bit surprised that the first thing it did when I ran it was to start downloading binaries from the internet. It went off to fetch FFmpeg from some remote server, but I already have FFmpeg installed. Then it tried and failed to install its own Python interpreter, which is another thing that's already present on the system.

How come this is trying to install its own vendored dependencies, including executable binaries, instead of checking for what's already installed? That approach can lead to both security and performance issues.

Edit: the Python download isn't failing, but rather the application itself is looking for the executable interpreter in `lib` rather than `bin` once the download completes. I built the release tarball in the git repo, and I'm pretty amazed that such a basic error could make it into release code.

Further edit: I tried using the build script in the tarball rather than just doing a `cargo build -r`, and it started trying to install Docker containers! Docker to build a desktop application! What is going on here?
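The resolution order the post argues for, written out as an added example (not code from the project being discussed): prefer a tool already on PATH, then a vendored copy under `bin/` (a file misplaced under `lib/` is not treated as runnable), and only then fall back to a download that must match a checksum pinned at build time. Tool names, paths and hashes are constructed.

```python
"""Defensive dependency resolution for a desktop app that needs ffmpeg and a
Python interpreter. Order: installed on PATH -> vendored under <vendor>/bin ->
download verified against a build-time pin. All names here are constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed pin for the demo payload b"abc"; a real app fixes this at build time.
PINNED_SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

def find_installed(tool: str) -> Optional[str]:
    """Return the path of a tool already present on PATH, or None."""
    return shutil.which(tool)

def find_vendored(tool: str, vendor_dir: Path) -> Optional[Path]:
    """Only vendor_dir/bin counts; lib/ is deliberately not searched."""
    candidate = vendor_dir / "bin" / tool
    if candidate.is_file() and os.access(candidate, os.X_OK):
        return candidate
    return None

def resolve(tool: str, vendor_dir: Path) -> Tuple[str, Optional[str]]:
    """Resolution order: installed -> vendored -> ('download', None)."""
    found = find_installed(tool)
    if found:
        return ("installed", found)
    vendored = find_vendored(tool, vendor_dir)
    if vendored:
        return ("vendored", str(vendored))
    return ("download", None)

def verify_download(payload: bytes, expected_sha256: str) -> bool:
    """A fetched payload may only be executed if it matches the pin."""
    return hashlib.sha256(payload).hexdigest() == expected_sha256

def demo() -> dict:
    """Constructed vendor tree: ffmpeg under bin/, interpreter misplaced under lib/."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp)
        for sub, name in (("bin", "ffmpeg-x"), ("lib", "python-x")):
            p = vendor / sub / name
            p.parent.mkdir(exist_ok=True)
            p.write_text("#!/bin/sh\n")
            p.chmod(0o755)
        return {
            "ffmpeg": resolve("ffmpeg-x", vendor)[0],
            "python": resolve("python-x", vendor)[0],
            "ok_hash": verify_download(b"abc", PINNED_SHA256_ABC),
            "bad_hash": verify_download(b"abc", "0" * 64),
        }
```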


Replies

mft_, today at 7:53 PM

It's probably pertinent to mention that the Python installation ecosystem is a hot mess, with multiple ways of installing Python (e.g. standard Python installer, multiple different package managers on different OSes, Conda, and myriad package managers which can also install Python). And of course, these can all be in different locations, and may have different approaches to installing libraries.

Which is to say, I don't blame the author for wanting a single installation that his app can manage and rely on, even though I wish it was different.

raincole, today at 3:47 PM

> instead of checking for what's already installed

Plenty of software comes with its own Python runtime. Even Blender uses its own Python runtime. I can name so many apps with embedded Python runtimes: Blender, Houdini, Bitwig, Substance Painter, Krita, etc. Checking for what's already installed isn't the norm. In Krita's case, it uses installed Python to build it... and in the building process it builds another Python runtime for its own!

This app should have probably bundled the runtime instead of downloading a new one though.

> install its own vendored dependencies

> lead to both security and performance issues

npm install and pip -r theoretically have the same kind of security issue. How many projects on github run this kind of command during build process? My guess is in the order of millions.

HWR_14, today at 7:15 PM

> How come this is trying to install its own vendored dependencies

"Why does this new software do X?" is probably answered by "the vibe worked on my system"

bityard, today at 3:47 PM

This is unfortunately becoming more common.

Just yesterday, I went to try out some cool new AI thing that was here on the front page of HN. It's written in Python. Great, I thought, that means I can put it into a virtualenv and just rm the whole tree when I'm done and my system will be exactly in the same state it was previously.

But sadly... no... the first time I ran it, this Python program started downloading and installing Node/NPM, and all kinds of other stuff to my machine WITHOUT even asking for permission. Sorry app developers, but my machine and my home directory are my workplace. They are curated property, you are NOT allowed to just install whatever you wish.

I expect this kind of behavior from programs whose only supported installation method is a curlpipe. (And I do avoid those.) I do not expect it from programs that claim to be installable by pip, or ship their own binaries. These NEED to be called out as vulnerable to supply-chain attacks at worst and extremely disrespectful to users at best.

ravenstine, today at 4:54 PM

> How come this is trying to install its own vendored dependencies, including executable binaries, instead of checking for what's already installed? That approach can lead to both security and performance issues.

I've been sympathetic to your viewpoint, and I can see why this kind of thing is becoming more common.

The idea that users can reliably supply their own vendor libs/execs for applications is a bit of a fantasy. Devs working on fixing issues caused by the user having a strange issue due to the version of Python or whatever that they have installed is largely a waste of time when the application can "simply" ship with the exact dependencies it expects. This is especially true when it comes to open source work. Dealing with weird edge cases because the user has a version of FFmpeg installed that, for whatever reason, is missing h264, is work that nobody asked for. Given that the audience of this kind of app is a general one (not specific at all to devs), it doesn't make sense to require other system packages to be present; if things like Python and FFmpeg are not required and will be downloaded anyway as part of the app install process, then there's no point in not always doing that. If you think about it, it's hardly different from any other sort of software dependency. The dependencies are just relatively bigger.

Personally, I have no desire for my applications to use other executables on my system unless I request that they do so explicitly. I'm sympathetic to the idea from a mere efficiency perspective, especially when it comes to developer tooling. But a karaoke app? No offense, but why care? A Python interpreter will be anywhere between 50 and 200 megabytes. FFmpeg is even smaller, especially if you don't enable every single feature and codec. Compared to how ridiculously bloated your average basic mobile app is (without anything like a built-in JIT), bundling a desktop application with something like Python provides a lot of power relative to the number of bytes added.

ramesh31, today at 3:09 PM

> How come this is trying to install its own vendored dependencies, including executable binaries, instead of checking for what's already installed? That approach can lead to both security and performance issues.

Because the person who vibecoded this had no idea they should have been doing that.

rzzzzr, today at 3:44 PM

I'm just using cross https://github.com/cross-rs/cross to build cross-arch. You can still use `cargo build`, it will just work.

jsjshsshhs, today at 4:12 PM

welcome to the millennial way of doing things

always assumes internet is connected

always assumes everything is trusted