Managing Python Dependencies Transcripts
Chapter: Finding Quality Python Packages
Lecture: "Rules of Thumb" for Selecting a Great Package - Part 2
Login or
purchase this course
to watch this video and the rest of the course contents.
0:01
Not all Python packages are going to have a dedicated project homepage.
0:04
But what every project should have is some form of README file,
0:09
that introduces you to the project. So I always check those too.
0:13
And what I like to see here, is that
0:16
I want the README to cover the basics of the project,
0:19
what does the library do, and how do I install it.
0:23
You could learn a lot about the quality of a library,
0:25
by looking at how the maintainers communicate the value that the library provides,
0:30
I also want to know what license the project is under,
0:33
because that could really influence in what circumstances
0:36
you can actually use the project and then, it makes sense to quickly check
0:40
who the author is, is it a group of people,
0:43
is it a company, is it an individual contributor,
0:46
what have they done in the past, and do they seem trustworthy?
0:49
Let's take a look at a real project README now.
0:53
Alright, I am going to try and find the README file for the Reqests library now.
0:57
So, typically, what you'd be looking for is a link to the project source repository
1:02
so it already looks like this is hosted on GitHub here,
1:05
so I am just going to look for a link.
1:09
Alright, there we go, requests at GitHub,
1:12
so that should be the link to the GitHub project
1:14
where we can check out the project README, yes, this is it,
1:16
so when I scroll down this is where GitHub displays the README file,
1:19
and for other source control websites like Bitbucket,
1:22
they will either display the readme in the same fashion
1:25
or you can view it by finding the README file and then clicking directly on that.
1:29
Now the first thing that I can see here is that this looks really similar
1:32
to the project homepage which isn't a bad thing,
1:35
I mean, this contains all of the information that I wanted to get out of the README
1:38
and it looks like it's really well structured and nicely formatted.
1:41
So this is great, this tells me how to install the library, and it looks really simple,
1:46
it's pointing me to the documentation
1:48
and it also tells me how to contribute to the project.
1:52
If you're wondering what should go into a great README file,
1:54
I wrote this article a while ago,
1:56
about how you can write a great README for a github project,
1:59
I am covering a number of things here that in my opinion
2:01
should go into a great README, for example, it should talk about
2:05
what the project actually does, how to install it,
2:07
some example usage, how someone could set up a development environment,
2:11
some link to a change log, and then also license and author info,
2:16
you can check out the full article in the link that you see here.
2:24
Now let's go back to the Requests README. I said that I'd like to know
2:28
under which license a library was published, so let's find that out now.
2:31
Usually where you can find that information is in a license file,
2:34
at the root of the repository.
2:37
So this tells us that Requests is under the Apache license,
2:39
a popular open source license; if you're wondering
2:42
what the most common open source licenses are,
2:44
and what their terms are there is a really great website you should check out.
2:48
Go to choosealicence.com/licenses and they have great simple
2:54
and human readable explanations of the conditions and permissions
2:58
and limitations in the most popular open source licenses.
3:02
So for example, this is the Apache license used by Requests,
3:05
and this gives us a quick overview over the terms of the license,
3:09
without actually having to drill down into the nitty gritty details.
3:13
Another thing that I'd like to know is who the authors are,
3:17
who wrote a library. Now, typically, in an open source library,
3:21
you can find an AUTHORS file that will list all the contributors,
3:24
again here with Requests you can get a really quick overview
3:29
of who the core maintainers are, and then there was apparently
3:33
a whole bunch of people who have submitted patches over time,
3:36
and this is a great sign because it means you have a project leadership
3:39
and then you also have a large group of people who are dedicating patches
3:42
and contributions to the project.
3:45
We could also check out the GitHub user account that hosts the Request library,
3:49
and in this case, it's Kenneth Reitz and you can see that Kenneth has
3:52
a number of very popular libraries in the Python space,
3:56
he is working for respectable and well known company
3:59
and these are all indicators that Requests is a really great library.
4:04
At the end of step 4, maybe the field has narrowed down a little bit further,
4:09
every Python library should have a good project README,
4:12
and I find it helpful to familiarize myself with the licensing terms for the project,
4:17
and the team of people working on or maintaining the library.
4:23
In step 5, you're going to make sure that the project is actively maintained.
4:27
In my mind, this is one of the most important quality indicators,
4:31
now how can you find out if a project is under active development,
4:35
usually a great way to find that information is to check out
4:39
the project changelog and the update history.
4:42
You could either do that directly on PyPi
4:45
or by checking the project source repository,
4:48
also on the source repository you can usually find a bug tracker for the project.
4:52
Now this can tell you a lot about how the project is being maintained.
4:57
Are there discussions going on, are there many open tickets for severe bugs?
5:02
If there are no tickets, than that is usually not a great sign either,
5:05
because in my experience, any project that gets some traction,
5:08
has a flood of bug reports coming in; now I would recommend
5:12
that you skim through some of those bug reports,
5:15
just to make sure that there isn't some large problem with the project
5:18
that would affect your ability to use it properly.
5:20
Another piece of information you can find directly on the source repository
5:24
is when the last commit to the project happened.
5:27
Now you don't want to discount projects that do not have
5:30
a lot of development activity going on at the moment,
5:33
I'd rather pick a well seasoned project that is also well maintained
5:37
or at least not abandoned over one that's super maintained but also brand new,
5:43
because then you don't really know what the future holds,
5:46
maybe the project is going to get abandoned in a few months,
5:49
and then you're stuck with it, whereas a seasoned library
5:52
that still does its job properly but it's not getting a lot of feature updates,
5:55
could still be totally worth your while, there is nothing wrong
5:58
with an older library that does its job really well.
6:00
At the end of step 5, your list of candidates projects
6:03
will likely have narrowed down further and this is a good thing,
6:06
the more projects you can weed out, the easier it will be
6:09
to pick the perfect library for your usecase.
6:12
You are almost done here. In step 6,
6:16
you would spot check the source code of the project.
6:19
I always like to look under the hood
6:22
of a library that I am going to use in my own programs.
6:26
And usually, this is really easy to do if you're dealing with an open source project,
6:29
you just open the project repository website and browse around in the code a little bit.
6:34
Here is what I like to see.
6:36
Does the code follow community best practices,
6:39
for example, does it have a consistent formatting style,
6:42
are there comments in the code, are there docstrings, stuff like that,
6:46
another hugely important topic for me is whether or not
6:50
the code has automated test coverage, in my mind,
6:53
a good quality Python package will always have an automated test suite.
6:57
Looking at the code will also give you a good idea
7:00
of how experienced the developers were who wrote the library;
7:03
often you can tell at a glance whether it was someone
7:06
who had a deep understanding of Python who wrote a library,
7:09
or if it was someone who was maybe coming from
7:12
an entirely different language background
7:14
and was just kind of told to write a Python library.
7:17
Now, this doesn't automatically mean disaster,
7:20
but it's still a really good quality indicator. In the end,
7:23
it all boils down to the question would you feel comfortable
7:26
making small changes to this library if you had to?
7:30
Because that is what the worst case scenario is.
7:33
Imagine you are building a really successful application
7:35
that is using a particular library and then
7:37
the original authors of the library stop maintaining it.
7:40
Well, if you don't want to give up your project,
7:43
it will pretty much come down to you maintaining this library,
7:46
at least enough so you can use it for your own purposes.
7:49
This is something that I always try to keep in the back of my head
7:52
when I make a decision whether to use one library or another.
7:55
Alright, let's take a look at what this looks like in practice.
8:00
So I am back here looking at the GitHub repository for the Requests library.
8:05
And that gives me a really easy way to browse through the library source code,
8:08
so I don't even have to install it, I can just use the GitHub code viewer
8:12
and browse around and I don't need to pull this over into my own editor.
8:17
So what I would do here is try and find the main directory
8:20
where all the source files live in, and in this case,
8:23
it's the requests folder so typically this would be named after the library,
8:27
and you can see here there is a bunch of Python files in there.
8:31
This seems pretty well structured already and you can also see
8:34
there is a lot of activity here so these are being updated all the time.
8:39
Now let's check out one of those files.
8:41
For example, the cookies.py file, that sounds tasty.
8:44
And I would just spend some time reading that code,
8:47
so things that I immediately like here is that there is docstrings,
8:50
the imports are nicely formatted, you can see here
8:54
the classes seem like they are named properly,
8:58
again, there are extensive docstrings for everything,
9:02
this class here with these methods on it, they seem well structured, right,
9:09
there is not this crazy long like a thousand lines methods here.
9:13
This is all pretty nice and tidy and when I scroll further through the file,
9:17
it all just seems like it's following a structure and it's formatted in the way
9:24
that makes it easy on the eyes, and that is usually a really good sign,
9:28
like imagine you have to maintain this code,
9:31
personally I would much rather work with code that looks like this,
9:34
than some convoluted mess.
9:36
And you can see here it seems to adhere to the PEP 8 formatting style
9:40
which I think is also a good sign
9:42
because if you are also using PEP 8 or something similar,
9:45
than this library code is going to look similar to your application code,
9:47
which also helps maintenance.
9:52
Yeah, so I would say this looks pretty good, let's see if we can find some tests.
9:57
Okay, so there is a tests folder here, and again,
10:04
it looks like there are whole bunch of tests here,
10:06
so let's check out the test_structures, alright,
10:10
so they are using pytest which is a library that personally I like a lot
10:13
so this would be a good sign for me, first of all I love the fact
10:18
they have an automated test suite here and just glancing over those tests,
10:26
I mean, they seem pretty reasonable, right,
10:30
they seem like they are actually testing stuff, they are not just placeholders
10:33
or dummy tests they are actually doing some things.
10:36
Now, usually I wouldn't do like a full code review for a library that I want to use,
10:41
but I just want to do some spot checking to get an idea
10:45
of the code quality for that library, because, in the worst case scenario
10:49
I might actually have to do some maintenance work on this library,
10:52
if someone stops maintaining it and it's an important part of my own application,
10:56
then I would be pretty much responsible for keeping this thing alive
11:00
so that I can continue to use it.
11:03
So this is always something that is in the back of my head;
11:06
of course, Requests here passes that test with flying colors,
11:09
and seeing how popular that library is, it's probably going to be maintained
11:12
for a really long time so I wouldn't be too worried about this,
11:15
but, of course it helps that it has great code quality too.
11:19
Okay you made it all the way to step 7, and this is the last step in this workflow.
11:26
So at this point, you would have a much narrow down list of candidates,
11:31
and now it's time to try out a few of them.
11:33
So at this point, I would go over my notes and my memories,
11:36
and take this narrow down list of candidates and just start installing
11:39
some of them to try them out, in an interpreter session,
11:44
and I am always suing a fresh virtual environment for that
11:46
so that I am not cluttering up my system.
11:48
I would encourage you to do the same, and then you can just launch
11:51
into an interpreter session, import the library, and play with it a little bit.
11:55
Or you might write a couple of small programs
11:58
just to get a feel for how the library works,
12:01
so for example, with Requests, maybe I would write a little program
12:05
that downloads a file over HTTP and then I would try and implement
12:09
the same example with a different library to get a feel
12:12
for what the strength and weaknesses are of each of them.
12:16
Now actually, installing the library and then trying it out is
12:19
going to tell you something very important; it's going to tell you
12:22
whether the package installs and imports cleanly, because,
12:26
at the end of the day that is super important, even if you have the best library
12:30
for your purpose and it's so painful to install
12:33
or it doesn't work on your system, then that is not going to help you.
12:37
So I always make sure to actually get some hands on experience
12:40
with my top 3 choices or so, so that I can be confident into decision that I make.
12:45
Another very important question is
12:47
whether or not you enjoy working with the package.
12:50
I strongly believe that developers should use tools that they enjoy working with,
12:53
and this also applies to third party packages and modules and libraries.
12:57
So for me, this would always factor into the decision,
13:02
now I realize that there might be business constraints
13:04
and sometimes you just have to work with something
13:06
that you are not enjoying as much.
13:08
But if there is a way to get the best of both worlds,
13:11
a really great library that is actually fun to work with,
13:13
I would always pick the one that is fun to work with and gets the job done.
