lime!@feddit.nu to Privacy@lemmy.ml • Running local LLMs for privacy as an alternative to ChatGPT, MS Copilot etc.?
1 · 18 hours ago
that’s an oversimplification.
python is slow because it’s meant as glue; all the important parts of the ml libraries are written in other languages.
all the dependency stuff is due to running outside of a managed environment, which has been the norm for 10 years now. yes venv/bin/activate is clunky, but it solves the problem.
also, what supply-side attacks?
lua is probably a better first language though.
python dependencies, like all scripting language dependencies, must not be installed via the system package manager. yes python’s package management is bad, but if package maintainers for nix are not following best practices then honestly that’s their problem, not the tooling’s. this is python packaging 101.
also, malicious PRs being accepted due to ml people being famously bad at actual software engineering is not a “supply chain attack”. and they are definitely not worse than npm, because the problem wasn’t in pypi. pypi is historically really good at preventing this sort of thing, but what can you do when the actual, well-formed release approved and pushed by the actual maintainers has a cryptominer in it?