-
-
Notifications
You must be signed in to change notification settings - Fork 471
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FIX] queue_job: remove requests
from Python dependencies
#530
Conversation
fdf4b1c
to
515b1c2
Compare
Hi @moylop260, @guewen, Could you review, please? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a requirement for the jobrunner, you cannot just delete it.
I never had an issue w/ the version.
However if you explain the problem you had and which range of versions would be good we could consider pinning it.
Hi @guewen, |
Hi @simahawk, I understand this is a required library. However, this library is also installed by Odoo natively: https://github.com/odoo/odoo/blob/54e58b3e47ee/requirements.txt#L51 So there's no need to add it also here, because, if we're using Odoo, we can know for sure it will be installed. Besides, as you may appreciate on the above link, library version varies depending on Python version, for compatibility reasons. If we try to install requirements from here, we could be installing an incompatible version for Odoo. Lastly, external dependencies are meant to be external packages not-already installed by Odoo. If we'd have to add I hope my point is clear now. Regards, |
Hi @pedrobaeza, What do you think about this one? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with the reasoning. It's redundant and may cause problems having this one without pinning version and the Odoo one being pinned.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I disagree. This is a required dependency of queue_job. There is no reason to remove it.
I think it is important that each modules explicitly declares the dependencies it relies on. At the minimum it has documentation value. The fact that Odoo depends on request is a kind of implementation detail of Odoo and they could decide to use something else in the future. In that case we'll be happy to know which module depend on it. This is true for all dependencies. @luisg123v could you elaborate in which cases this causes problems so we can better understand the reason for this PR? |
If it's a problem to remove from here the |
That is even worse, because different environments may require different versions of the request library. Addons authors should not pin dependencies unless there are very good reason to do so. Pinning dependencies is the role of the integrator, not the role of library/addons authors, who should only place constraints on the versions that are necessary for their needs, not more. |
Hi @sbidoul, Adding a requirement already included by Odoo unpinned could cause several issues:
On the other hand, answering to this:
It may be so, but this module is designed to work with this specific Odoo version. For this Odoo version, As I mentioned above, if we neeeded to specify all libraries used by our modules that are already part of Odoo, we will need for instance to include urllib in most of the theme modules. I hope I made my point clear now. Regards, |
Sure they guarantee that. But it often happens that we need to deploy other libraries that are not compatible with the versions pinned in Odoo's requirements.txt (which are often outdated, to be honest). In that case it is the responsibility of the integrator to resolve the conflict and test accordingly.
Then, frankly, it is the deployment process that needs to be fixed. We do that daily and never had that kind of issue. When you
It that case it is probable that there is no solution. But it never happens with a dependency without version constraints like
Yes, and if we have not declared direct external dependencies we'll have no easy way to analyze and locate places where we need to change.
Do you mean
This is not the correct definition of external dependency. An external dependency is any library that is not part of the standard python library and is used directly by the addon. To take another example, assume I write a python application that uses both |
I disagree on this. Suppose I want to implement a module related to product that is not compatible with the native product module. IMHO, it's responsibility of the module developer to make such module compatible with Odoo.
This is true only if no upgrade is asked. If I run
On this repo, a version different from the one included by Odoo will be installed
The solution is to pin or delimit valid versions. The problem with no delimiting versions is literally all available versions could be considered.
We have a lint for that, to detect external dependencies not declared on manifest. BTW, on that lint, we have whitelisted Odoo requirements for the same reason, which is we consider them implicit ones.
You're right, that was not a good example. We could take instead the
Where does that definition come from? I don't agree with that definition. See Odoo modules, none of them include
I think this is debatable. When you reference dependencies that you already know will be installed, that is called superfluous dependencies.
Exactly. When we need to depend on the account module, we don't manually depend also on product, portal, analytic, etc; even if we require features from those modules, because we know they are required by the account module, so we can assure they will be installed. Then, those dependencies are superfluous. |
This is really the part you need to fix in your workflow. Asking pip to do an upgrade without giving the full requirements set is going to break your environment one day or another. Imagine for instance that you need repo
Well, I do ;) If I inherit a view, I always depend on the lowest level module that defines the view with the features I need. And I try to do the same when I inherit a model. This give a much better understanding of the dependency graph. |
I agree on this. Actually, this is why I think all requirements should be pinned or at least delimited, whenever possible. Otherwise, if I depend on several OCA repos and each of them provides several unpinned requirements and I build a single requirements file containing all of them, pip could fail to find the right combination of pip dependencies (the case I commented above).
I disagree with this approach, this would force us to include a bunch of dependencies that are not necessary (superfluous ones). We even had a module that identified superfluous ones and linted them (I don't remember the repo, though, maybe server-tools).
I also disagree on this. When Odoo computes the dependency graph, it builds something similar to a tree, i.e. by levels. When we include only non-superfluous dependencies, our graph is more similar to what Odoo builds. But if we include them, is much more harder to determine which module depends on what one. Having a good notion of the actual module graph is useful in many situations, e.g. during migrations because we may know what modules to migrate at first. |
@sbidoul I have replicated the problem in odoo.sh. When placing this repo, the newest version is installed on top of the one that Odoo has pinned. request is already in the odoo requirements, it shouldn't be as a dependency here. |
I have seen a few projects with PRs already merged with similar changes except this one Should we have special consideration in this project? Also, It is installing non even compatible version py packages for deployments != OCA (e.g. OdooSH, DeployV) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Such dependency is already included in Odoo requirements using a pinned version [1]. Adding here could cause to upgrade the library to an incompatible version. [1] https://github.com/odoo/odoo/blob/54e58b3e47ee/requirements.txt#L51
515b1c2
to
14ec66d
Compare
It does not demonstrated that it was the right thing to do 😉
No, we should fix the others where nobody considered this from a more pythonic POV.
As reported above that depends on how you run pip install.
Which command runs to install such dependencies? BTW we pin dependencies on our projects, we don't rely on what you pin elsewhere. |
Thank you for your reply my friend
In fact, I was not talking about "the right thing to do" I like to understand what is unique in this project to do it differently (not correct or wrong) I mean, if we decide to do the same than this project for all OCA's projects so we should add a requirements file for all these projects with the same packages that Odoo has already considered in its requirements file Project: account-analytic. Packages: psycopg2
Project: account-budgeting. Packages: dateutil
Project: account-closing. Packages: dateutil
Project: account-consolidation. Packages: dateutil, lxml
Project: account-financial-reporting. Packages: psycopg2
Project: account-financial-tools. Packages: dateutil
Project: account-fiscal-rule. Packages: lxml, requests
Project: account-invoicing. Packages: dateutil
Project: account-payment. Packages: dateutil, lxml
Project: account-reconcile. Packages: psycopg2
Project: agreement. Packages: lxml
Project: apps-store. Packages: lxml
Project: bank-payment. Packages: dateutil, stdnum, lxml
Project: bank-statement-import. Packages: pytz, dateutil, lxml, requests
Project: brand. Packages: lxml, markupsafe
Project: commission. Packages: psycopg2, dateutil, lxml
Project: connector. Packages: psycopg2
Project: connector-infor. Packages: psycopg2
Project: connector-jira. Packages: pytz, dateutil, psycopg2
Project: connector-telephony. Packages: requests
Project: contract. Packages: dateutil, lxml
Project: credit-control. Packages: dateutil
Project: crm. Packages: psycopg2
Project: currency. Packages: dateutil
Project: data-protection. Packages: lxml, werkzeug
Project: delivery-carrier. Packages: PIL, lxml, requests
Project: donation. Packages: psycopg2
Project: e-commerce. Packages: psycopg2, werkzeug
Project: edi. Packages: dateutil, werkzeug, pytz, lxml, PyPDF2, requests
Project: event. Packages: pytz, babel
Project: helpdesk. Packages: werkzeug
Project: hr. Packages: dateutil
Project: hr-attendance. Packages: pytz, dateutil, psycopg2
Project: hr-holidays. Packages: pytz, dateutil
Project: interface-github. Packages: docutils, requests
Project: intrastat-extrastat. Packages: dateutil, stdnum, lxml
Project: iot. Packages: jinja2
Project: l10n-belgium. Packages: dateutil
Project: l10n-brazil. Packages: dateutil, werkzeug, pytz, lxml, requests, pkg_resources
Project: l10n-chile. Packages: pytz, dateutil, requests
Project: l10n-estonia. Packages: lxml
Project: l10n-france. Packages: dateutil, reportlab, pytz, lxml, PyPDF2, requests
Project: l10n-germany. Packages: dateutil
Project: l10n-iran. Packages: pytz, babel
Project: l10n-italy. Packages: psycopg2, dateutil, openupgradelib, lxml
Project: l10n-netherlands. Packages: dateutil, psutil, lxml
Project: l10n-portugal. Packages: requests, werkzeug
Project: l10n-romania. Packages: pytz, dateutil, lxml, requests
Project: l10n-spain. Packages: dateutil, pytz, cryptography, lxml, requests
Project: l10n-switzerland. Packages: jinja2, lxml, PIL, PyPDF2, requests
Project: l10n-thailand. Packages: pytz, dateutil
Project: l10n-ukraine. Packages: pytz, dateutil
Project: l10n-usa. Packages: psycopg2, dateutil, stdnum
Project: l10n-vietnam. Packages: lxml
Project: maintenance. Packages: lxml
Project: management-system. Packages: psycopg2
Project: manufacture. Packages: psycopg2, dateutil
Project: mis-builder. Packages: pytz, dateutil, lxml
Project: odoo-pim. Packages: lxml
Project: partner-contact. Packages: dateutil, psycopg2, pytz, lxml, requests
Project: payroll. Packages: pytz, dateutil, babel
Project: pms. Packages: dateutil, pytz, babel, PyPDF2, requests
Project: product-attribute. Packages: psycopg2, dateutil, lxml
Project: product-configurator. Packages: lxml, mako
Project: product-variant. Packages: lxml
Project: project. Packages: pytz, dateutil, lxml, werkzeug
Project: purchase-workflow. Packages: dateutil
Project: queue. Packages: psycopg2, dateutil, lxml, werkzeug
Project: report-print-send. Packages: PIL, requests
Project: reporting-engine. Packages: dateutil, werkzeug, qrcode, psycopg2, lxml, PIL, requests, pkg_resources, pydot, xlsxwriter
Project: rest-framework. Packages: marshmallow, apispec, werkzeug
Project: runbot-addons. Packages: requests
Project: sale-workflow. Packages: dateutil, werkzeug, psycopg2, pytz, lxml
Project: search-engine. Packages: elasticsearch
Project: server-auth. Packages: ldap, werkzeug, passlib, jwt, requests
Project: server-backend. Packages: psycopg2
Project: server-brand. Packages: lxml
Project: server-env. Packages: lxml
Project: server-tools. Packages: dateutil, werkzeug, psycopg2, jinja2, lxml, xlwt, requests, xlrd
Project: server-ux. Packages: pytz, dateutil, lxml
Project: social. Packages: lxml, markupsafe, werkzeug, requests
Project: stock-logistics-barcode. Packages: dateutil, lxml, barcode
Project: stock-logistics-warehouse. Packages: psycopg2, reportlab, werkzeug
Project: stock-logistics-workflow. Packages: lxml
Project: storage. Packages: requests, werkzeug
Project: timesheet. Packages: dateutil, pytz, psycopg2, lxml, babel, xlsxwriter
Project: vertical-abbey. Packages: pytz, dateutil, cStringIO
Project: vertical-association. Packages: dateutil
Project: vertical-hotel. Packages: dateutil
Project: vertical-isp. Packages: requests
Project: vertical-medical. Packages: dateutil, urllib2
Project: vertical-rental. Packages: dateutil
Project: web. Packages: PIL
Project: web-api. Packages: requests, werkzeug
Project: website. Packages: lxml
Project: website-cms. Packages: psycopg2, werkzeug, mock
Project: wms. Packages: psycopg2, werkzeug The question is: Why all these projects don't have these needed requirements following the same logic as queue project decisions? Why queue project has this decision and it needs this special consideration? |
Hola Moises, hope you are doing fine mate :) Sorry but I still don't understand while you think this is a special project. It's not. ℹ️ Declaring direct dependencies of a module/package is a must have. It's a best practice. Period. Until you all fail to recognize these important things we'll discuss forever and ever on this PR. Hence, if other OCA modules are doing the contrary we must fix them (unless strictly necessary I've never seen a precise pinning). We'll be glad to have a list of PRs like this: can you get back to us w/ some examples? Regarding
I do not understand this statement. It's not about OCA repos. Both Stéphane and me already pointed out that if you rely on the wrong pip install workflow you'll run into troubles unless you pinned all fragile direct and transitive python deps in your own projects not in our repos. Regarding "what's the possible solution to unstuck this?" Hope this helps :) |
Hi @simahawk Yes, you are right
If I understood well this point so we should have the following requirements too for this project: # generated from manifests external_dependencies
requests
+ psycopg2
+ werkzeug Because the code is using these packages directly?
Why they were not added but |
I think the Python rules can't apply strictly to Odoo modules, as they are not the same. We are using Python, but inside an ORM framework provided by Odoo. Being both the libraries and versions set at Odoo level, and not changing inside the same version, requiring to repeat the definitions at Odoo modules level is a nonsense, as if you don't have such requirements, Odoo won't work and won't execute your Odoo module. |
Hi @simahawk @sbidoul @pedrobaeza @luisg123v @rvalyi
Notice the following packages are used directly?
Following the best practice here, Should we add these packages too? # generated from manifests external_dependencies
requests
+ psycopg2
+ werkzeug I'm trying to get an OCA guideline, we have the following opinions Option A
Option B 1) Add all the requirements even if odoo has already defined and pinned
- 2) Odoo requirements should be unpinned even if odoo has pinned
+ 2) Odoo requirements should be pinned because odoo has pinned too Option C
What option should we use for OCA guidelines? Please, vote |
Hi @moylop260,
Yes, I think psycopg2 and werkzeug should be added to the manifest of queue_job, since they are direct dependencies, if only for documentation purposes. Regarding pinning, it is a responsibility of the integrator delivering the end-project. This means that:
If too strict bounds or pinning is done in addons, then integrators quickly land in dependency hell with unresolvable depency conflicts. Note that versions in Odoo's requirement.txt are a recommendation (known good versions), but Odoo does work perfectly well with more recent versions, and it frequently happens that one needs to use more recent versions of the Odoo requirements to be compatible with other modern libraries. |
I agree with everything @sbidoul said. That being said, I take the opportunity to share a minor issue we found in l10n-brazil with this approach: if several repo addons depend on the same Python package and if some addon start to require some minimum version, then we should also repeat this minum version in the manifest of the other addons of the repo to avoid conflicts in the requirements.txt automatic generation. Really not a big deal, but anyhow I shared it with you. |
@rvalyi actually, with recent (> ~21) versions of pip, it should not matter. A requirements file like this works:
|
we had it failed on the CI on 14.0 like a month ago. No idea how it is on 15.0 or 16.0 but good to know, thanks. |
Feel free to ping me if this happens again, I'll investigate. |
I did run into the same issue with odoo.sh, that there was a library update, which caused the library to be incompatible with the odoo code. I do not see a good solution for odoo.sh users, yet. The fact is, that if we add OCA repos as submodules into odoo.sh, all requirements.txt are installed (even when the causing OCA module is not installed). In the past I had 2 issues with incompatible libraries. One was "pillow" which was updated by one of my own modules, and the second one was "lxml" which had a recent update, which made it incompatible. What do you think about to change the pre-commit job to not create a requirements.txt, but a oca-requirements.txt or repo-requirements.txt too bypass the auto install of odoo.sh? Do I understand correctly that the dependencies in external_dependencies in the manifest is installed, when the module is activated? In this case the requirements.txt wouldn't be needed at all. |
@CRogos if odoo.sh does not support this, that would be a good argument indeed. By chance can you share an installation log that causes problems on odoo.sh? Because if you |
No, external dependencies are intended to block module installation if any dependency is missing, but not to autoinstall them. |
I recently had several issues.
|
@CRogos thanks for posting those. For 1, 2, 4, yeah, welcome to dependency hell... these are painful and not easy to debug, and the best I can recommend to mitigate is #530 (comment). But for instance in case of 4, pikepdf requires For 3 (lxml), it could be an issue with your workflow, but it could well be also something like the pillow issue above where some indirect dependency requires a more recent version of lxml than the one preinstalled in your CI. |
@sbidoul thanks again for your input.
For 2+3 I have to think and test a little bit more. But there should be the option to added a upper boundary as soon as we find an incompatibility instead of removing it from the external_dependencies. |
Such dependency is already included in Odoo requirements using a pinned
version [1]. Adding here could cause to upgrade the library to an
incompatible version.
[1] https://github.com/odoo/odoo/blob/54e58b3e47ee/requirements.txt#L51