
[requirements] relax pinning #997

Merged 2 commits (Oct 17, 2019)

Conversation

josh-hadley
Collaborator

Strict pinning with == in AFDKO's requirements.txt can result in downgrades to packages that are shared by other co-installed projects. Use of >= enforces only the minimum version specified and allows later versions.

Closes #408.

Per @anthrotype on #408, strict pinning with `==` in AFDKO can result in downgrades to packages that are shared by other co-installed projects. Use of `>=` enforces only the minimum version specified.
@anthrotype
Member

anthrotype commented Oct 16, 2019

if you're not pinning exact versions anymore in requirements.txt, then there is no point in keeping that file. The setup.py's install_requires containing the same dependencies and minimum versions is sufficient.

I'm not sure if you're still using pyup bot or not, but I believe it will only update versions for requirements that have == version specifiers, and ignore those with >=.

Having a requirements.txt with fixed versions is still a good idea, because it ensures that your test runs are predictable and deterministic and do not depend on the time when you run them (e.g. it may be that some new version breaks something in your test suite, which would pass before and now no longer does, simply because a new version of a dep has been uploaded to PyPI).

The setup I settled on in my projects is this: setup.py install_requires are open-ended and are bumped up only when needed (e.g. you require some specific symbol that has been introduced in a newer version, or a bug was fixed, etc.); whereas the requirements.txt contains exactly pinned versions that are periodically kept up-to-date with latest versions (using pyup.io bot or similar).

If you really want to read the dependencies from the same source file for both requirements.txt and setup.py maybe you could resort to this hack. You keep requirements.txt as it is now, with exactly pinned versions. But then, when you read that file's content from the setup.py script, you replace all == with >= and then you'll have open-ended minimum version specifiers in install_requires and pinned exact versions in requirements.txt.
It's not that bad, actually.

- use hard-pinning (==) in requirements.txt
- setup.py replaces '==' with '>=' during setup (for install_requires)
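An added example of the scheme sketched above and implemented by these commits (not AFDKO's own setup.py). It goes one step beyond a blanket string replace: only the requirement before a `;` environment marker is rewritten, so a marker such as `platform_system=="Windows"` is not mangled, and pip option lines (`-r`, `-e`, `--hash`) are skipped because they are not valid `install_requires` entries. Package names and versions in the sample are constructed placeholders.

```python
"""Derive open-ended install_requires from an exactly pinned requirements.txt.

Added example of the approach discussed in the thread; not AFDKO's setup.py.
requirements.txt keeps the exact '==' pins (deterministic test runs), while
setup.py gets '>=' minimums so installing does not downgrade shared packages.
"""
import re
from typing import List

# Exact pin: name, optional [extras], '==', version.  '===' (arbitrary
# equality) is deliberately not matched because it has no '>=' equivalent.
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)\s*==(?!=)\s*(?P<version>\S+)$"
)


def relax_pins(requirements_text: str) -> List[str]:
    """Turn 'pkg==1.2.3' pins into 'pkg>=1.2.3' minimums.

    Comments, blank lines and pip options are dropped; non-pinned specifiers
    are passed through unchanged; environment markers are preserved verbatim.
    """
    relaxed = []
    for raw in requirements_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()   # drop '# ...' comments
        if not line or line.startswith("-"):           # blank, or a pip option
            continue
        req, sep, marker = line.partition(";")         # keep marker untouched
        m = _PIN_RE.match(req.strip())
        if m:
            req = f"{m.group('name')}>={m.group('version')}"
        relaxed.append(req.strip() + (f"; {marker.strip()}" if sep else ""))
    return relaxed


# Constructed sample; names and versions are placeholders, not AFDKO's pins.
SAMPLE_REQUIREMENTS = """\
# exact pins keep CI deterministic
booleanOperations==0.9.0
fonttools[ufo,lxml]==4.0.1   # extras survive the rewrite
mutatorMath>=2.1.2
pywin32==225; platform_system=="Windows"
-r other.txt
"""

if __name__ == "__main__":
    # In a real setup.py: install_requires=relax_pins(open("requirements.txt").read())
    for spec in relax_pins(SAMPLE_REQUIREMENTS):
        print(spec)
```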
@josh-hadley
Collaborator Author

@anthrotype I implemented the scheme you described. Please review and if this is suitable, please approve and we'll proceed to get it merged & released.

Member

anthrotype left a comment


LGTM, thanks

@josh-hadley josh-hadley merged commit 40570d2 into develop Oct 17, 2019
@josh-hadley josh-hadley deleted the jh-change-requirements-pinning branch October 17, 2019 15:40
Successfully merging this pull request may close these issues.

Installing may downgrade dependencies