6713 Introduce supplemental package source

[b-kamphorst]

Pull Request Check List

Resolves: #6713
Relates to: #7658

• Added tests for changed code.
• Updated documentation for changed code.

[b-kamphorst]

This is still work in progress. In particular, the following items are on my TODO list:

• add tests to tests/test_factory (incl. adding fixtures)
• add tests to tests/commands/source/test_add.py
• add behaviour to source add
• update documentation poetry source add

For backwards compatibility I complemented the default and secondary keys for sources in pyproject.toml with supplemental and private. However it seems more maintainable to introduce a non-boolean key priority. How do you feel about the suggestion (and its relation to this PR)?

[neersighted]

I don't think integer priorities make sense as there are specific semantics beyond order that some of the flags indicate (e.g. default and private have meanings beyond the lookup order).

[b-kamphorst]

I don't think integer priorities make sense as there are specific semantics beyond order that some of the flags indicate (e.g. default and private have meanings beyond the lookup order).

I agree. I was thinking of literals; e.g.

[[tool.poetry.source]]
name = "foo"
url = "https://foo.bar/simple/"
type = "supplemental " # type = "primary" if unspecified

instead of

[[tool.poetry.source]]
name = "foo"
url = "https://foo.bar/simple/"
default = false
secondary = false
supplemental = true
private = false

Would that work?

[neersighted]

Ah, that makes more sense -- I read that as integer, but I see that you didn't explicitly state that.

I'm not necessarily opposed, but I think we would need to think about the design and how it would interact with older Poetry versions (maybe it's time to add a minimum-poetry-version gate?), as well as the potential indexed = true from #5442 and if we can easily validate the string-constants and provide helpful errors (I think our JSON schema lets us do this trivially).

[dimbleby]

Haven't got any further than starting to read the docs yet: but it looks as though private is not a good name here. Other types of source might be private, and private sources might not be private. The name is completely disconnected from the meaning of the word!

explicit maybe?

[dimbleby]

this reminds me that I still think it's a good idea to spell out what key use cases you're trying to cover here, and how this approach would meet them - #6713 (comment)

in particular two of the cases mentioned there exactly show what I mean about private vs "private"

• a private mirror from which I want to get everything is private but not private
• the pytorch repository from which folk want to get pytorch only is private but not private

[b-kamphorst]

Haven't got any further than starting to read the docs yet: but it looks as though private is not a good name here. Other types of source might be private, and private sources might not be private. The name is completely disconnected from the meaning of the word!

explicit maybe?

I quite like explicit, I'll rename if @neersighted agrees.

[b-kamphorst]

I've continued the effort through the cli and factory. I expect that there is some test to actually verify that the correct information ends up in pyproject.toml, but I have not found it yet. Feel free to point me in the right direction!

Feedback is welcome. Note that there are some open discussion that need to be concluded, e.g. #6879 (comment) and #6713 (comment).

[b-kamphorst]

Tests for poetry-plugin-export are failing (as in my previous MR). The obvious conflicts are in the code (here) and tests (here and here). These can easily be fixed, but we end up with a circular dependency (plugin will fail for current version of poetry, new poetry breaks plugin). Thoughts?

NTS: also add tests for Priority.EXPLICIT in poetry-plugin-export.

[radoering]

Is there a discussion somewhere why we should change the priority of default and primary?

I expect that there is some test to actually verify that the correct information ends up in pyproject.toml, but I have not found it yet.

I'd just deliberately introduce a bug, run the tests locally and see if some tests fail. If all tests pass, then there is no (sufficient) test. 😉

Note that there are some open discussion that need to be concluded, e.g. #6879 (comment) and #6713 (comment).

explicit maybe?

IMO, explicit is fine.

is supplemental behaviour actually breaking for secondary? If secondary sources are considered after all other (primary, default) sources, then the resolution behaviour should be identical (apart from making / timing of queries). If not, what am I missing?

With secondary, you can get an additional version of a package, which is not available in primary sources and resolution might choose exactly that version.

[neersighted]

Just checking in to say sorry for going AWOL; this takes more energy than I have the ability to contribute now due to other commitments. You're in good hands with @radoering and I'll try to provide input again when I am able.

[b-kamphorst]

Is there a discussion somewhere why we should change the priority of default and primary?

This is actually a bug. primary sources are supposed to behave as the pip --extra-index-url, which have priority over --index-url -- our default. However, it turns out that the bug fix is incompatible with the poetry-plugin-export (this line). The method RepositoryPool.get_priority will make it easy to change that line in a separate PR.

I propose to merge this PR in poetry without fixing the priority, then updating poetry-plugin-export to not depend on the order of repositories in pool.repositories but rather just verify the priority of a given repo, and then fix the bug in poetry.

I'd just deliberately introduce a bug, run the tests locally and see if some tests fail. If all tests pass, then there is no (sufficient) test. 😉

TODO on my side.

IMO, explicit is fine.

OK!

With secondary, you can get an additional version of a package, which is not available in primary sources and resolution might choose exactly that version.

Ah you are right. I got confused between the version pickers (there is one here and another here) and I mistakenly thought that one of them did not sort and as such would just pick the first returned version (which should be a non-secondary source when available).

[b-kamphorst]

Just checking in to say sorry for going AWOL; this takes more energy than I have the ability to contribute now due to other commitments. You're in good hands with @radoering and I'll try to provide input again when I am able.

No worries, I appreciate both of your feedback and hope that I can help poetry with this PR :)

[b-kamphorst]

I'd just deliberately introduce a bug, run the tests locally and see if some tests fail. If all tests pass, then there is no (sufficient) test. 😉

Done -- all works!

@radoering I think this PR is ready for another round of review. I'll probably have to remove the DEFAULT-PRIMARY-changing commits and you may prefer some other tidying up as well. Just let me know what you need for approval.

[radoering]

This is actually a bug. primary sources are supposed to behave as the pip --extra-index-url, which have priority over --index-url -- our default.

IMO that's not that clear. Actually, there is no warranted order of --extra-index-url and --index-url. IIUC, pip considers all sources equal and it's an implementation detail which source is chosen first. See pypa/pip#9610 (comment) for example. That's why I doubt whether we should change order at all.

I propose to merge this PR in poetry without fixing the priority

I absolutely agree on this point.

I'll try to do a review this week or next.

[radoering]

I haven't looked at the tests yet, but I think there are some implementation details that need to be worked out first.

Coming back to the default priority: I think the issue is that at the moment (state of current master) we are inconsistent between implementation and documentation:

implementation	documentation
If there is no explicit default, PyPI is only the default if there is no primary, otherwise it's secondary. default is the highest priority. In other words, implicit PyPI always comes after primary but is not always the default.	It's a bit difficult to find but it says that primary sources take precedence over PyPI and that the default source takes precedence over secondary sources. It does not clearly say but implies that if there is no explicit default, PyPI always is the default. If you combine everything, it seems primary sources should take precedence over the default source (even if it's not PyPI).

This inconsistence makes it difficult to decide if changes made in this PR are correct or not. I'm still not sure what to consider the source of truth. I think it's difficult to teach the current implemented behavior. Thus, it might make sense to consider the documentation as correct and change the implementation so that default is in between primary and secondary. If we consider changing the order a bugfix, we should do this in a separate PR (maybe even before this PR). I'll try to discuss this in the next maintainer meeting and give you some feedback.

[radoering]

Since priorities exclude each other, I think we shouldn't have five different settings and users wondering what happens if they combine several of them. Thus, I'd propose to only keep the existing settings and print a deprecation warning if they are set. Further, introduce a new enum type "priority" in the schema. The deprecated settings should only have an effect if priority is not set.

[b-kamphorst]

Well that was quite a headache, but educative as well. I look forward to your thoughts on the last two commits, which introduce the enum.

[radoering]

To keep existing behavior, the priority has to be SECONDARY if there are primary repositories. I think it makes sense to keep this behavior because otherwise you can't add sources with higher priority than PyPI without deactivating it. However, I'm not that sure anymore whether we should keep default before primary or change the order (in another PR). It probably makes most sense to wait for a decision before changing anything here.

[b-kamphorst]

Hi @radoering, do you have any updates on the requested behaviour of the PyPI repository?

[radoering]

Unfortunately, not yet. I wanted to discuss this topic in the maintainer meeting, which is scheduled every two weeks, but the last meeting was cancelled. Thus, I'll try in the next meeting.

[radoering]

See #6713 (comment) for the results of the discussion in our meeting. I'd like to hear your opinion on the two variants.

[radoering]

May you split the introduction of explicit into a separate PR as first step? I think that's the most uncontroversial part since it's not influenced by order or priority of any other repository. (Maybe, we can switch from flags to one setting as proposed in #6879 (comment) in this PR, too.)

Another reason I like to see explicit first is that I'm not quite convinced by #7430 and want to try an alternative approach that requires explicit.

[Secrus]

Is this still a valid PR since #7658 was merged? If not, please close.

[radoering]

#7658 was only part of this one. Introducing supplemental is still open. However, it might be easier to close this one and open a new PR? Further, it might make sense to wait for #7801 to avoid conflicts.

[radoering]

@b-kamphorst Since #7801 has been merged, we can go for supplemental now.

[b-kamphorst]

@b-kamphorst Since #7801 has been merged, we can go for supplemental now.

I've rebased the MR on master. Most looks fine to me, but surely a fresh review is welcome.

[github-actions]

Deploy preview for website ready!

✅ Preview
https://website-njpk7uaj6-python-poetry.vercel.app

Built with commit 4e99bff.
This pull request is being automatically deployed with vercel-action

[radoering]

Looks good. Just some minor nitpicks.

[github-actions]

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.