SNOW-1891253: Unable to install with latest pyOpenSSL==25.0.0 #2140

Open
sodul opened this issue Jan 22, 2025 · 5 comments
Labels
enhancement The issue is a request for improvement or a new feature status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. status-triage_done Initial triage done, will be further handled by the driver team

Comments

@sodul

sodul commented Jan 22, 2025

Python version

Python 3.12.8 (main, Dec 3 2024, 15:33:39) [Clang 16.0.0 (clang-1600.0.26.4)]

Operating system and processor architecture

macOS-15.2-arm64-arm-64bit

Installed packages

Proprietary, sorry.

What did you do?

`pip install snowflake-connector-python pyOpenSSL==25.0.0`

We got this error:

  × No solution found when resolving dependencies:
  ╰─▶ Because snowflake-connector-python==3.12.4 depends on pyopenssl>=22.0.0,<25.0.0 and you require pyopenssl==25.0.0, we can conclude that your requirements and snowflake-connector-python==3.12.4
      are incompatible.
      And because you require snowflake-connector-python==3.12.4, we can conclude that your requirements are unsatisfiable.

What did you expect to see?

The installation should complete without error.

Can you set logging to DEBUG and collect the logs?

@github-actions github-actions bot changed the title Unable to install with latest pyOpenSSL==25.0.0 SNOW-1891253: Unable to install with latest pyOpenSSL==25.0.0 Jan 22, 2025
@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Jan 30, 2025
@sfc-gh-dszmolka sfc-gh-dszmolka added status-triage Issue is under initial triage and removed needs triage labels Jan 30, 2025
@sfc-gh-dszmolka sfc-gh-dszmolka added enhancement The issue is a request for improvement or a new feature status-pr_pending_merge A PR is made and is under review status-triage_done Initial triage done, will be further handled by the driver team and removed bug status-triage Issue is under initial triage labels Jan 30, 2025
@sfc-gh-dszmolka
Contributor

Hi, out of curiosity, which tool is this?

Regardless: #2160 for bumping the requirement upper boundary in PythonConnector.

@sfc-gh-dszmolka sfc-gh-dszmolka added status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. and removed status-pr_pending_merge A PR is made and is under review labels Feb 1, 2025
@sfc-gh-dszmolka
Contributor

The change is merged and will be part of the next release of the connector.

@sodul
Author

sodul commented Feb 6, 2025

> Hi, out of curiosity, which tool is this?

@sfc-gh-dszmolka Is the question for me? I'm not sure what "tool" you are referencing.

In our case we build a container pre-packaged with various Python packages to run our CI/CD pipelines, and as such we have a large set of third-party dependencies which we try to keep compatible with each other, as they all get imported inside the same in-house Python process.

Several of the third-party packages we need to import have unnecessarily strict dependency requirements, which make it unnecessarily difficult to install everything and, worse, make it near impossible to respond to CVEs in a timely manner. For example, if pyOpenSSL had a critical CVE that is only addressed in v25, the strict upper limit would make it impossible to address.

The change to `pyOpenSSL>=22.0.0,<26.0.0` means that this issue will happen again with pyOpenSSL 26. I strongly recommend dropping the `<26.0.0` upper bound unless there is a known compatibility problem.
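
The concern raised in the comment above can be checked mechanically. The following is an added example, not part of the thread or the connector's code: it scans requirement strings for upper bounds or exact pins that exclude a version carrying a fix. The function names and the last two sample lines are assumptions, and the parser handles only plain numeric versions; production tooling would use `packaging.specifiers.SpecifierSet` instead.

```python
import operator
import re

# Constructed sample of requirement strings; the first two ranges are quoted in the thread.
SAMPLE_REQUIREMENTS = [
    "pyopenssl>=22.0.0,<25.0.0",  # snowflake-connector-python==3.12.4
    "pyOpenSSL>=22.0.0,<26.0.0",  # range after the fix
    "pyopenssl>=16.2.0",          # constructed: no upper bound
    "cryptography>=3.1.0",        # constructed: unrelated package
]
# Operators that can exclude a newer release (an upper bound or an exact pin).
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq}


def parse_version(text):
    """Turn '25.0.0' into (25,); trailing zeros are dropped so 25.0 == 25.0.0."""
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(line):
    """Split 'name>=1.0,<2.0' into a normalized name and (operator, version) clauses."""
    match = re.match(r"\s*([A-Za-z0-9._-]+)\s*(.*)$", line)
    name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
    clauses = []
    for clause in match.group(2).split(","):
        if clause.strip():
            op, ver = re.match(r"\s*(<=|>=|==|!=|<|>)\s*([0-9.]+)\s*$", clause).groups()
            clauses.append((op, parse_version(ver)))
    return name, clauses


def blocking_caps(requirements, package, fixed_version):
    """Return the requirement lines whose upper bound or pin excludes fixed_version."""
    target = parse_version(fixed_version)
    blocked = []
    for line in requirements:
        name, clauses = parse_requirement(line)
        if name != package.lower():
            continue
        if any(op in OPS and not OPS[op](target, ver) for op, ver in clauses):
            blocked.append(line)
    return blocked


if __name__ == "__main__":
    for fixed in ("25.0.0", "26.0.0"):
        print(fixed, "blocked by:", blocking_caps(SAMPLE_REQUIREMENTS, "pyopenssl", fixed))
```

Run against the metadata of every package in a shared image, a check like this lists which dependents would have to be re-released before a fixed version could be installed.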

@sfc-gh-dszmolka
Contributor

sfc-gh-dszmolka commented Feb 7, 2025

Thank you for the explanation! Personally, I have no information on why pyopenssl was originally introduced with an upper boundary a couple of years back, but I believe there must have been a good reason for it. As for the <26, it means you should be good until 2026, and given the message in the README we'll probably review during this year whether pyopenssl is the best for the library moving forward or whether the team will favour another dependency instead.

Edit: found the commit which added the upper boundary in v2.1.0 (6 years back): 7c2653f
Prior to that, we indeed used a >= without an upper boundary, so it was only added after a certain issue to which I don't have access.

Back to this issue: you can already access it by installing the connector from main, or of course with the next release, which I'll update here once it's out.

@sodul
Author

sodul commented Feb 10, 2025

Yes, one of the core issues is that pypi.org does not allow amending existing versions with updated compatibility issues. This is actually bad since the only way is to create a new post-1, post-2 version and to back out the version with the original dependency list. There are ongoing conversations around this by the pypi.org maintainers but no long-term fix.

Dependency management is hard.
