Closed joshblum closed 6 years ago
I really have no idea if pinning packages is a good way to go.
@AndreaCensi I would recommend this blog post for a little more background http://nvie.com/posts/pin-your-packages/
Highlight:
The only way of making your builds deterministic, is if you pin every single package dependency (even the dependency’s dependencies).
It's good that #50 has been resolved, however there isn't a good way to prevent this from breaking on users' production builds in the future. Users can also pin their own packages, however if it is done at the library level it prevents accidental breaks for users who are not pinning.
Here's my doubt.
Suppose you are building an app called MyApp that depends on PyContracts and OtherLib, and PyContracts and OtherLib both depend on ThirdLib.
MyApp --> {PyContracts, OtherLib} --> ThirdLib
Should PyContracts and OtherLib pin ThirdLib? What happens if they pin different versions?
Unfortunately this is a known bug with pip :( https://github.com/pypa/pip/issues/988 https://pip.pypa.io/en/stable/user_guide/#requirements-files (see item 2).
For the sake of deterministic builds I think that requirements should be pinned at the library level. Users should also handle this for their apps but often only pin the library itself (and not its dependencies), which can result in production errors when an app's dependencies' dependencies are updated.
@AndreaCensi what do you think?
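The diamond case Andrea sketches above (MyApp depending on PyContracts and OtherLib, both pinning ThirdLib) and the pip behaviour Josh points at (pypa/pip#988: no real dependency resolution, the first pin encountered wins) can both be shown in a few lines. The following is an added example, not code from the PyContracts project or from anyone in this thread. The library names, versions and requirement lines are constructed; `find_conflicts` and `resolve_first_wins` are helpers written here for illustration, not pip APIs. It handles numeric versions and the common `==`, `>=`, `<` style clauses only.

```python
import re

# Constructed sample metadata (not real PyContracts metadata): each library's
# declared dependencies, in the order pip would encounter them.
LIBRARY_REQUIREMENTS = {
    "PyContracts": ["ThirdLib==1.2.0", "six==1.11.0"],
    "OtherLib": ["ThirdLib==1.3.1", "six>=1.10"],
}

_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")
_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def parse_version(text):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip(".").split(".") if part)


def parse_requirement(line):
    """Split 'Name>=1.0,<2.0' into ('Name', [('>=', '1.0'), ('<', '2.0')])."""
    match = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", line)
    if not match:
        raise ValueError("unparseable requirement: %r" % line)
    name, rest = match.group(1), match.group(2)
    return name, _SPEC_RE.findall(rest)


def satisfies(version, specs):
    """True if `version` meets every (operator, target) clause in `specs`."""
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(target)) for op, target in specs)


def find_conflicts(library_requirements):
    """Return {dependency: [(library, requirement_line), ...]} for every shared
    dependency whose declared constraints cannot all be met at once.
    Only dependencies with at least one exact '==' pin are decided here;
    range-only constraints need a package index to check for a common version."""
    by_dep = {}
    for library, lines in library_requirements.items():
        for line in lines:
            name, specs = parse_requirement(line)
            by_dep.setdefault(name, []).append((library, line, specs))

    conflicts = {}
    for name, entries in by_dep.items():
        exact = {ver for _, _, specs in entries for op, ver in specs if op == "=="}
        if not exact:
            continue
        all_specs = [clause for _, _, specs in entries for clause in specs]
        if not any(satisfies(candidate, all_specs) for candidate in exact):
            conflicts[name] = [(library, line) for library, line, _ in entries]
    return conflicts


def resolve_first_wins(install_order, library_requirements):
    """Model pip's pre-resolver behaviour (pypa/pip#988): the first pin seen for
    a name is what gets installed, and later conflicting constraints from other
    libraries are left unsatisfied. Returns (installed, violated)."""
    installed = {}
    violated = []
    for library in install_order:
        for line in library_requirements[library]:
            name, specs = parse_requirement(line)
            if name not in installed:
                pinned = [ver for op, ver in specs if op == "=="]
                installed[name] = pinned[0] if pinned else "<latest from index>"
            elif installed[name] != "<latest from index>" and not satisfies(installed[name], specs):
                violated.append((library, line))
    return installed, violated


if __name__ == "__main__":
    for dep, claims in find_conflicts(LIBRARY_REQUIREMENTS).items():
        print("conflict on %s:" % dep)
        for library, line in claims:
            print("  %s wants %s" % (library, line))
    installed, violated = resolve_first_wins(["PyContracts", "OtherLib"], LIBRARY_REQUIREMENTS)
    print("first-wins install:", installed)
    print("constraints left unsatisfied:", violated)
```

With the constructed metadata, `find_conflicts` flags ThirdLib (1.2.0 versus 1.3.1) and accepts six (1.11.0 satisfies both `==1.11.0` and `>=1.10`), while `resolve_first_wins` installs ThirdLib 1.2.0 because PyContracts was processed first and simply leaves OtherLib's `ThirdLib==1.3.1` unmet. That is the trade-off in this thread: pinning inside a library protects users who do not pin, but two libraries pinning the same dependency to different versions cannot both be satisfied, and old pip would not tell you (pip's resolver from 20.3 onward refuses such installs instead).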
I suppose that it is worth trying this, and see if more people complain about the presence of the pinning than the people who complain about the lack of pinning.
I will accept the PR.
@AndreaCensi thanks!
This addresses issue #50 short term. In general I think it's best to pin packages to a specific version so that dependent projects do not break during upgrades. Long term a fix for the pycontracts change would be best :)