AndreaCensi / contracts

PyContracts is a Python package that allows you to declare constraints on function parameters and return values. Contracts can be specified using Python 3 annotations or inside a docstring. PyContracts supports a basic type system, variable binding, arithmetic constraints, and has several specialized contracts and an extension API.
http://andreacensi.github.io/contracts/

Pin requirements to avoid breaking builds #51

Closed joshblum closed 6 years ago

joshblum commented 7 years ago

This addresses issue #50 short term. In general I think it's best to pin packages to specific versions so that dependent projects do not break during upgrades. Long term, a fix for the pycontracts change would be best :)

AndreaCensi commented 6 years ago

I really have no idea if pinning packages is a good way to go.

joshblum commented 6 years ago

@AndreaCensi I would recommend this blog post for a little more background http://nvie.com/posts/pin-your-packages/

Highlight:

The only way of making your builds deterministic, is if you pin every single package dependency (even the dependency’s dependencies).

It's good that #50 has been resolved; however, there isn't a good way to prevent this from breaking on users' production builds in the future. Users can also pin their own packages, but if it is done at the library level it prevents accidental breaks for users who are not pinning.

AndreaCensi commented 6 years ago

Here's my doubt.

Suppose you are building an app called MyApp that depends on PyContracts and OtherLib, and PyContracts and OtherLib both depend on ThirdLib.

 MyApp --> {PyContracts, OtherLib} --> ThirdLib

Should PyContracts and OtherLib pin ThirdLib? What happens if they pin different versions?


joshblum commented 6 years ago

Unfortunately this is a known bug with pip :( https://github.com/pypa/pip/issues/988 https://pip.pypa.io/en/stable/user_guide/#requirements-files (see item 2).

For the sake of deterministic builds I think that requirements should be pinned at the library level. Users should also handle this for their apps, but they often only pin the library itself (and not its dependencies), which can result in production errors when an app's dependencies' dependencies are updated.
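As an added example (not code from this PR or from PyContracts), the diamond graph Andrea sketches above, with a small checker that walks every constraint and reports the conflicting ThirdLib pins, next to the first-requirement-wins behaviour the linked pip issue describes. Package names come from the thread; the version numbers are constructed.

```python
"""Diamond-dependency check for MyApp -> {PyContracts, OtherLib} -> ThirdLib,
the case raised in this thread. find_conflicts() gathers every constraint on
each package and reports unsatisfiable pins; first_wins() mimics legacy pip."""
from collections import defaultdict
# Constructed graph: package -> [(dependency, operator, version)].
# Package names come from the thread; version numbers are made up.
GRAPH = {
    "MyApp": [("PyContracts", "==", "1.8.0"), ("OtherLib", "==", "2.1")],
    "PyContracts": [("ThirdLib", "==", "3.2.0")],
    "OtherLib": [("ThirdLib", "==", "3.4.1")],
    "ThirdLib": [],
}

def parse_version(text):
    """'3.4.1' -> (3, 4, 1); dotted integers only, enough for this example."""
    return tuple(int(part) for part in text.split("."))

def satisfies(version, op, required):
    """True when `version` meets the constraint `op required` (==, >=, <)."""
    have, want = parse_version(version), parse_version(required)
    return {"==": have == want, ">=": have >= want, "<": have < want}[op]

def collect_constraints(graph, root):
    """Depth-first walk; dep -> [(requirer, op, version)] in encounter order."""
    constraints, seen = defaultdict(list), set()
    def visit(pkg):
        if pkg in seen:
            return
        seen.add(pkg)
        for dep, op, ver in graph.get(pkg, []):
            constraints[dep].append((pkg, op, ver))
            visit(dep)
    visit(root)
    return constraints

def find_conflicts(graph, root):
    """dep -> all its requirements, for every dep whose '==' pins disagree or
    whose single pin violates a range another requirer placed on it."""
    conflicts = {}
    for dep, reqs in collect_constraints(graph, root).items():
        pins = {ver for _, op, ver in reqs if op == "=="}
        ranges = [(op, ver) for _, op, ver in reqs if op != "=="]
        pin_ok = all(satisfies(p, op, v) for p in pins for op, v in ranges)
        if len(pins) > 1 or not pin_ok:
            conflicts[dep] = reqs
    return conflicts

def first_wins(graph, root):
    """Legacy pip (pypa/pip#988): the first requirement seen for a dep is installed."""
    return {dep: reqs[0] for dep, reqs in collect_constraints(graph, root).items()}
```

Running `find_conflicts(GRAPH, "MyApp")` flags ThirdLib with both library pins, while `first_wins` silently selects PyContracts' 3.2.0 and drops OtherLib's 3.4.1.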

joshblum commented 6 years ago

@AndreaCensi what do you think?

AndreaCensi commented 6 years ago

I suppose that it is worth trying this and seeing if more people complain about the presence of the pinning than the people who complain about the lack of pinning.

I will accept the PR.


joshblum commented 6 years ago

@AndreaCensi thanks!