search

PyAr / fades

fades is a system that automatically handles the virtualenvs in the cases normally found when writing scripts and simple programs, and even helps to administer big projects.
https://fades.readthedocs.io
GNU General Public License v3.0
214 stars 44 forks source link

Non-PyPI packages are ignored by --check-updates #380

Open frafra opened 4 years ago

frafra commented 4 years ago

Hi, Fades does not check if a package installed git+https is up-to-date even if --check-updates is used.

gilgamezh commented 4 years ago

Hello, thanks!

--check-updates is hitting pypi API to check versions. I'm not sure how we should track versions of packages installed from a git repo. Any ideas?

frafra commented 4 years ago

It looks like there is no way to detect which revision has been cloned using pip.

Simple solution: cloning the whole repo every time and displaying a warning (like "please fix a commit/tag like this: ...")

Better solution: getting the commit ID first and alter the required dependency on-the-fly. Example (Bash-like syntax):

  1. Dependency required: git+https://github.com/PyAr/fades.git
  2. No reference detected (no @ref used), assuming ref="HEAD"
  3. Get commit ID: id=$(git ls-remote https://github.com/PyAr/fades.git $ref | cut -f1)
  4. Add the commit ID to the dependency: git+https://github.com/PyAr/fades.git@$id
  5. Resolve the dependency as usual
facundobatista commented 4 years ago

Hello @frafra !

Thanks for taking the time to help us improve fades!

Yes, --check-update is suboptimal when we consider other repos other than PyPI. For example, we have the #338 issue opened for the case of local dependencies.

In that case of local depencies what is suggested in the issue is to verify if the project has changed by checking the ctime of the project's directory.

For the case of remote VCSs is quite more complicated. We not only support git but also other VCS systems. Furthermore, we don't "speak VCS" ourselves, as we just rely on pip to do its work.

Taking that into mind, it's super difficult to get the commit id of a remote repo. What if it's bzr or hg? What if the user doesn't have git installed (not really sure how pip installs it, and the trick is that we want to avoid caring about it!).

So, how can emulate desired behaviours taking that in consideration?

One proposal could be to always recreate the venv if --check-updates is involved when having VCS repos; that surely would be on the safe side, but it also will be very inefficient most of the times!

What do you think?

frafra commented 4 years ago

Hi :) You are right, it would be better not to do something for git only. I had a look at poetry because it fixes versions for packages, even if they are taken from git, but they do not support other VCSes: https://github.com/sdispater/poetry/blob/7a372c75562e99355c59786b4d3f1b26b9124e50/poetry/puzzle/provider.py#L189-L190

I would say that your proposal can be a good one, but I would show a warning if the dependencies VCS dependencies have not been tagged; (using @reference) if they have tags, they can be just skipped.