Closed mplovepop closed 5 years ago
In my experience, I've only ever been hurt by having loose version dependencies. I know this has come up before, but can you point me to anything I can read to help me better understand why this is something the Python community is more comfortable with?
It's all just opinions, but I'm persuaded by an article I can't find now, and this stack overflow answer I can: https://stackoverflow.com/a/44938662
In short, pin applications, not libraries. Pinning library dependencies is a world of suffering when multiple libraries have different version dependencies. singer-python
is a library so should provide version specs if there are known bad ones, but otherwise it's the application's job to test and pin, e.g. with pip freeze
or pipenv
. If you want to provide a repeatable known-good set of dependent versions you can provide a requirements.txt
file. I think, in short, that dependency management kind of sucks in python!
Out of curiosity, is there a specific use case that's not working for you right now? Were you hoping to see pytz==2018.5
get pulled in automatically for some reason? Or is this more of a philosophical stance?
We discussed this internally and I think we're going to come down on the side of maintaining specificity in our version specs. Without a concrete use case we think it's better to make upgrading a manual step rather than assuming that version changes will be ok going forward. That's probably our Maven talking but still it does seem to be the kind of dependency management that makes the most sense to us.
Feel free to reopen this issue if you have a concrete use case to discuss.
https://github.com/singer-io/singer-python/blob/3ddbcc64ddb0763dc8e949afbd6de6eff75e9de7/setup.py#L12
For example,
pytz==2018.5
is out. It would be nice to change==
to>=
for version dependencies. I use pipenv to pin application versions but like to leave library versions looser.