Removing dependencies that are no longer required

[fgabolde]

I'd like a way to automatically remove obsolete dependencies, obsolete being defined as

• the distribution A was automatically pulled to satisfy another distribution B's requirements
• the distribution B has since been updated not to require A anymore, or has been unregistered/deleted from the repository
• the distribution A has no other reverse-dependencies
• the distribution A has not been pulled explicitly (no one ever did pinto pull A)

Kind of like what happens in Debian when you do apt-get autoremove.

Currently my workaround is to compare the output of pinto roots before and after removing B, but this only works if there are only a couple new roots (and if removing them doesn't create more roots, and so on).

My guess is that implementing this properly would require a change in the model, to store whether a given distribution was pulled explicitly.

[thaljef]

store whether a given distribution was pulled explicitly.

That idea has come up before, but I don't think it would solve the problem. Some dependencies are optional (determined at build-time) so you have to pull those explicitly. The Debian stuff works because all dependency information is static and known in advance.

The roots command is flawed and will probably go away. But you shouldn't rely on the Pinto to tell you what your app's dependencies are anyway. You should always have a separate canonical list of your top-level dependencies.

Still, I am a neat freak and I share your desire to clean cruft from the repository. I'm just not sure it can be done in a completely automated way.

[fgabolde]

That idea has come up before, but I don't think it would solve the problem. Some dependencies are optional (determined at build-time) so you have to pull those explicitly. The Debian stuff works because all dependency information is static and known in advance.

In the case of false negatives, I'm OK with having to remove them manually.

Debian also does this in some cases, see apt-mark.

The roots command is flawed and will probably go away. But you shouldn't rely on the Pinto to tell you what your app's dependencies are anyway. You should always have a separate canonical list of your top-level dependencies.

Well, sure, but then wouldn't Pinto's list of dependencies match the canonical list 100%? If I did have that list, surely my META.json would also contain it. The issue still exists with dependencies' dependencies, even assuming my own projects have a canonical list of prereqs (which I wish they did).

Still, I am a neat freak and I share your desire to clean cruft from the repository. I'm just not sure it can be done in a completely automated way.

Got it.

A while ago I wrote a tool (actually a web app) that centralizes this info but it doesn't talk to Pinto, it just reads a package index and the distribution tarballs. It makes the same assumptions as Pinto (I think) where you have to trust that the metadata is complete.

If I have the time (unlikely) I'll try to add support for detecting removable prereqs and see how often it gets it wrong. I'll ping you back if I get anywhere.