Closed Nour-Mws closed 1 year ago
- What are these packages (besides `pkg_resources`)?

(`pkg_resources` is part of setuptools)
Here's what I get on my machine (NixOS, inside our dev shell) when using the `venv` module in stdlib for creating virtualenvs:
```
$ rm -rf foo && python3.7 -m venv foo && foo/bin/pip list
Error: Command '['/home/jherland/code/fawltydeps/foo/bin/python3.7', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.
$ rm -rf foo && python3.8 -m venv foo && foo/bin/pip list
Package    Version
---------- -------
pip        22.0.4
setuptools 56.0.0
WARNING: You are using pip version 22.0.4; however, version 22.3.1 is available.
You should consider upgrading via the '/home/jherland/code/fawltydeps/foo/bin/python3.8 -m pip install --upgrade pip' command.
$ rm -rf foo && python3.9 -m venv foo && foo/bin/pip list
Package    Version
---------- -------
pip        22.0.4
setuptools 58.1.0
WARNING: You are using pip version 22.0.4; however, version 22.3.1 is available.
You should consider upgrading via the '/home/jherland/code/fawltydeps/foo/bin/python3.9 -m pip install --upgrade pip' command.
$ rm -rf foo && python3.10 -m venv foo && foo/bin/pip list
Package    Version
---------- -------
pip        22.3.1
setuptools 65.5.0
$ rm -rf foo && python3.11 -m venv foo && foo/bin/pip list
Package    Version
---------- -------
pip        22.3.1
setuptools 65.5.0
```
So it seems `pip` and `setuptools` are the only ones installed by default on this particular setup. I'd be surprised if the `venv` stdlib module behaved differently on other distros, but there are other mechanisms for creating virtualenvs, most notably the `virtualenv` tool (which it seems that Poetry might be using, as I found it already present in our dev shell):
```
$ rm -rf foo && virtualenv foo && foo/bin/pip list
created virtual environment CPython3.10.9.final.0-64 in 99ms
  creator CPython3Posix(dest=/home/jherland/code/fawltydeps/foo, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/home/jherland/.local/share/virtualenv)
    added seed packages: pip==22.3.1, setuptools==65.6.3, wheel==0.38.4
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
Package    Version
---------- -------
pip        22.3.1
setuptools 65.6.3
wheel      0.38.4
```
That one includes `wheel` as well.

In any case, I'm pretty sure we're not importing anything from `pip` or `wheel` in our code, only `pkg_resources` from `setuptools`.
BTW, I came across this article (https://pradyunsg.me/blog/2023/01/21/thoughts-on-python-packaging/#pip-a-privileged-player) that, in a footnote, linked to https://github.com/python/cpython/pull/101039: Apparently setuptools is no longer being installed by default in a venv, starting with Python 3.12. Good thing we found this now, instead of getting an ugly surprise when upgrading later.
The opinion we have arrived at is that any undeclared non-stdlib dependency should be flagged, even if it's a package (like `setuptools`) that is available ~everywhere. There are so many different deployment scenarios for Python that there is always somewhere where this package might be missing. Declaring it is always the Right Thing™️ to do.
This is actually 2 issues for the price of one :D
In one conversation in PR #70, it turned out that some packages are available in virtual environments / part of the Python distribution, while not belonging to stdlib.
We'd like to know:
`pkg_resources`)?

Original conversation @mknorps:
@jherland: