Discussion: Using Poetry for dependency management #1278
Comments
Neat write-up, thanks for sharing your early thoughts, @kushaldas.
There's a

First impressions

Couple highlights for me when looking into

Example session

```
user@dev:securedrop-client(use-poetry⚡) » poetry --version
Poetry version 1.1.7
user@dev:securedrop-client(use-poetry⚡) » poetry self update
You are using the latest version
user@dev:securedrop-client(use-poetry⚡) » poetry shell
Spawning shell within /home/user/.cache/pypoetry/virtualenvs/securedrop-client-p8SLegPY-py3.7
user@dev:securedrop-client(use-poetry⚡) » . /home/user/.cache/pypoetry/virtualenvs/securedrop-client-p8SLegPY-py3.7/bin/activate
(securedrop-client-p8SLegPY-py3.7) user@dev:securedrop-client(use-poetry⚡) » poetry install --no-dev
Updating dependencies
Resolving dependencies... (48.9s)

Writing lock file

Package operations: 20 installs, 0 updates, 0 removals

  • Installing typing-extensions (3.10.0.0)
  • Installing zipp (3.5.0)
  • Installing certifi (2018.11.29)
  • Installing charset-normalizer (2.0.4)
  • Installing greenlet (1.1.1)
  • Installing idna (2.10)
  • Installing importlib-metadata (4.6.4)
  • Installing markupsafe (1.1.1)
  • Installing six (1.16.0)
  • Installing urllib3 (1.26.6)
  • Installing mako (1.1.4)
  • Installing python-dateutil (2.8.2)
  • Installing python-editor (1.0.4)
  • Installing requests (2.26.0)
  • Installing sqlalchemy (1.4.22)
  • Installing alembic (1.6.5)
  • Installing arrow (0.12.1)
  • Installing chardet (3.0.4)
  • Installing pathlib2 (2.3.6)
  • Installing securedrop-sdk (0.3.0)

Installing the current project: securedrop-client (0.5.0)
(securedrop-client-p8SLegPY-py3.7) user@dev:securedrop-client(use-poetry⚡) » poetry env info

Virtualenv
Python:         3.7.3
Implementation: CPython
Path:           /home/user/.cache/pypoetry/virtualenvs/securedrop-client-p8SLegPY-py3.7
Valid:          True

System
Platform: linux
OS:       posix
Python:   /usr
(securedrop-client-p8SLegPY-py3.7) user@dev:securedrop-client(use-poetry⚡) » poetry build
Building securedrop-client (0.5.0)
  - Building sdist
  - Built securedrop-client-0.5.0.tar.gz
  - Building wheel
  - Built securedrop_client-0.5.0-py3-none-any.whl
(securedrop-client-p8SLegPY-py3.7) user@dev:securedrop-client(use-poetry⚡) » exit
```
I forgot to mention that you can check out my branch to test poetry with the client (I think it makes sense to use https://python-poetry.org/docs/dependency-specification/#caret-requirements for prod requirements (minus pyqt5 unfortunately, since that version needs tighter restrictions due to using system qt) and https://python-poetry.org/docs/dependency-specification/#wildcard-requirements for dev-only dependencies to use the latest (by default)). I really like poetry and would be happy to make more of an effort to get it working with our in-house packaging and CI scripts (which will take some effort, as @kushaldas mentioned in the issue description), but, again, I think it makes the most sense to wait until the
Looks like we can do the following to generate the desired requirement files:
All in all, there's developing consensus that poetry is a sufficiently ergonomic tool that we should consider adopting it. However, during group discussion, @zenmonkeykstop pointed out that there's a show-stopping security bug in the current prod release of poetry, and in fact it's been present for years. The bug means that the hashes in the lockfile are not actually checked: python-poetry/poetry#2422 That's egregious enough that we'll shelve evaluation for a while, at minimum until that issue is resolved in a prod release.
Since we only did a quick scan for blocking issues, I think we should do a more thorough scan once 1.2.0 is released to see if anything else remains a blocker.
The latest poetry version now properly checks hashes (according to the linked bug report).
Given the above, I'm sold. (If, of course, package hashes are properly checked, which I suppose we can find a way to test... 💭).
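The two comments above hinge on one property: an installer that honours the lockfile must refuse any artifact whose sha256 differs from the recorded one (python-poetry/poetry#2422 reports that Poetry was not doing this). The script below is an added example, not code from the securedrop-client project or from Poetry; it parses the `[metadata.files]` table of a Poetry 1.1 lock (the version shown in the session above) and reports, per file, whether the bytes match, differ, are unlisted or are missing. The package name, file names and artifact bytes are constructed for the example.

```python
"""Offline check that downloaded artifacts match the hashes in a poetry.lock.

Added example for this discussion; it is not code from the securedrop-client
project or from Poetry. It shows the guarantee a lockfile hash is supposed to
give (the check python-poetry/poetry#2422 reports Poetry was not performing):
an artifact is trusted only if its sha256 equals the recorded one. The lock
excerpt follows the [metadata.files] layout of Poetry 1.1; the package name,
file names and bytes below are constructed.
"""
from __future__ import annotations

import hashlib
import re

# One lock entry per artifact: {file = "<name>", hash = "sha256:<hex>"}
_ENTRY = re.compile(r'\{file\s*=\s*"([^"]+)",\s*hash\s*=\s*"sha256:([0-9a-f]{64})"\}')


def parse_lock_hashes(lock_text: str) -> dict[str, str]:
    """Map every artifact file name in the lock text to its expected sha256 (hex)."""
    return dict(_ENTRY.findall(lock_text))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(lock_text: str, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Compare artifacts (file name -> bytes) against the lock.

    Status per file name: "ok" (hash matches), "mismatch" (bytes differ from
    the recorded hash), "unlisted" (not in the lock at all) or "missing"
    (recorded in the lock but not supplied).
    """
    expected = parse_lock_hashes(lock_text)
    status: dict[str, str] = {}
    for name, data in artifacts.items():
        if name not in expected:
            status[name] = "unlisted"
        elif sha256_hex(data) == expected[name]:
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    for name in expected:
        status.setdefault(name, "missing")
    return status


def install_is_safe(lock_text: str, artifacts: dict[str, bytes]) -> bool:
    """The gate a lock-respecting installer must apply: every artifact listed
    and matching, nothing extra, nothing unverified."""
    return all(s == "ok" for s in verify_artifacts(lock_text, artifacts).values())


# Constructed stand-ins for a wheel and an sdist; the lock records the hashes
# of these genuine bytes.
GOOD_WHEEL = b"genuine wheel contents"
GOOD_SDIST = b"genuine sdist contents"
SAMPLE_LOCK = f"""
[metadata.files]
example-pkg = [
    {{file = "example_pkg-1.0.0-py3-none-any.whl", hash = "sha256:{sha256_hex(GOOD_WHEEL)}"}},
    {{file = "example-pkg-1.0.0.tar.gz", hash = "sha256:{sha256_hex(GOOD_SDIST)}"}},
]
"""

# What an index or a tampering proxy might hand back: one file altered, one
# genuine, one that the lock never mentioned.
SAMPLE_DOWNLOADS = {
    "example_pkg-1.0.0-py3-none-any.whl": b"tampered wheel contents",
    "example-pkg-1.0.0.tar.gz": GOOD_SDIST,
    "unexpected-0.1.whl": b"not in the lock",
}

if __name__ == "__main__":
    for name, result in verify_artifacts(SAMPLE_LOCK, SAMPLE_DOWNLOADS).items():
        print(f"{result:9} {name}")
    print("safe to install:", install_is_safe(SAMPLE_LOCK, SAMPLE_DOWNLOADS))
```

Run against a real lock, point `artifacts` at the files in the download cache; the useful signal is not the "ok" rows but that a single "mismatch" or "unlisted" row makes `install_is_safe` false, which is exactly the refusal the bug report says was absent.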
As an example of a simple
We've since adopted poetry for dependency management. |
Poetry tool

In an already existing project, you can run `poetry init` to create the `pyproject.toml` file and either choose the interactive mode, or update the file directly with the dependencies.

This command will install all the dependencies and will also create the `poetry.lock` file.

How to upgrade the dependencies?

One can choose the specific dependencies to upgrade.

To update all the dependencies together:

How do other projects manage dependencies?

flask-socketio = "5.0.1"

Everything is marked as `*`, which means always the latest package.

Related Python PEP

https://www.python.org/dev/peps/pep-0631/

Major work required to move

`requirements.txt` file style, so we will have to update those.

`requirements.txt` file format and `pip` to install the dependencies during Python package build.