Package Installation Reproducibility with Maven and Gradle plugins #446

Open · fniephaus opened this issue Oct 25, 2024 · 0 comments · Labels: enhancement (New feature or request)

TL;DR

Improve the GraalPy Maven and Gradle plugins such that they can produce and consume a lock file that pins the versions of all the transitive dependencies of the Python packages manually specified in pom.xml or build.gradle. This will help prevent builds from breaking due to a new release of a Python package dependency.

Goals

Python packages often specify dependency versions as ranges rather than exact versions, for example, Matplotlib depends on numpy >= 1.23. For such a constraint, the GraalPy Maven and Gradle plugins will install the latest NumPy available. However, that means the installed NumPy version can change over time, potentially breaking the build or application code due to external factors outside the developers' control.
It is a recommended practice to manually freeze the dependencies using low-level tooling. The Maven and Gradle plugins should provide high-level tooling and workflow for this task. There should be commands to:

  • Create the lock file. The lock file should be checked into the version control system, and once it exists, the build will install the dependencies according to it.
  • Update the lock file when the explicit dependencies in the build script (pom.xml or build.gradle) are updated.

Non-Goals

It is not a goal to develop any custom lock file format or low-level tooling. Initially, the build plugins will delegate to pip freeze to create the lock file and pip install -r <lockfile> to install the dependencies.
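As an added illustration (not code from this issue or from the GraalPy plugins), the following check models the consume side of the workflow described above: before a build installs from a pip freeze lock file, it verifies that every line is an exact == pin and that the lock still covers the requirements declared in the build script, so a stale lock is reported instead of silently letting pip resolve a range to whatever is newest. The lock file contents, the declared requirements and the example.invalid URL are constructed sample data.

```python
import re
# Constructed sample: `pip freeze` output for the plugin-managed venv (the lock
# file) and the explicit requirements declared in pom.xml / build.gradle.
LOCK_FILE = """\
contourpy==1.3.0
matplotlib==3.9.2
numpy==1.26.4
-e git+https://example.invalid/localtool.git#egg=localtool
"""
DECLARED = ["matplotlib==3.9.2", "numpy>=1.23", "requests"]
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S+)?\s*$")

def canonical(name: str) -> str:
    """PEP 503 normalisation so 'Pillow' and 'pillow' refer to the same package."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(version: str) -> tuple:
    # Crude ordering: dotted numeric parts compared as integers (enough here).
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def parse_lock(text: str) -> tuple[dict[str, str], list[str]]:
    """Split a pip-freeze lock file into exact '==' pins and everything else."""
    pinned, other = {}, []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).strip()  # pip-style comments
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep and version and re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", name):
            pinned[canonical(name)] = version
        else:
            other.append(line)  # editable/VCS entries etc. carry no exact version
    return pinned, other

def check_lock(declared: list[str], lock_text: str) -> list[str]:
    """Return reasons the lock file is stale or not fully pinned; [] means usable."""
    pinned, other = parse_lock(lock_text)
    problems = [f"not an exact pin: {line}" for line in other]
    for req in declared:
        m = _REQ.match(req)
        if not m: raise ValueError(f"unparseable requirement: {req}")
        name, op, want = m.groups()
        have = pinned.get(canonical(name))
        if have is None:  # build script gained a dependency: regenerate the lock
            problems.append(f"{name}: declared but absent from lock file")
        elif op == "==" and have != want:
            problems.append(f"{name}: lock pins {have}, build script requires {want}")
        elif op == ">=" and version_key(have) < version_key(want):
            problems.append(f"{name}: lock pins {have}, below declared minimum {want}")
    return problems
```

With the sample data, check_lock(DECLARED, LOCK_FILE) reports the unpinned editable entry and the newly declared requests package, which is exactly the situation in which the lock file should be regenerated rather than consumed.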

@fniephaus fniephaus added the enhancement New feature or request label Oct 25, 2024
@fniephaus fniephaus moved this to In Progress in GraalPy Roadmap Oct 25, 2024