New --no-build-isolation check in Pip 22.1 broke oldest-supported-numpy #11116

Closed
1 task done
rgommers opened this issue May 12, 2022 · 9 comments · Fixed by #11117
Labels
type: bug A confirmed bug or unintended behavior

Comments

@rgommers

rgommers commented May 12, 2022

Description

The change in gh-10886 to check for presence of build dependencies when building with --no-build-isolation broke users of oldest-supported-numpy (see scipy/oldest-supported-numpy#53).

For context, oldest-supported-numpy is a meta-package which ensures that the correct numpy version is installed at build time, handling platform and Python-version specific details so those don't have to be replicated in each package which depends on NumPy's C API. Also important: it is a PyPI-specific package; other packaging systems have different ways of dealing with NumPy ABI issues and do not necessarily use the same NumPy versions to build against as the NumPy team recommends as the default for wheels.

A use case like this does not seem to have been considered at all in gh-10886 or the issue for it (gh-9794). It doesn't make sense to have a metapackage like this installed in many cases, nor is it desired to force users to build with exactly one numpy version - in CI for example, it makes perfect sense to test with multiple versions; the only requirement is that the version at runtime is >= the version used at build time.

I don't see a good way to fix this up in either oldest-supported-numpy or in the pyproject.toml files from users of that package, and I think that therefore the change in Pip's behavior should be reverted.

Expected behavior

I expect the reproducer to result in a successful build of scikit-learn. Users must be able to specify oldest-supported-numpy in their build dependencies without the new check being triggered.

This is probably not the only use case that broke, but in case you really want to keep this check: an alternative could be to special-case oldest-supported-numpy inside the code performing the check; instead just check that a version of numpy is installed.

pip version

22.1

Python version

all

OS

all

How to Reproduce

Example for one of a number of packages that are affected:

```
pip install cython scipy 'setuptools<60'
git clone https://github.com/scikit-learn/scikit-learn
cd scikit-learn
pip install --no-build-isolation .
```

Output

```
Processing /Users/rgommers/code/tmp/scikit-learn
ERROR: Some build dependencies for file:///Users/rgommers/code/tmp/scikit-learn are missing: 'oldest-supported-numpy'.
```


@rgommers rgommers added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels May 12, 2022
@rgommers
Author

Cc @q0w, @pradyunsg as author and reviewer of gh-10886

@q0w
Contributor

q0w commented May 12, 2022

Maybe add new flag to validate build deps?

@rgommers
Author

> Maybe add new flag to validate build deps?

It sounds reasonable to do this as opt-in to me. Note that pypa/build has it as opt-out (--skip-dependency-check) and I've found a need to use that on multiple occasions as well. These checks are only applicable in a subset of circumstances where you'd want to use a tool like Pip or build, so opt-in seems much preferred to me.

Side note (I'll expand on that elsewhere): there's a bigger conceptual issue here, which I only noticed once I started to use pyproject.toml on large projects with complex dependencies. That is that you really need two sets of hooks:

  1. Unpinned build dependencies for development, building wheels locally, conda packages, rpm's, etc.
  2. Pinned dependencies specifically for the sdist that you upload to PyPI as part of a release.

These two are very different, and there's no place to put two sets. Right now checks like the one under discussion here simply assume that (1) and (2) are the same.

@uranusjr
Member

Hmm, I guess this applies to all metapackage approaches in general. We should probably make an opt-in or out mechanism (I’m leaning toward an opt-in personally).

Also more broadly, perhaps we should propose some sort of mechanism in packaging metadata to handle metapackages. This is sort of the opposite problem of detecting a specified extra—an extra is a requirement that is specified but can’t be detected, while a metapackage is something that can be specified but should not be considered at runtime. It may be possible to abstract both ideas into a special “virtual package” concept (I think this is Debian’s terminology?) or something.

@pradyunsg
Member

Let’s change this to an opt-in. Looking back at this, I think that’s what we should have done when we implemented this.

@uranusjr
Member

I think we should not validate by default, and add a flag to enable validation.

@tacaswell

> These two are very different, and there's no place to put two sets. Right now checks like the one under discussion here simply assume that (1) and (2) are the same.

I very much agree with this!

rgommers added a commit to rgommers/scipy that referenced this issue May 13, 2022
This change can be reverted once Pip releases its next version with
a fix for pypa/pip#11116.

At the moment all our Azure builds are failing with errors like:
```
ERROR: Some build dependencies for file:///D:/a/1/s conflict with the backend dependencies:
numpy==1.21.4 is incompatible with numpy==1.18.5; python_version=='3.8' and (platform_machine!='arm64' or platform_system!='Darwin') and platform_machine!='aarch64' and platform_python_implementation != 'PyPy'.
```

[skip github]
@henryiii
Contributor

FYI (from another thread), build has had this from the beginning (or at least a long time), and uses:

```
  --skip-dependency-check, -x
                        do not check that build dependencies are installed
  --no-isolation, -n    do not isolate the build in a virtual environment
```

So pipx run build -nx is how you disable isolation and skip the dependency check. Other use cases include cmake and ninja on Conda-forge (the packages there don't install the PyPI packages), and in something like Pyodide where you are locked to a single local version and package authors pin to old versions (including things like numpy - old pins are not required if you build the whole stack).

@jakirkham
Contributor

Yeah for validation in some of these cases, we are not terribly concerned with validation at build time, but do care at install time. Typically we are handling this by running things like pip check once things are in place (so after pip install and possibly other steps like bundling artifacts).
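
The two errors quoted in this thread ("are missing" and "conflict with the backend dependencies") both come from comparing build requirements against what is already installed. The sketch below is an added illustration, not pip's code and not part of any comment; the package lists, versions and function names are constructed, markers are assumed to apply, and only numeric release versions are handled.

```python
import operator
import re

_OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le,
        "<": operator.lt, ">": operator.gt}
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC = re.compile(r"^(==|>=|<=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")

# Constructed sample data, modelled on the reports in this thread.
INSTALLED = {"setuptools": "59.8.0", "Cython": "0.29.30",
             "scipy": "1.8.0", "numpy": "1.21.4"}
SKLEARN_REQUIRES = ["setuptools<60", "cython", "scipy", "oldest-supported-numpy"]
SCIPY_REQUIRES = ["numpy==1.18.5; python_version=='3.8'"]


def _canon(name):
    """Normalise a project name (PEP 503) so Cython and cython compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _ver(text):
    """Turn '1.21.0' into (1, 21); trailing zeros are not significant."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def check_build_requires(requires, installed):
    """Return (missing, conflicting) for a list of build requirements."""
    have_by_name = {_canon(k): v for k, v in installed.items()}
    missing, conflicting = [], []
    for req in requires:
        # Assumption: any environment marker after ';' applies to this platform.
        name, specs = _REQ.match(req.split(";", 1)[0]).groups()
        have = have_by_name.get(_canon(name))
        if have is None:
            missing.append(name)  # the metapackage case: numpy alone does not count
            continue
        for clause in filter(None, (s.strip() for s in specs.split(","))):
            m = _SPEC.match(clause)
            if m is None:
                raise ValueError(f"unsupported specifier: {clause!r}")
            if not _OPS[m.group(1)](_ver(have), _ver(m.group(2))):
                conflicting.append((f"{name}=={have}", req))
                break
    return missing, conflicting


def runtime_abi_ok(build_numpy, runtime_numpy):
    """The rule stated in the issue: runtime numpy must be >= build-time numpy."""
    return _ver(runtime_numpy) >= _ver(build_numpy)
```

A production check would parse requirements and markers with the `packaging` library rather than these regexes.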

tylerjereddy pushed a commit to tylerjereddy/scipy that referenced this issue May 15, 2022
inmantaci pushed a commit to inmanta/inmanta-core that referenced this issue May 23, 2022
Bumps [pip](https://github.com/pypa/pip) from 22.1 to 22.1.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>22.1.1 (2022-05-20)</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Properly filter out optional dependencies (i.e. extras) when checking build environment distributions. (<code>[#11112](pypa/pip#11112) &lt;https://github.com/pypa/pip/issues/11112&gt;</code>_)</li>
<li>Change the build environment dependency checking to be opt-in. (<code>[#11116](pypa/pip#11116) &lt;https://github.com/pypa/pip/issues/11116&gt;</code>_)</li>
<li>Allow using a pre-release version to satisfy a build requirement. This helps
manually populated build environments to more accurately detect build-time
requirement conflicts. (<code>[#11123](pypa/pip#11123) &lt;https://github.com/pypa/pip/issues/11123&gt;</code>_)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/ca2d9f41931a449b8c1b27d02031199d91af93e7"><code>ca2d9f4</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/f20ab575b930b44ea524b0dbdb162f3cecfdf890"><code>f20ab57</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11124">#11124</a> from uranusjr/use-contain-for-checking</li>
<li><a href="https://github.com/pypa/pip/commit/f7c05a51241e3ea656f94f2d79d0afdcf2b0165f"><code>f7c05a5</code></a> Allow pre-release to satisfy build requirements</li>
<li><a href="https://github.com/pypa/pip/commit/30af8074bf83d41a9dacdcd13fb6ca982856032d"><code>30af807</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11117">#11117</a> from q0w/opt-check</li>
<li><a href="https://github.com/pypa/pip/commit/923cb5a197a742bf83797c2190118bdb0e276753"><code>923cb5a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11119">#11119</a> from pradyunsg/move-add_requirement-to-legacy-resolver</li>
<li><a href="https://github.com/pypa/pip/commit/d673aa14284788ea12a789b34846353b7cb3d46f"><code>d673aa1</code></a> Move <code>RequirementSet.add_requirement</code> into <code>LegacyResolver</code></li>
<li><a href="https://github.com/pypa/pip/commit/3166157e406eeaa3e4a6e4db586b04122b411fe9"><code>3166157</code></a> Opt to check build dependencies</li>
<li><a href="https://github.com/pypa/pip/commit/0a982f6444a4e08f601d4b0744b25dd19697306a"><code>0a982f6</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11112">#11112</a> from pradyunsg/filter-out-build-env-extras</li>
<li><a href="https://github.com/pypa/pip/commit/bf090d37d18f27a60839063d02f607185a8d1164"><code>bf090d3</code></a> 📰</li>
<li><a href="https://github.com/pypa/pip/commit/d0c89a151c82a91161477cc9b385833efc18289a"><code>d0c89a1</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10865">#10865</a> from pypa/pradyunsg-patch-1</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/22.1...22.1.1">compare view</a></li>
</ul>
</details>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2022
@pradyunsg pradyunsg removed the S: needs triage Issues/PRs that need to be triaged label Mar 17, 2023