pip check is case sensitive on distribution names #4828

Closed
vphilippon opened this issue Nov 1, 2017 · 5 comments · Fixed by #5000
Labels
auto-locked Outdated issues that have been locked by automation C: check Checking dependency graph for consistency type: bug A confirmed bug or unintended behavior

Comments

@vphilippon
Member

  • Pip version: pip 9.0.1
  • Python version: Python 2.7
  • Operating system: Windows 10

Description:

When running pip check to find unmet dependencies, the check is case sensitive.
As an example, if a package states it requires "pyyaml==3.11" (lowercase), pip check will not detect the missing dependency if PyYAML 3.12 is installed, as the distribution name is "PyYAML" (not all lowercase).

What I've run:

With this setup.py, to reproduce:

from setuptools import setup

setup(
    name='dummy-test',
    version='1.0.0',
    install_requires=['pyyaml==3.11']
)

Then:

$ pip install -e .
Obtaining file:///C:/Users/vphilippon/tests/test_check
Collecting pyyaml==3.11 (from dummy-test==1.0.0)
  Downloading PyYAML-3.11.zip (371kB)
    100% |################################| 378kB 1.6MB/s
Building wheels for collected packages: pyyaml
  Running setup.py bdist_wheel for pyyaml ... done
  Stored in directory: C:\Users\vphilippon\AppData\Local\pip\Cache\wheels\4a\bf\14\d79994d19a59d4f73efdafb8682961f582d45ed6b459420346
Successfully built pyyaml
Installing collected packages: pyyaml, dummy-test
  Running setup.py develop for dummy-test
Successfully installed dummy-test pyyaml-3.11

$ pip install pyyaml==3.12
Collecting pyyaml==3.12
  Using cached PyYAML-3.12-cp27-cp27m-win32.whl
Installing collected packages: pyyaml
Successfully installed pyyaml-3.12

$ pip check
No broken requirements found.

What I expected (obtained by changing to install_requires=['PyYAML==3.11']):

$ pip check
dummy-test 1.0.0 has requirement PyYAML==3.11, but you have PyYAML 3.12.
@pradyunsg pradyunsg added C: check Checking dependency graph for consistency type: bug A confirmed bug or unintended behavior labels Nov 1, 2017
@pradyunsg
Member

Thanks for filing this issue @vphilippon! :)

This is because pip check is not normalising the names when comparing things.

I have a patch that fixes this over at #4820 (just added a test) but there's some more stuff there so, until if there's no clean way to handle #4086 that comes up in the short term (read: before pip 10), I'll make a more specific PR. :)
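The effect of comparing names with and without normalisation, as an added example that is not part of the original thread and not pip's own code: a simplified checker over a constructed environment mirroring the report, handling only `name==version` pins. It goes slightly beyond the case in the report by using the full PEP 503 rule, which also treats `-`, `_` and `.` as equivalent; the function names are hypothetical.

```python
import re

# Constructed sample environment mirroring the report above.
INSTALLED = {"PyYAML": "3.12", "dummy-test": "1.0.0"}
# Declared requirements per distribution; only "name==version" pins are handled.
REQUIRES = {"dummy-test": ["pyyaml==3.11"]}


def exact(name):
    """Case-sensitive key: the comparison that lets the mismatch through."""
    return name


def canonical(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_conflicts(installed, requires, key):
    """Return (dist, requirement, installed_name, installed_version) tuples.

    A requirement whose name is not found under `key` is skipped, which is
    how a key mismatch turns a real conflict into a clean report.
    """
    index = {key(name): (name, ver) for name, ver in installed.items()}
    conflicts = []
    for dist in sorted(requires):
        for req in requires[dist]:
            req_name, _, wanted = req.partition("==")
            found = index.get(key(req_name.strip()))
            if found and found[1] != wanted.strip():
                conflicts.append((dist, req, found[0], found[1]))
    return conflicts


def report(conflicts):
    """Format conflicts in the style of the output quoted in the report."""
    if not conflicts:
        return ["No broken requirements found."]
    return ["%s has requirement %s, but you have %s %s." % c for c in conflicts]


if __name__ == "__main__":
    for key in (exact, canonical):
        print(key.__name__, "->", report(version_conflicts(INSTALLED, REQUIRES, key)))
```
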

@vphilippon
Member Author

vphilippon commented Nov 1, 2017

Thanks @pradyunsg for the info on the states of things.

While it may not look like it, this is a pretty major bug in my eyes.
It essentially means I cannot trust pip check to validate my environment anymore, and considering no dependency resolution is performed on the install, this is pretty bad.

I'll go ahead with a special demand here: Making a 9.0.2 release with a fix to this. I'll be happy to provide a patch targeting a 9.0.x branch if you (and the other maintainers) agree.

The main reason for my demand is that (as you can guess) I care a lot about having some dependency resolution, and I'm pretty sure pip-tools (the only thing that is close to dependency-resolution at the moment, AFAIK) will not be pip 10 compatible in the near future. If the fix for this is only available in pip 10, then I, as a dependency-resolution-issue-aware-user, will be either locked with a bugged pip check and a working pip-tools for dependency resolving, or a working pip check and a broken pip-tools.
I think that many other users (pretty much every pip-tools user) will be in the same boat.

Also, I've started to work on a minimal solution project to dependency resolution that does not depend on pip's internals (pipdepresolver, WIP, I'll improve the README soon:tm:), and it heavily depends on pip check, so this bug is a major issue there too.

I've noted that there is no previous "major release branch" in the repo, so I take it this is not something that was really done before. I'm also aware that this is additional work for the maintainers, who are working on getting pip 10 ready. Although, please consider the request. The fix looks pretty simple, not really any risk of introducing any additional bugs in pip 9.0.x.
Thanks for reading! ☕️

@pradyunsg
Member

> I think that many other users (pretty much every pip-tools user) will be in the same boat.

Sure. I agree with you here.

> it heavily depends on pip check

It'll probably be a better idea to write a tool that does the dependency checking independent of pip; completely decoupled from it. As per my understanding, it's a feasible task to at least implement the same thing as pip check using just pkg_resources (from setuptools). I suggest you look into that approach for dependency checking, instead of depending on pip to overcome its own flaws.

> please consider the request.

FWIW, about a 9.0.2 -- some maintainer would have to do release work and there's a lot of other small issues that should be fixed in a 9.0.2 and finding those and rebasing them etc is probably too much effort. I don't think I can make such a release but won't mind someone doing it; I do think it's extremely unlikely though.

> Thanks for reading!

:D

@vphilippon
Member Author

> As per my understanding, it's a feasible task to at least implement the same thing as pip check using just pkg_resources (from setuptools).

I'll take a look at this, that could replace an actual 'pip check' call. My first goal is to have a stupidly simple tool that, even if extremely inefficient, will give a valid result that can serve as a test reference for better tools in the future. We can discuss this on the project of course. Thanks for the input.

About 9.0.2, I completely understand. My offer to help out if any maintainer wants to tackle this remains, both in bringing in the fix, as well as testing the would-be 9.0.2.

@lock

lock bot commented Jun 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the auto-locked Outdated issues that have been locked by automation label Jun 2, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jun 2, 2019