How to treat non-stdlib packages that are available by default in [all] venvs ? #80

Closed
Nour-Mws opened this issue Jan 23, 2023 · 3 comments

Comments

@Nour-Mws
Collaborator

This is actually 2 issues for the price of one :D

In one conversation in PR #70, it turned out that some packages are available in virtual environments / part of the Python distribution, while not belonging to stdlib.

We'd like to know:

  1. What are these packages (besides pkg_resources)?
  2. Do we need to treat those the same as stdlib (i.e. filter them out of parsed imports)? FD's current behavior is to report them as imports (and subsequently to report them as missing if undeclared).

Original conversation
@mknorps:

pkg_resources is not considered STDLIB:

  • pkg_resources in locations:
    /home/maria/Tweag/FawltyDeps/fawltydeps/extract_dependencies.py:9

@jherland:

Searching for pkg_resources in the stdlib yields really only this page: https://docs.python.org/3/library/importlib.resources.html?highlight=pkg_resources which links to https://setuptools.pypa.io/en/latest/pkg_resources.html, showing that pkg_resources is part of setuptools, and that setuptools is not a part of the stdlib. Thus we should almost certainly add setuptools to our list of main dependencies. The reason it's gone under our radar is that setuptools (along with pip) is automatically installed into every(?) virtualenv...

@Nour-Mws Nour-Mws added this to the First prototype milestone Jan 23, 2023
@jherland
Member

  • What are these packages (besides pkg_resources)?

(pkg_resources is part of setuptools)

Here's what I get on my machine (NixOS, inside our dev shell) when using the venv module in stdlib for creating virtualenvs:

$ rm -rf foo && python3.7 -m venv foo && foo/bin/pip list
Error: Command '['/home/jherland/code/fawltydeps/foo/bin/python3.7', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.
$ rm -rf foo && python3.8 -m venv foo && foo/bin/pip list
Package    Version
---------- -------
pip        22.0.4
setuptools 56.0.0
WARNING: You are using pip version 22.0.4; however, version 22.3.1 is available.
You should consider upgrading via the '/home/jherland/code/fawltydeps/foo/bin/python3.8 -m pip install --upgrade pip' command.
$ rm -rf foo && python3.9 -m venv foo && foo/bin/pip list
Package    Version
---------- -------
pip        22.0.4
setuptools 58.1.0
WARNING: You are using pip version 22.0.4; however, version 22.3.1 is available.
You should consider upgrading via the '/home/jherland/code/fawltydeps/foo/bin/python3.9 -m pip install --upgrade pip' command.
$ rm -rf foo && python3.10 -m venv foo && foo/bin/pip list
Package    Version
---------- -------
pip        22.3.1
setuptools 65.5.0
$ rm -rf foo && python3.11 -m venv foo && foo/bin/pip list
Package    Version
---------- -------
pip        22.3.1
setuptools 65.5.0

So it seems pip and setuptools are the only ones installed by default on this particular setup. I'd be surprised if the venv stdlib module behaved differently on other distros, but there are other mechanisms for creating virtualenvs, most notably the virtualenv tool (which it seems that Poetry might be using, as I found it already present in our dev shell):

$ rm -rf foo && virtualenv foo && foo/bin/pip list
created virtual environment CPython3.10.9.final.0-64 in 99ms
  creator CPython3Posix(dest=/home/jherland/code/fawltydeps/foo, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/home/jherland/.local/share/virtualenv)
    added seed packages: pip==22.3.1, setuptools==65.6.3, wheel==0.38.4
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
Package    Version
---------- -------
pip        22.3.1
setuptools 65.6.3
wheel      0.38.4

That one includes wheel as well.

In any case, I'm pretty sure we're not importing anything from pip or wheel in our code, only pkg_resources from setuptools.

@jherland
Member

BTW, I came across this article (https://pradyunsg.me/blog/2023/01/21/thoughts-on-python-packaging/#pip-a-privileged-player) that, in a footnote, linked to python/cpython#101039: Apparently setuptools is no longer being installed by default in a venv, starting with Python 3.12. Good thing we found this now, instead of getting an ugly surprise when upgrading later.

@Nour-Mws Nour-Mws added the later label Jan 30, 2023
@Nour-Mws Nour-Mws removed this from the First prototype milestone Jan 30, 2023
@Nour-Mws Nour-Mws removed the later label Mar 16, 2023
@jherland
Member

The opinion we have arrived at is that any undeclared non-stdlib dependency should be flagged, even if it's a package (like setuptools) that is available ~everywhere. There are so many different deployment scenarios for Python that there is always somewhere where this package might be missing. Declaring it is always the Right Thing™️ to do.
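
The policy this thread settles on, next to the alternative it rejects, as an added sketch that is not FawltyDeps' own code. The `IMPORT_TO_DIST` mapping, the `assume_present` parameter, the function names and the sample module are assumptions made for illustration.

```python
import ast
import re
import sys

# Assumption: import-name -> distribution mapping, limited to the case in this thread.
IMPORT_TO_DIST = {"pkg_resources": "setuptools"}
# sys.stdlib_module_names needs Python 3.10+; the fallback covers only the sample below.
STDLIB = getattr(sys, "stdlib_module_names", frozenset({"os", "json", "importlib"}))

# Constructed sample module (hypothetical, not taken from FawltyDeps).
SAMPLE = """
import os
import json
from importlib import resources
from . import sibling
import pkg_resources
import requests
"""

def normalize(name):
    # PEP 503 name normalization, so "Foo_Bar" and "foo-bar" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def top_level_imports(source):
    # Collect top-level names of absolute imports; relative imports are first-party.
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names

def undeclared(source, declared, assume_present=()):
    # assume_present models the rejected alternative: treating venv-seeded
    # packages (pip, setuptools, wheel) like stdlib and filtering them out.
    known = {normalize(d) for d in declared} | {normalize(d) for d in assume_present}
    dists = {IMPORT_TO_DIST.get(n, n) for n in top_level_imports(source) if n not in STDLIB}
    return sorted(d for d in dists if normalize(d) not in known)

if __name__ == "__main__":
    print(undeclared(SAMPLE, ["requests"]))                  # strict policy
    print(undeclared(SAMPLE, ["requests"], ["setuptools"]))  # lenient policy
    print(undeclared(SAMPLE, ["requests", "setuptools"]))    # after declaring it
```

The lenient call hides the `pkg_resources` import, which is the case that would break in a Python 3.12 venv where setuptools is no longer seeded.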
