-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use str to pass versions to avoid debundling issue #9467
Conversation
I can see other places this crops up, too:
pip install -e . )
etc. etc. Basically, anything that deals with I ended up with this patch:
|
Eventually this is a downstream packaging issue, and your best chance to get a timely answer is to report these to the downstream packager (e.g. Debian). Pip can help as best we can, but there are close to infinite ways the downstream can break the interoperability. |
With that said, I’d be happy to review the above as a pull request! |
Sorry, if it wasn't clear, I was reviewing your patch in the context of being a downstream packager. It was a good starting point, but I needed to go further. Happy to file that as an MR |
I see, sorry for the confusion. This particular patch will probably soon be irralevant since we’re going to remove the code path to it soon (#9631). Your other changes look right to me though, and I’d be happy to merge them. |
I'm not gonna prevent someone from merging this or whatever; but I don't like this. :) I'd much prefer downstream redistributors who are patching pip be the ones that hold a patch for these cases; because the cause of the issue is something that they've done. |
I’m hoping the Alternatively though, maybe if not isinstance(version, (LegacyVersion, Version)):
- version = parse(version)
+ version = parse(str(version))
return version |
I understand your logic there. The blame attached with it isn't entirely deserved, though. Yes, we should probably get our setuptools in Debian debundled, too. However, in Debian, pip and setuptools don't have the same groups of maintainers, so I can't trivially fix both. But, back to practical matters: pip provides has a mechanism for debundling the dependencies. I know this isn't recommended by pip upstream, as it carries more risk of incompatibility. However, carrying it in pip upstream has the advantage of letting the mechanism be used by all distributions, in predictable ways, rather than everyone solving this with their own set of hacks. Even better would be running CI on |
I don't view it as a matter of blame, more a case that it's more likely that the people doing the debundling understand what and where needs patching than the people who don't debundle and don't test the debundled version. So ultimately by having the people doing the debundling carry the necessary patches, we get a better end user experience.
Equally, though, "someone" (the proverbial "someone" 🙂) could maintain a project that centralised the debundling patches in a distribution-independent way - it doesn't have to be the pip devs that do that.
But please remember, we don't actually want people to debundle. It adds extra maintenance effort on the pip team (even if that effort is just closing bugs saying "not our problem, go and complain to your distro"). See the documentation for the reasoning - but I assume you've probably already read this. Also, running with 🤷 I basically take the same view as @pradyunsg - I don't like spending pip developer effort on the debundling scenario, and I'd rather we didn't. I won't spend any of my time on it. But I'm not going to make a crusade of it - if other pip devs want to work on this, I'm not going to stop them. |
@stefanor I just saw your offer on the Python on Debian Gist! (I'd unsubscribed from that Gist, because... well, the heavy weights from various committees were involved and I'm a squirrel with no fancy titles :P) If weekends work for you, would you like to pick a slot on https://calendly.com/pradyunsg? If not, drop me a line on mail@pradyunsg.me and we can arrange something over email. :) |
I started typing a response here, and then it became very long, and then I realised that I should really involve more people and then (snip some thoughts), so... I've filed #9677. :) |
I recommend the following steps:
I don't see why Debian bureaucratic issues necessitates increasing the pip upstream workload, if it doesn't result in better code. And, speaking as a packager from a distro that devendors both, I wouldn't expect devendoring only one of them to work. You may also wish to consider inspiration from https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/python-setuptools#n28 More generally, this is a repeat of #5429, because setuptools and its .extern logic is strictly inferior to pip's So again, speaking from the distro side of things, I'd NACK this patch. However, I am not affiliated with pypa/pip, so take that with a grain of salt... |
Apparently the linked issue is not debian specific after all... It is, however, due to emulating those same conditions on arch. I would not consider it safe to install package "A" which depends on "B" from my distro, then install my own copy of "B", and still expect the distro copy of "A" to work. It could easily break. Not sure what the best solution to that is, though. |
I’m going to just merge this since the change it causes a regression is practically zero, and the benefit is there. |
thanks for sorting out the devendoring issues. Not sure if this bug report is the correct place, but there's another area why at least Debian and Ubuntu patch distutils and setuptools, and now also seen in #9617. The problem that I'm trying to address: Users of a Linux distro (users, not python developers) can break their system by calling sudo python3 setup.py install overriding packages installed with the distro package manager. The implemented solution (at least for Debian) is to have all modules installed by the distro package manager into a directory /usr/lib/python3/dist-packages, and to re-direct installations of "sudo python3 setup.py install" to /usr/local/lib/python3.9/dist-packages. Not only seen with Debian or Ubuntu, but also here: I'll reply on #9617 as well, but maybe there would be a better place to discuss about a safe "sudo pip install". |
Fix #9348.
SpecifierSet.contains
automatically parses a string intoVersion
, so we can just avoid usingparsed_version
here to avoid issues from a poorly-debundled downstream. The change is pretty cheap and straightforward, and I feel it’s easier to include the workaround so we can avoid the need to explain things when users inevitably report the issue here.