Switch from pip to pipenv or Poetry. #1
Other packaging and env-management tools recommended during conversations with @hynek and @behnazh are flit and asdf and pyenv. Also, note this comment for more references. Another recommended read in this context is the post setup.py vs requirements.txt and Python Application Dependency Management.
Consider also the discussion on PEP 665: A file format to list Python dependencies for reproducibility of an application (and ensuing discussion).
The PEP 665 makes a lot of sense. It also mentions how npm has solved the reproducibility problem by using package.json. But for the time being Poetry seems to be doing well enough in dependency management and reproducibility, I think.
Interesting conversation regarding
Interesting indeed. I didn't find any solid reasoning in the thread for Flit though. In particular, I tend to disagree with this argument:
Welcoming any project without requiring justifications brings us to where we are now, which might be convenient for some developers but quite chaotic compared to npm.
So, more conversations and I’m starting to agree with @hynek’s view: all we need is the pyproject.toml file to declare the dependencies within the There are more details in this Python Application Dependency Management blog post, the setuptools docs, and as an example we can take a look at structlog’s pyproject.toml — which is a package, not an application, though. And in Python’s Python Packaging User Guide we have:
Here’s another choice by the Stripe folks, and a discussion to consider: Remove Poetry and reinstate setup.py #583. I’d like to know @ob-stripe’s and @koobs’ thoughts on that subject (and this issue) now, two years after that decision, and their experiences since.
I think you can test that yourself. Try installing pendulum (same author as Poetry, packaged w/ Poetry) into a Python 3.10 virtualenv.
Another interesting thread: Should I be pinning my dependencies? TL;DR — if we’re building a package, don’t pin because the package needs to live amongst other packages and their dependencies; if we’re building an app, do pin and package accordingly (a somewhat neglected area of the Python ecosystem).
Looking at the I like to look at this problem from all these perspectives:
As also recommended by Scorecard, checking in lock files to the repo can be used as a signature of the state of dependencies, which is essential for the first two concerns. It can, however, still not be perfect for the third issue. However, using dependency update tools, such as Dependabot, can mitigate this problem when dependencies are guaranteed to be the latest, which also pass the CI tests. Or am I missing something? I personally use
Interesting comment:
Today I stumbled over the hashin package which allows adding integrity hashes for packages, much like Node’s package-lock.json file.
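As an added illustration of the integrity hashes mentioned in the comment above (not part of the original thread, and not the project's or hashin's code): a small checker for a requirements file in pip's `--hash=sha256:` format that flags entries lacking an exact pin or a hash, and compares an artifact's digest against the listed ones. The sample file, package names and digests are constructed.

```python
import hashlib
import re

# Constructed sample in pip's hash-checking format (the kind of file hashin
# maintains); package names, versions and digests are made up for illustration.
SAMPLE_REQUIREMENTS = """\
# constructed example
examplepkg==1.2.3 \\
    --hash=sha256:{good}
otherpkg>=2.0
thirdpkg==0.9.1
""".format(good=hashlib.sha256(b"constructed wheel bytes").hexdigest())

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})\b")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;\\]+)")


def parse_requirements(text):
    """Return {name: (version or None, set of sha256 digests)}."""
    # Join backslash-continued lines so each requirement is one logical line.
    logical = re.sub(r"\\\r?\n", " ", text).splitlines()
    result = {}
    for line in logical:
        line = line.split(" #")[0].strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # blank lines, comments, global options such as --index-url
        pin = PIN_RE.match(line)
        name = pin.group(1) if pin else re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0]
        version = pin.group(3) if pin else None
        result[name.lower()] = (version, set(HASH_RE.findall(line)))
    return result


def audit(text):
    """List requirements that are not exactly pinned or carry no hash."""
    problems = []
    for name, (version, hashes) in sorted(parse_requirements(text).items()):
        if version is None:
            problems.append((name, "not pinned with =="))
        elif not hashes:
            problems.append((name, "no sha256 hash"))
    return problems


def artifact_matches(name, data, text):
    """True if the sha256 of `data` is one of the hashes listed for `name`."""
    _, hashes = parse_requirements(text).get(name.lower(), (None, set()))
    return hashlib.sha256(data).hexdigest() in hashes
```

An empty `audit()` result is the precondition for installing with pip's `--require-hashes` mode, which rejects any requirement that is unpinned or has no hash.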
This conversation is growing lengthy, so I wanted to pick it up again with a few thoughts based on what we’ve learned over the past months about packaging Python projects. PR #74 adds Makefile support and commit 34b8953 adds an interesting feature to that Makefile support:
Packages
If a user builds a package then specify only direct package dependencies in
Applications
If a user builds an application then specify only direct package dependencies in
Note that this does not address
Also note that
Case in point 🤓
Closing this because we decided that the current approach of using
Currently the package uses pip and Python’s setuptools as described in Packaging and distributing projects. However, problems with recursive dependency checks, deep version collisions, or cumbersome pinning make working with pip somewhat unreliable.
Consider switching to pipenv or Poetry instead…