On Monday, February 12, 2024 at 3:18:05 AM UTC-8 Dima Pasechnik wrote:

> Pinning packages to a set of tested working versions is a standard
> practice, and as a matter of fact part of best practices to achieve
> stability in various deployment situations, reproducibility, etc.
>
> In the Python world, such pinning is done using requirements.txt,
> Pipfile.lock, and environment.yml files.
> In the Sage distribution, we pin using package-version.txt and tiny
> requirements.txt files.

as well as install-requires.txt and spkg-configure.m4 - they also in 
some cases pin versions, strictly, or not.


These files serve a different purpose. They declare acceptable version 
ranges.
In pure Python packages, this exists as well, as you know.
It is done in pyproject.toml "dependencies" (previously setup.cfg/py 
"install-requires").

Talking about these here is a distraction that does not serve the 
discussion of this topic.

Now, at last, tell us what makes Sage so special that we must vendor 
sphinx and jupyter [...]


Note that I have not expressed much of an opinion yet on your proposal. 
We'll get there.

But as I have pointed out several times previously, you are using the word 
"vendoring" in a polemic and idiosyncratic way, which does not serve the 
discussion. More below.

> A question to ask is what tooling is available to update the version
> pins, and what the cost of using the tools is. For a typical upgrade, by
> improving our tooling, we have reduced the work to just typing
> "./sage -package update-latest sphinx --commit". In the Sphinx upgrade,
> https://github.com/sagemath/sage/pull/37129/files (needs review), I ended
> up updating 25 packages, so I had to use a command like this 25 times. It's
> repetitive, maybe it takes 20 minutes total, but it's not remotely
> something that I would use the phrase "Sage has shot itself in the foot"
> for.

The whole thing of a zillion vendored packages [...]


1. Sage does not "vendor". What is in build/pkgs is _metadata_. It's just 
text. Sage _pins_ versions of packages, so there is information on the 
version.

2. Also the large Sage source tarball does not "vendor". It is a shipment 
of a distribution. Distributions don't "vendor". It's the job of a 
distribution to ship its components.
