Re: [Distutils] "just use debian"

Tue, 30 Sep 2008 09:37:28 -0700 

Chris Withers wrote:

Tarek Ziadé wrote:

Tarek Ziade wrote:
For KGS I agree that this is a big work, but there's the need to work at a 
higher level that in your package
Why? You really need to explain to me why the dependency information in each 
of the packages isn't enough?



Because you can keep up with the dependencies changes, removed, or 
introduced

by a package you depend on.


Why can this not be expressed in the dependency information in the package?



I tried this briefly for a while when Setuptools first came out, and I 
found it completely unmaintainable.



Say I have a package that represents an application.  We'll call it 
FooBlog.  I release version 1.0.  It uses the Turplango web framework 
(1.5 at the time of release) and the Storchalmy ORM (0.4), and Turplango 
uses HardJSON (1.2.1).



I want my version 1.0 to keep working.  So, I figure I'll add the 
dependencies:


  Turplango==1.5
  Storchalmy==0.4


Then HardJSON 2.0 is released, and Turplango only required 
HardJSON>=1.2, so new installations start installing HardJSON 2.0.  But 
my app happens not to be compatible with that library, and so it's 
broken.  OK... so, I could add HardJSON==1.2.1 in my requirements.



But then a small bug fix, HardJSON 1.2.2 comes out, that fixes a 
security bug.  Turplango releases version 1.5.1 that requires 
HardJSON>=1.2.2.  I now have have to update FooBlog to require both 
Turplango==1.5.1 and HardJSON==1.2.2.



Later on, I decide that Turplango 1.6 fixes some important bugs, and I 
want to try it with my app.  I can install Turplango 1.6, but I can't 
start my app because I'll get a version conflict.  So to even experiment 
with a new version of the app, I have to check out FooBlog, update 
setup.py, reinstall (setup.py develop) the package, and then I can start 
using it.  But if I've made other hard requirements of packages like 
HardJSON, I'll have to update all those too.



So... that's the kind of thing I encountered with just a couple 
dependencies, but in practice it was much worse because there were a lot 
more than 3 libraries involved.  I now think it is best to only use 
version requirements to express known conflicts.  For future versions of 
packages you can't really know if they will cause conflicts until they 
are released.



--
Ian Bicking : [EMAIL PROTECTED] : http://blog.ianbicking.org
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig





























					Reply via email to