[PATCH v2] requirements: Start using fixed versions

Stephen Finucane stephen at that.guru
Sat Sep 22 00:51:25 AEST 2018 

On Sat, 2018-09-22 at 00:19 +1000, Daniel Axtens wrote:
> Stephen Finucane <stephen at that.guru> writes:
> 
> > Given that 'tox' doesn't actually read any of these, there's no reason
> > to use ranges of requirements. Instead, use the latest and greatest for
> > live instances and rely on tox to validate behavior with older versions.
> 
> I don't really understand the motivation for this, but I am not
> primarily a python developer, so I'm going to assume it's standard
> practise in the Python world. (And I see the pyup bot constantly making
> PRs for this sort of stuff, so that makes me more confident that this is
> the case.) On that basis, given that v2 fixes Postgres, I have merged
> it.

I've only grasped this myself recently so I'll just dump my impression
of things here.

When it comes to deciding how to manage requirements, you've got to
assess the two types of software you might encounter.

 * libraries
 * applications

Libraries are consumed by other projects and should therefore aim to
support as wide a range of requirements as possible/practical. This
allows the library itself to be as widely used as possible.
Applications, on the other hand, are consumers of libraries and are
rarely consumed themselves. For that reason, they don't need this
flexibility.

Given that Patchwork is an application, we fall into the latter camp.
In an ideal world, this means we wouldn't need to support more than a
single version of each of our requirements, allowing us to test against
one set of dependencies and require those. However, we don't get to
dictate how our users install their dependencies, meaning we need to
support a broader range of dependencies to allow people to install from
PyPI, apt, dnf/yum, etc. That said, given that we validate this by way
of tox, we can use 'requirements.txt' as the source of "optimal" (read:
latest and greatest) requirements, while the 'deps' section in tox
defines the requirements for various other configurations.

Does that make sense?

Stephen

> Regards,
> Daniel
> 
> > 
> > The selenium dependency, which is no longer required since commit
> > bab2895f, is removed. The psycopg2 dependency is updated to use
> > psycopg2-binary, as this avoids the need for the libpg library and
> > removes a deprecation warning.
> > 
> > Signed-off-by: Stephen Finucane <stephen at that.guru>
> > ---
> > v2:
> > - Include psycopg2-binary in requirements-test.txt
> > - Include various django* requirements in requirements-dev.txt instead
> >   of simply including requirements-prod.txt, to prevent conflicts with
> >   psycopg2-binary dependencies
> > - Update dependencies to latest PATCH versions
> > ---
> >  requirements-dev.txt  |  8 ++++----
> >  requirements-prod.txt | 10 +++++-----
> >  requirements-test.txt |  7 +++----
> >  tox.ini               |  1 -
> >  4 files changed, 12 insertions(+), 14 deletions(-)
> > 
> > diff --git a/requirements-dev.txt b/requirements-dev.txt
> > index f4ad751a..70b747f5 100644
> > --- a/requirements-dev.txt
> > +++ b/requirements-dev.txt
> > @@ -1,5 +1,5 @@
> > -Django>=1.11,<2.1; python_version >= '3.4'
> > -Django>=1.11,<2.0; python_version < '3.0'
> > -djangorestframework>=3.4,<3.9
> > -django-filter>=1.0,<1.2
> > +Django==2.0.8; python_version >= '3.4'
> > +Django==1.11.15; python_version < '3.0'
> > +djangorestframework==3.8.2
> > +django-filter==1.1.0
> >  -r requirements-test.txt
> > diff --git a/requirements-prod.txt b/requirements-prod.txt
> > index e7a75354..efe6743c 100644
> > --- a/requirements-prod.txt
> > +++ b/requirements-prod.txt
> > @@ -1,6 +1,6 @@
> > -Django>=1.11,<2.1; python_version >= '3.4'
> > -Django>=1.11,<2.0; python_version < '3.0'
> > -djangorestframework>=3.4,<3.9
> > -django-filter>=1.0,<1.2
> > -psycopg2>=2.7,<2.8
> > +Django==2.0.8; python_version >= '3.4'
> > +Django==1.11.15; python_version < '3.0'
> > +djangorestframework==3.8.2
> > +django-filter==1.1.0
> > +psycopg2-binary==2.7.5
> >  sqlparse==0.2.4
> > diff --git a/requirements-test.txt b/requirements-test.txt
> > index 94dc3db7..295cceff 100644
> > --- a/requirements-test.txt
> > +++ b/requirements-test.txt
> > @@ -1,5 +1,4 @@
> > -mysqlclient>=1.3,<1.4
> > -psycopg2-binary>=2.7,<2.8
> > +mysqlclient==1.3.13
> > +psycopg2-binary==2.7.5
> >  django-debug-toolbar==1.9.1
> > -python-dateutil>2.0,<3.0
> > -selenium>=3.0,<4.0
> > +python-dateutil==2.7.3
> > diff --git a/tox.ini b/tox.ini
> > index 3684d716..3a783d26 100644
> > --- a/tox.ini
> > +++ b/tox.ini
> > @@ -19,7 +19,6 @@ setenv =
> >      py27: PYTHONWARNINGS = once
> >      py{34,36}:PYTHONWARNINGS = once,ignore::ImportWarning:backports
> >      py35:PYTHONWARNINGS = once,ignore::ResourceWarning:unittest.suite,ignore::ImportWarning:backports
> > -
> >  passenv =
> >      http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
> >      PW_TEST_DB_TYPE PW_TEST_DB_USER PW_TEST_DB_PASS PW_TEST_DB_HOST
> > -- 
> > 2.17.1

More information about the Patchwork mailing list