Select pre-release collections that are inevitable #81764
Conversation
webknjaz
force-pushed
the
bugfixes/inevitable-pre-releases-in-collection-dependency-tree
branch
from
fada668 to
7274714
Compare
ansibot
added
bug
There was a problem hiding this comment.
Do you have an example of pip working like this? I tried with a package I knew had a pre-release and wasn't able to see it use the pre-release. For example pip install 'pypsrp>=0.9.0' will not install the 1.0.0b1 release. Maybe it's because it's a beta of a major version bump but it would be good to see evidence that this is how Pip works.
To me it doesn't make too much sense to silently bring in a pre-release, it should be explicitly requested either by a pre-release requirement somewhere or with --pre in the cli args.
It doesn't and is declared a bug worth fixing which I've additionally confirmed with a Pip maintainer in a private chat: pypa/pip#11888 (comment). I'm going to make sure it's fixed in pip.
https://peps.python.org/pep-0440/#handling-of-pre-releases says it should work like this. And I agree — offering an obvious solution is better then erroring out. Also, It'd be weird if a transitive dependency can only be satisfied with pre-releases so it'd require But I agree that maybe it's worth printing out a warning when there's no I talked to @s-hertel on Slack and we agreed that this is how the resolver should behave. And not just because we've drawn a lot of inspiration from Pip and PEP 440 — it's just more intuitive. And I think this is the right thing to do. |
|
I don't wish to stand in the way of this, I just think that using a pre-release without an explicit opt in acknowledgement is not ideal. This is because pre-releases can contain half implemented or potentially bug prone code and IMO a user should be explicitly acknowledging they are fine with this either through an explicit requirement somewhere or some flag/setting.
While it does, it places it under the section
This to me says that it should allow this behaviour but not necessarily as the default, just a way to opt into it. The first example here seems to be covered by Personally I would wait to merge this behaviour until |
To be clear, I haven't looked at this in any depth. But we are in agreement that the current behavior does not match the PEP 440 (for multiple reasons). |
|
@jborean93 I'd rather not wait for pip since there's no timeline yet. I think I'd add a warning/error that would depend on a CLI argument but I'm convinced that letting the resolve return something over nothing is a more pleasant UX. Ultimately, the end-users are still responsible for getting their deps in order but in case of the transitive deps, they're dependent on the packagers' decisions and can't do anything about that. And if those packagers depend on pre-release ranges, they probably know what they're doing so I'd argue it's an explicit pre-release request. We still should make it obvious to the end-users, of course. |
bcoca
removed
the
needs_triage
@jborean93 I implemented this in aaa04eb. Erroring out pending. |
ansibot
added
the
needs_revision
@jborean93 this is implemented in |
webknjaz
force-pushed
the
bugfixes/inevitable-pre-releases-in-collection-dependency-tree
branch
from
38f1ccc to
648a74b
Compare
|
Ultimately I'm a +0 on this. I can see that this being compliant with PEP 440 but I don't think that people should be creating collections that depend on a pre-release version without them explicitly putting in the pre-release requirement. Having a version flag without a non-prerelease available seems like a package smell to me. |
ansibot
removed
the
needs_revision
This comment was marked as outdated.
This comment was marked as outdated.
ansibot
added
the
stale_ci
ansibot
added
the
needs_rebase
ansibot
added
the
stale_pr
webknjaz
force-pushed
the
bugfixes/inevitable-pre-releases-in-collection-dependency-tree
branch
from
648a74b to
cd11ecd
Compare
ansibot
removed
needs_rebase
ansibot
added
the
stale_ci
Previously, the resolvelib dependency resolver that we use for managing the collection installations, was set up to disregard pre-releases met in the dependnecy tree unless `--pre` was passed on the CLI by the end-user or the collection didn't have any stable releases published to Galaxy or an Authomation Hub instance. With this patch, our dependency resolver will start considering pre-releases that are the only way to satisfy requirements met in the dependnecy tree. Such as, when a dependency is requested restricted by a version range that doesn't match any stable releases but can be satisfied by pre-releases in that range. Though, such pre-releases would be disregarded if there are pre-installed collections that already satisfy the requested requirements. As with many of our previous design considerations, this one is inspired by the Python packaging ecosystem, pip and PEP 440. It is intended to align better with the natural end-user expectations, from the UX perspective.
This warning is only shown when the end-user doesn't explicitly request pre-release versions to be considered globally but the dependency resolver returns some despite that.
Prior to this patch, whenever the dependency resolver resorted to falling back to selecting pre-release collection candidates to satisfy the dependency tree requirements, the CLI program would print out a warning, listing such pre-release collections that ended up being a part of the dependency tree. This change allows the end-users to specify `--forbid-inevitable-pre-releases` command-line option that will turn the warning into an error. The pre-release candidates are still not being rejected early during the resolution but are returned in the tree, making it possible to display the list of pre-releases that are the only way to satisfy the dependency requirements.
webknjaz
force-pushed
the
bugfixes/inevitable-pre-releases-in-collection-dependency-tree
branch
from
cd11ecd to
8411c31
Compare
ansibot
removed
the
stale_ci
ansibot
added
the
stale_ci
Previously, the resolvelib dependency resolver that we use for managing the collection installations, was set up to disregard pre-releases met in the dependnecy tree unless
--prewas passed on the CLI by the end-user or the collection didn't have any stable releases published to Galaxy or an Authomation Hub instance.With this patch, our dependency resolver will start considering pre-releases that are the only way to satisfy requirements met in the dependnecy tree. Such as, when a dependency is requested restricted by a version range that doesn't match any stable releases but can be satisfied by pre-releases in that range. Though, such pre-releases would be disregarded if there are pre-installed collections that already satisfy the requested requirements.
As with many of our previous design considerations, this one is inspired by the Python packaging ecosystem, pip and PEP 440. It is intended to align better with the natural end-user expectations, from the UX perspective.
SUMMARY
$sbj.
ISSUE TYPE
ADDITIONAL INFORMATION
N/A