Conversation
342bc49
to
fa439e8
Compare
2134b5b
to
139281c
Compare
139281c
to
2d9e79d
Compare
2d9e79d
to
5d21368
Compare
See PR description for updates around changes and test plan |
5d21368
to
0361573
Compare
Temporarily moving this to draft until freedomofpress/securedrop-builder#248 is merged so that I can undo the small workaround and use the latest pip-tools when updating requirements for all environments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By using pip-compile with the --upgrade
flag, we will always upgrade all the dependencies. This is a departure from the current method of updating only the dependencies we need to update, and pinning the lowest version in *requirements.in. One such example (updating the dependencies identified here) can be found in https://github.com/freedomofpress/securedrop-proxy/compare/test-88
The rationale is that it makes updates less likely to break applications, because we only update the dependencies when required, and only update the dependencies that need to be updated. By carefully crafting requirements.in, we ensure that only the minimal amount of packages are updated when pip is compiled (partially due to requirement to review the production requirements, and building wheels in securedrop-debian-packaging
)
Because we probably want to use the same pip-compile commands across the board, if we do adopt this approach here, it may make sense to adopt it elsewhere. What are the advantages of upgrading all the dependencies each time we update the requirements file?
python3 -m venv .venv | ||
## Good idea to upgrade pip and wheel when you create a new virtual environment. | ||
## Or you could use the virtualenv command instead. | ||
.venv/bin/pip install --upgrade pip wheel |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will install pip and wheel without locking versions nor hashes, which has downsides:
- Since we don't pin versions, an update to pip or wheel can break
- We have no way of tracking or validating the integrity of the packages that are installed (we do install pip on L12)
Is there a reason this is required here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
venv
is a new makefile target to create a dev virtual environment that can install all the dependencies defined in dev-requirements.txt
. the reason to update wheel
here is to fix the following error when you create a virtual env for the proxy (perhaps this is why the venv
target was not included even though it is a standard across most of our projects):
error: invalid command 'bdist_wheel'
notice also how we do pip install --upgrade pip
when running make bandit
since this is dev only
Makefile
Outdated
pip-compile --allow-unsafe --generate-hashes --output-file dev-requirements.txt dev-requirements.in requirements.in | ||
@ pip install -U pip-tools | ||
pip-compile --generate-hashes --allow-unsafe --upgrade --output-file dev-requirements.txt dev-requirements.in requirements.in | ||
@ pip install pip-tools==5.0.0 # securedrop-debian-packaging#225 workaround |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should probably use pip-tools as pinned by the requirements file, in other words, use the requirements installed in the .venv
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is a workaround for the issue we've had for a while in our packaging code that makes it so we don't support pip-tools>5.0.0. the reason this PR is in draft mode is to remove this workaround, since I fixed the debian packaging logic here: freedomofpress/securedrop-builder#248 <-- this should be reviewed first.
So the PR proposes the following:
In the PR, you'll notice this is a new rule being proposed for dev-only. That's why we still run
Nothing has changed in
That is a securedrop-debian-packaging#225 workaround that will go away once our packaging bug is fixed (it's fixed in this PR: freedomofpress/securedrop-builder#248, which should be reviewed first). Once that is fixed, I will remove that simple workaround and will move this PR out of draft mode. |
Signed-off-by: Allie Crevier <allie@freedom.press>
0361573
to
610104d
Compare
As mentioned before, once freedomofpress/securedrop-builder#248 is merged this PR will be ready for review (I removed the workaround here that freedomofpress/securedrop-builder#248 directly fixed). So this is now ready for a final review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @creviera for the changes here, LGTM. As discussed, we will try using the --upgrade
flag on the dev requirements to update them more regularly.
Description
This PR proposes the following change:
.in
file, do not require a specific version unless there's reason to use a specific version. Doing so will help alleviate tedium when updating dependencies in the future. If you need to specify a version, lean towards using>=
.make update-pip-requirements
will now usepip-complie --upgrade
for dev dependenciesvenv
makefile targetupdate-pip-requirements
)Safety error
Test Plan
proxy.py
are non-functional changesmake venv
source .venv/bin/activate
make check
has no errorsmake update-pip-requirements
runs without error