Don't install packages that could mess packaging up

[kennethreitz]

No description provided.

[cclauss]

Could this be streamlined?

def good_package(line):
	package_name = line.split('=')[0].split('<')[0].split('>')[0]
	return package_name not in BAD_PACKAGES

lines = [line for line in f if good_package(line)]

[kennethreitz]

I want to do as little parsing as possible, for fear of breaking anything with crazy requirements files.

[cclauss]

Understood... see other package names that begin with but do not end with six for instance https://pypi.python.org/pypi?%3Aaction=search&term=Six&submit=search

[kennethreitz]

I was planning to cross that bridge when I came to it, which I honestly doubt would happen any time soon. I'll see what I can do though.

[kennethreitz]

@cclauss i updated the code; integrated what you suggested and made a few improvements

[hone]

Should we have a message that tells people we're replacing stuff in their requirements.txt with things in the Python buildpack or overwriting their requirements.txt file at all.

Also, how does this affect pipenv?

[kennethreitz]

Pipenv has this functionality built-in.

I don't think a message is needed, but I could add one saying "Removing packaging libraries from requirements.txt".

[kennethreitz]

In my mind, if someone has any of these listed in their requirements.txt, it is accidental, not intentional.

[kennethreitz]

e.g. they don't understand what's going on. so, i don't want to overload them with information.

[hone]

@kennethreitz is there a place you could link them to that would help?

[kennethreitz]

No.

[kennethreitz]

This is a new problem, and one that is temporary and will go away soon (but we need to have this code for people using this version range of setuptools locally for the future).

It's not well-understood or documented anywhere that I know of.

[kennethreitz]

Waiting, waiting, waiting... for CI to pass.

[jayvdb]

missing EOL

[kennethreitz]

thanks!

[jayvdb]

version='pip-grep'

[kennethreitz]

thanks!

[jayvdb]

In my mind, if someone has any of these listed in their requirements.txt, it is accidental, not intentional.
e.g. they don't understand what's going on. so, i don't want to overload them with information.

The more usual explanation is they have put them in because they have minimum and maximum requirements.
setuptools installs pkg_resources which is the main mechanism people use for fetching plugins (implicit namespaces is the newer alternative).
And more importantly, because of the fact that pip doesnt have a proper resolver, sometimes it is necessary to mention one of these packages in requirements.txt so that pip follows a particular path in its resolution strategy. You remove one of them of requirements.txt, and pip behaves differently when resolving indirect dependencies many levels deep.
At the very least, there should be a note to say why the deploy is using different versions from the versions they see when they deploy the app somewhere else.

[kennethreitz]

Related: #393

[cclauss]

You can just do .split() with no parameters instead of .split(' ').split('\n') because it deals with all whitespaces. Given the for line in f, \n is not really an issue here.

[kennethreitz]

\n is included in each line

[jayvdb]

Buggy. c.f. #400

[edmorley]

This is a new problem, and one that is temporary and will go away soon

Was this to work around setuptools unvendoring their dependencies in v34.0.0 (which they've then reverted in v36.0.0) and relying on install_requires instead? (Which presumably could cause issues if the versions they required conflicted with those in requirements.txt?)

[kennethreitz]

@edmorley yes