An easy way to update packages versions #1153
Comments
One implementation thought: We could set up a GitHub Actions workflow to run that tool on some cadence and open / close PRs based on test status.
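A scheduled workflow of the kind described here might look roughly like this. This is only a sketch: the workflow name, the cadence, and the `tools/update-deps.py` script are assumptions for illustration, not files that exist in this repo.

```yaml
# Hypothetical scheduled workflow: run a dependency-update tool weekly
# and open a PR with the result. Names and paths are illustrative.
name: update-dependencies
on:
  schedule:
    - cron: "0 5 * * 1"  # every Monday at 05:00 UTC
  workflow_dispatch: {}   # also allow manual runs

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run the update tool (assumed script name)
        run: python tools/update-deps.py
      - name: Open a PR with any changes
        uses: peter-evans/create-pull-request@v6
        with:
          title: "Automated dependency updates"
          branch: auto/update-deps
```

Closing stale update PRs when tests fail could then be handled by the same workflow or a companion one.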
Good idea. Note that this tool already exists and can be used at least as a base. It is described in the contributor documentation.
I think one of the best ways to do it would be to use a tool like dependabot. However, it does not support conda, and its Docker support will not help with our use cases.
I think the idea of having a GitHub Action to update the dependencies would be a good approach (and overcomes the limitations of dependabot). I would be happy to give this a go.
I think no one has been working on this issue for the past few months, so I say: give this a go if you want to, it would be awesome :)
Great - will get working on this and create a draft PR as soon as possible.
This is perhaps a silly question, but why pin the dependencies in the first place? Especially for scipy-notebook. I've been gaining more experience with conda-forge, and it seems like a good strategy is to leave most things unpinned. When something unexpected happens, it's probably because of some error in the upstream dependencies, which can (and should) be fixed in the respective feedstock.
That's not a silly question at all. I see several positive things in pinning versions:
But we can't say this to our users, right? So sometimes we will have to fix some versions.
@mathbunnyru, I used to think similarly, but my perspective has changed. I think reproducibility is ultimately the responsibility of the end user, and that is easily achieved by pinning a Docker build number. Moreover, the current practice of pinning major/minor version numbers doesn't provide exact reproducibility. For that you'd need not only the patch number but also the conda-forge build number. For exact reproducibility, I add the following command in my Dockerfile:

I do agree with your point 5. While I think it's a fact of life that upstream dependencies will change and break things, I can see how pinning makes things more tame. I'm not suggesting never to fix versions, just that fixing versions is overrated.
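The commenter's actual Dockerfile command is not shown above. One common way to capture a bit-for-bit record of an environment, including patch versions and conda-forge build numbers, is conda's explicit spec file; this is a sketch of that approach, not necessarily what the commenter used, and the output path is illustrative.

```dockerfile
# Record the exact environment, including build strings, at image build time.
# The spec file can later recreate an identical environment with:
#   conda create --name repro --file /opt/conda-spec.txt
RUN conda list --explicit > /opt/conda-spec.txt
```

Combined with a pinned image tag, this gives end users the exact reproducibility discussed above without the images themselves having to pin anything.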
The major.minor version pinning approach used here originated in the early days of conda-forge when it was extremely difficult to get a working build with the number of packages in these images. I think it's reasonable to experiment with an unpinned strategy today as long as users are informed about the change, there is a manifest of what actually got installed during a build (there is on the wiki), and active maintainers are ok with troubleshooting a potential decrease in build stability.
In fact, we could do this not only for conda dependencies but also for other parts of the stack, like the upstream Ubuntu image. We should also change the build policy and switch to some kind of regular build (daily, weekly) instead of building only after a merge on the master branch.
Late loyal user feedback on this. Whilst I completely understand the reasons behind un-pinning package versions, I believe it may have been a good idea to at least keep the major component. Most packages use semantic versioning, so that would in theory always get the latest non-breaking changes (which I believe is what everyone tends to want).

Personally I have been finding it very convenient to come here from time to time and check what changed (anything major?) via diff links like https://github.com/jupyter/docker-stacks/compare/b9f6ce795cfc..master.
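Keeping just the major component, as suggested above, can be expressed directly in a conda-style install line. This is an illustrative sketch using this repo's `mamba install` convention; the package names are examples, not the actual pin list.

```dockerfile
# Pin only the major version: new minor/patch releases are picked up,
# but (in principle, under semver) no breaking releases. Examples only.
RUN mamba install --yes \
    'scipy=1.*' \
    'pandas=2.*' && \
    mamba clean --all -f -y
```

This sits between full pinning and full un-pinning: users still get fresh packages, but a `2.x` → `3.x` jump requires an explicit change in the Dockerfile.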
Now that everything is going to be latest, visibility is lost. For users controlling their environment, checking what changed is a lot more cumbersome. Am I missing anything? Perhaps it would be good to automatically commit a lock file as part of new builds? Thank you for your great work on this repo!
There are also wiki build manifests, but you will have to diff entire pages, which is also doable, but a bit more difficult, I suppose.
Thank you, that is useful. Yes, I think a custom tool to diff build manifests might be my way to go moving forward.
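A minimal version of such a diff tool could parse two manifests into name→version maps and report what changed. This is a sketch; it assumes the manifest contains a plain `name version build [channel]` table, as `conda list` prints, which may differ from the exact wiki page format.

```python
def parse_manifest(text):
    """Parse `conda list`-style output into a {package: version} dict.

    Lines starting with '#' are comments; each data line looks like
    'name version build [channel]'.
    """
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            packages[parts[0]] = parts[1]
    return packages


def diff_manifests(old_text, new_text):
    """Return (added, removed, changed) between two manifest texts."""
    old, new = parse_manifest(old_text), parse_manifest(new_text)
    added = {p: v for p, v in new.items() if p not in old}
    removed = {p: v for p, v in old.items() if p not in new}
    changed = {p: (old[p], new[p]) for p in old.keys() & new.keys()
               if old[p] != new[p]}
    return added, removed, changed


if __name__ == "__main__":
    old = "# packages\nnumpy 1.21.0 py39 conda-forge\nscipy 1.7.0 py39 conda-forge\n"
    new = "# packages\nnumpy 1.21.2 py39 conda-forge\npandas 1.3.0 py39 conda-forge\n"
    print(diff_manifests(old, new))
```

Feeding it two saved wiki manifest pages would answer the "anything major?" question without any local image pulls.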
Having everything in a git repo would make diffing easier, but at least all the data is already there in the wiki, and it's probably not worth the time at this point.
Yes, that's what I ended up doing 👍. Below is an excerpt of some doc I wrote. I am using vscode to produce rich diffs.

> How to select a new image
The wiki clone stores the various versions of manifests in separate files, which is a git antipattern. One can do diffs by hand as in @slmg's solution, but then you're not actually leveraging git except as a file store. Ideally you'd have a single file whose git history contains the successive manifests.

Given that one can do the diffs by hand, I don't personally have enough motivation to arrange the manifests into a true git repo. But I think it would be nice, because you could, for example, use GitHub as an interface for browsing the diffs without having to work in a local clone.
It would be nice. Though wouldn't it make it hard to keep track of the original commit id from this repo? How could we determine which versions to compare if only one file is tracked?

It would work fine if manifests were committed to this repo, with the commit hash used to tag images. That would enable falling back to a simple visit to https://github.com/jupyter/docker-stacks/compare/current..new

But as you mentioned, that sounds like a lot of work for little benefit, and the current process allows getting the relevant info without too much effort. It's much better than my first thought of pulling GBs locally just to fiddle with them.
I think the best solution is to have both things.
@mathbunnyru great point! And that would probably be trivial to implement. Unfortunately, it seems that GitHub doesn't allow one to browse the files or view blame in a wiki repo (it doesn't work to visit https://github.com/jupyter/docker-stacks.wiki/blob/master/Home.md). I wonder if it would be difficult to mirror the wiki as a normal, browsable GitHub repo?
I think that might be a bit too much :)
I see a lot of commits just updating several packages.
It would be great to have a tool which automatically finds all the outdated versions (with some blacklist, maybe), tries to update them, and, if the tests pass, automatically commits the changes.
That way we will always have the latest (and greatest) packages and reduce a lot of manual work.
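The first step of such a tool, locating the pinned versions in a Dockerfile, could be sketched like this. Assumptions: pins look like quoted conda specs such as `'scipy=1.7.*'` inside install lines, which matches this repo's style; the update/test/commit steps are left out.

```python
import re

# Matches quoted conda-style pins such as 'scipy=1.7.*' or 'numpy=1.21.2'.
PIN_RE = re.compile(r"'([A-Za-z0-9._-]+)=([^']+)'")

def find_pins(dockerfile_text):
    """Return a {package: pinned_spec} dict from a Dockerfile's install lines."""
    return {name: spec for name, spec in PIN_RE.findall(dockerfile_text)}

if __name__ == "__main__":
    sample = """
    RUN mamba install --yes \\
        'scipy=1.7.*' \\
        'pandas=1.3.*'
    """
    print(find_pins(sample))  # {'scipy': '1.7.*', 'pandas': '1.3.*'}
```

From there, the tool would query the latest available versions (minus the blacklist), rewrite the specs, and let CI decide whether to commit.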