New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
too strict install_requires dependencies #3447
Comments
Thanks @blshkv for reaching out to us! This is certainly a hot topic that we have discussed multiple times - and every release we reevaluate our decisions in this area. We are trying to provide a stable and working mitmproxy package for our users. Unfortunately we had multiple occasions in the past where one of our dependencies changed their API or introduced bugs with minor and even bugfix-releases. Since this breaks not only the package in question, but also mitmproxy, we adopted an explicit version dependency requirement for all packages listed in our install_requires list. Only for certain packages that provide a good track record and adhere to semver principles, we have loosened the restriction and bind only to the explicit major release number. Unless you can guarantee us that our dependencies never break compatibility with mitmproxy, we are continuing to restrict the version numbers we automatically accept. If you feel one of the packages should be a "blessed" dependency (i.e., semver + good track record), please feel free to send a PR that bumps the upper bound of our install_requires entry for this package. |
@Kriechi Thank you for your detailed explanation. That makes sense totally, especially if you had a bad experience in the past. One of Gentoo guys made a change to lose these dependencies in our ebuild and I decided to double check with you. We will stick with your approach then. Thanks again! |
Hello,
we are working on adding the tool in Gentoo (https://bugs.gentoo.org/572170) and noticed that the current requirement list is too strict.
https://github.com/mitmproxy/mitmproxy/blob/master/setup.py#L63
You have restricted ALL new versions just in case which is not much better than pining dependencies to specific versions
Please remove this restriction unless it is known that a package changes an API frequently.
Thank you.
The text was updated successfully, but these errors were encountered: