too strict install_requires dependencies

[blshkv]

Hello,

we are working on adding the tool in Gentoo (https://bugs.gentoo.org/572170) and noticed that the current requirement list is too strict.
https://github.com/mitmproxy/mitmproxy/blob/master/setup.py#L63

You have restricted ALL new versions just in case which is not much better than pining dependencies to specific versions

Please remove this restriction unless it is known that a package changes an API frequently.

Thank you.

[Kriechi]

Thanks @blshkv for reaching out to us! This is certainly a hot topic that we have discussed multiple times - and every release we reevaluate our decisions in this area.

We are trying to provide a stable and working mitmproxy package for our users. Unfortunately we had multiple occasions in the past where one of our dependencies changed their API or introduced bugs with minor and even bugfix-releases. Since this breaks not only the package in question, but also mitmproxy, we adopted an explicit version dependency requirement for all packages listed in our install_requires list. Only for certain packages that provide a good track record and adhere to semver principles, we have loosened the restriction and bind only to the explicit major release number.

Unless you can guarantee us that our dependencies never break compatibility with mitmproxy, we are continuing to restrict the version numbers we automatically accept. If you feel one of the packages should be a "blessed" dependency (i.e., semver + good track record), please feel free to send a PR that bumps the upper bound of our install_requires entry for this package.

[blshkv]

@Kriechi Thank you for your detailed explanation. That makes sense totally, especially if you had a bad experience in the past. One of Gentoo guys made a change to lose these dependencies in our ebuild and I decided to double check with you. We will stick with your approach then. Thanks again!