Build packages with pinned dependencies from .lock file #2778
Comments
artslob
added
kind/feature
|
I'd think it is reasonable for a tool such as I assume that what you want as behavior is that each package listed in your Is that an accurate assessment? |
|
Well, no actually. What I want is that when package is builded it will require exact versions of all dependencies from lock file. These versions can be also extracted (vied) using Right now when package is builded it requires versions specified in pyproject.toml file. |
|
I'm certainly a fan of this idea, and made a similar comment regarding that "Applications are not distributed via wheels" argument on the original issue. |
|
@artslob @Tobotimus @tomzx A PR has been filed: #3341. Would you mind giving it a try, giving feedback on it, reviewing the code? Whatever helps to get things moving |
|
I will try to find some time to check it |
|
+1 to the suggestion @Tobotimus made ere and in #1307 (comment). This workflow perfectly supports apps that you might install, say via |
|
I have created poetry-lock-package to do exactly this. Having a cluster that provisions on demand we could provisiin the right versions without manual scripting and hosting of a requirements file (already had a private repo). I have created a feature request with the export plugin, but have not had any response there yet. |
neersighted
added
area/installer
|
Short of adding the So - either allowing the build artifacts to be dictated by the lock file (
The reason I slightly prefer this "strict mode" personally is that I don't believe as a consumer of the library or package that I should need to inspect both |
|
This feature is something I currently need, because of a workflow where we build wheels and publish those to a DataBricks runtime, where we then install them. I would like to have all the dependencies locked down. I wouldn't mind doing some work on this; implementing the functionality as described in this issue. Would that be welcomed? |
I've created https://pypi.org/project/poetry-lock-package/ to do this and I've been looking for support from the poetry team to incorporate this into poetry. I have not had any response yet. My guess is the best place for this is in the export plugin, which has been moved outside of the poetry code to here: https://github.com/python-poetry/poetry-export-plugin If you consider opening a pull request, I think it's best to check discord first and then create a PR for the export plugin. |
|
I will definitely check out your work, @bneijt ! That was already on my list, actually. Still, I think it's a great feature to be incorporated into poetry, so I would definitely be happy to contribute. EDIT: While the solution of @bneijt creates a second wheel, I'd propose keeping a single wheel, with adjusted metadata. So having this in the export plugin does not make sense to me. |
|
I created a poetry plugin that adds support for building wheel files via commandline using locked dependencies in poetry.lock, also adds support for data_files: https://github.com/spoorn/poeblix, https://pypi.org/project/poeblix/ |
|
Any update on this issue? |
|
I think we should try to work on a plugin or another project that will repackage the wheel file, if poetry team does not understand why it is an important feature |
|
This is something we are interested in implementing (it has been discussed extensively as 'locked wheels' among the team and with interested parties on Discord), and will require the 'lock file aware core' that @abn has been prototyping. However, there are simply lots of immediate problems to be solved, and limited bandwidth among the individuals capable of and motivated to seeing such an invasive refactor through. |
|
Could you elaborate on the extensive rework? I've been using this functionality as a separate one page script for more than a year now and I still think this could either be an extra part of the metadata of the project (as extra dependencies section with pinned/locked versions) or a feature in a plugin like the export plugin python-poetry/poetry-plugin-export#1 I'll try find the discord discussion to find out what the refactor is about, but if you could write a summary that would also be very helpful to document these concerns. |
|
@bneijt I found these two (not sure how up-to-date they are): |
|
A MVP of reading the lockfile and a maintainable design are not quite the same thing (especially as we have to figure out a way to deal with locked and unlocked builds and how projects opt in and out to this new behavior). It's not insurmountable, but it's not something trivial to merge either. |
finswimmer
added
area/build-system
|
In addition to @spoorn's poeblix, it looks like cloud-custodian/poetry-plugin-freeze is another plugin that attempts to solve this issue. |
After few hours of investigation of TFT-2072, the culprint
is the new Ansible 2.15 breaks STI.
We agreed on freezing to 2.14. We updated to to 2.15, because
we install the deps via pip, what has great but poetry does
not yet make it possible to freeze deps:
python-poetry/poetry#2778
This limits the requirements to ansible-core<2.15.
Resolves TFT-2072
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
After few hours of investigation of TFT-2072, the culprint
is the new Ansible 2.15 breaks STI.
We agreed on freezing to 2.14. We updated to to 2.15, because
we install the deps via pip, what has great but poetry does
not yet make it possible to freeze deps:
python-poetry/poetry#2778
This limits the requirements to ansible-core<2.15.
Resolves TFT-2072
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
After few hours of investigation of TFT-2072, the culprint
is the new Ansible 2.15 breaks STI.
We agreed on freezing to 2.14. We updated to to 2.15, because
we install the deps via pip, what has great but poetry does
not yet make it possible to freeze deps:
python-poetry/poetry#2778
This limits the requirements to ansible-core<2.15.
Resolves TFT-2072
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
After few hours of investigation of TFT-2072, the culprint
is the new Ansible 2.15 breaks STI.
We agreed on freezing to 2.14. We updated to to 2.15, because
we install the deps via pip, what has great but poetry does
not yet make it possible to freeze deps:
python-poetry/poetry#2778
This limits the requirements to ansible-core<2.15.
Resolves TFT-2072
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
|
I believe this is the appropriate issue to report this use case that would require that I can # set up pip indices
[[tool.poetry.source]]
name = "nvidia-pypi"
url = "https://pypi.nvidia.com"
priority = "explicit"
cuml-cu12 = {version = "~23.10", source = "nvidia-pypi", optional = true}When I install via I get the correct it installs https://pypi.org/project/cuml-cu12/ instead (the Unfortunately, I cannot provide a minimal example because it is internal code but I will try to extract an MWE and share here. |
|
In reply to the above, this ticket is about embedding the information that IMHO What I have been working with for a long time now is creating a separate package that contains all the lock file dependencies as python package dependencies, but it would be way cleaner if it was an option poetry could add to the package metadata as an optional dependency list instead. @hanslovsky There are multiple options for your current issue:
Hope any of those will help. |
|
A function like proposed here may had saved us from our production outage today. May i clarify our use case: We are using poetry to develop a python3 based CLI tool, which is quite important for an application we are running. Of course, this tool is also having some external dependencies from pypi. An maintainer put something like So normally, this is not a problem, since the Lockfile of poetry is pinning those implicit dependencies and gives us (paired with our usage of renovate bot and Unit Tests in CI pipelines) full transparency, which dependency update may cause problems. Due to the fact, that we are building the project using Saying that, we need to understand, that |
|
I think pipx run with the —spec feature can really play a good place in this subject. Potentially will will have 2 versions of the same app running at the same time, so you need to have 2 virtualenv. And distributing through pipy is really a must have. because distributing the wheel on pipy and a locked requirement on another way is really not manageable. I would like to have a locked « flavor » of my app distributed through pipy alongside my non-locked lib |
|
There are plugins that might be able to help (I have not tested them myself): |
|
Here is a general flow for build and install that I landed on. Build: poetry export -o requirements.txt
poetry build --format=wheelInstall: pip install -r requirements.txt
pip install --no-deps dist/*.whl
pip check |
|
You probably want to merge the pip install together, but the problem is still you cannot distribute the requirements.txt on pypi |
|
You can merge them. I split them to optimize for docker build caching. |
|
Are the development dependencies in the Also note that, as far as I know, it is possible to do something like this: |
|
|
Feature Request
As title says, this feature is about to
poetry buildbuild wheels and packages with pinned versions specified inpoetry.lockfile. Command can be something likepoetry build --locked.Its duplicate of closed #1307. Reason to close this issue was argument about libraries and applications (in short):
So I think its not actually true that applications should not use wheels and pypi for distribution, sometimes its reasonable to have package with pinned dependencies from lock file. Example of such use case can be some cli tools like https://github.com/ytdl-org/youtube-dl, so development team and end-user use same dependencies. Another example is some backend application that deployed on server by wheel package.
The text was updated successfully, but these errors were encountered: