Do not pin dependencies to specific versions

[razius]

Because the packages in setup.py are really old and they use exact
version, when installing the package into a virtualenv it will end-up
downgrading already existing packages.

In the Python documentation it is also mentioned that it is not a best
practice to use install_requires to pin dependencies to specific versions.

See also:

• Bump requests to latest version #195
• Bump celery version #198
• https://packaging.python.org/discussions/install-requires-vs-requirements/#install-requires

[coveralls]

Coverage remained the same at 80.738% when pulling 8e522bf on unisport:master into 91da00a on snowplow:master.

[razius]

Looks like Python 3.3 has reached EOL and is no longer supported, should I drop the test for it and update docs?

https://www.python.org/download/releases/3.3.0/

[snowplowcla]

Thanks for your pull request. Is this your first contribution to a Snowplow open source project? Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://github.com/snowplow/snowplow/wiki/CLA to learn more and sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

[razius]

I signed it.

[snowplowcla]

@razius has signed the Software Grant and Corporate Contributor License Agreement

[BenFradet]

LGTM, I'll let @chuwy have a look

[asoltysik]

I think it would better to put upper bounds to be safe, but feel free to ignore this suggestion. For example Requests uses semver: http://docs.python-requests.org/en/master/dev/philosophy/#semantic-versioning

There is also ~= operator if you prefer it: https://www.python.org/dev/peps/pep-0440/#compatible-release

[razius]

Using the ~= will still downgrade if the minor version doesn't match so I'm not sure but an upper bound sounds like a very good idea.

What should the upper bound be? I can bump on our end to latest, try it out and put that as the upper bound.

[asoltysik]

For requests I think it's safe to put < 3.0.0 as they are using SemVer - for others I guess it depends what versioning scheme they are using?

[chuwy]

I'm also all for adding upper bounds. Of course we need to update the tracker more often, but last time unbounded dependencies caused a lot of pain as we simply didn't know what deps were used last time.

[alexanderdean]

+1 for upper bounds

[mhadam]

@razius If we can get upper bounds on all these, this should be ready for merging.

[razius]

@mhadam , I'll try to find some time this weekend.

[razius]

I see this was done in 91da00a.

[mhadam]

I see this was done in 91da00a.

I don't see any changes in setup.py, but maybe I'm missing something.

[razius]

@mhadam , wouldn't it be this ? 91da00a#diff-2eeaed663bd0d25b7e608891384b7298R77

[mhadam]

I think what we're aiming for is that install_requires has upper bounds like "greenlet>=0.4.10, <1.0.0" (this follows from the thread with @asoltysik above)

So all of these need >= for the versions and proper upper bounds, I think most if not all follow semver.

[mhadam]

closing this in favor of #209