Revise requirements files again #982
Conversation
1a47650 to fdc85f8
@joshuagl, would you mind taking a quick look at this PR?
Follows up on theupdateframework#978, which had the following problems:
- too many requirements files (cc @trishankatdatadog ;)
- used extra tooling around pip-compile that
  - didn't take into account requirement markers (see comments in requirements.txt in this commit), and
  - confused Dependabot, which expects the hashed requirements file in a certain format, as pip-compile would generate it without custom tooling (see theupdateframework#979).

This commit restructures the requirements files as follows:
- Merges requirements-tox.txt and requirements-test.txt. The separation was semantically correct but operationally irrelevant.
- Removes the hashed requirements file, which doesn't add much security, especially with PEP 458 on the way (see python/peps#1306), but extra maintenance (see notes about requirements.txt in theupdateframework#978 and about Dependabot above)
- Manually adds environment markers to requirements-pinned.txt (see comments in requirements.txt in this commit).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
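The commit above keeps environment markers in the hand-maintained requirements-pinned.txt because pip-compile dropped them. The following is an added example, not code from python-tuf or from this PR: a small reader for such a pinned file that keeps each line's marker and evaluates it against an explicitly supplied environment, so you can see which pins apply on which interpreter without touching the real one. It supports only the single-clause `variable op "value"` marker form (no `and`/`or`, no extras), which is an assumption made for brevity; the file contents, package names and versions are constructed samples.

```python
"""
Added example (not part of python-tuf or the PR above): read a pinned
requirements file that carries PEP 508 environment markers and report which
pins apply for a given environment. Only the simple `var op "value"` marker
form is handled; this is a deliberate simplification of PEP 508.
"""
import operator
import re

# Constructed sample of a hand-maintained requirements-pinned.txt.
# Package names and versions are made up for the example.
SAMPLE_PINNED = """\
# requirements-pinned.txt (constructed sample)
examplepkg==1.2.3
compatlib==0.9.0; python_version < "3"
winonly==2.0.0; sys_platform == "win32"
sharedlib==4.5.6   # trailing comment
"""

_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^;\s]+)(?:\s*;\s*(?P<marker>.+))?$"
)
_MARKER_RE = re.compile(
    r'^(?P<var>[a-z_]+)\s*(?P<op>==|!=|<=|>=|<|>)\s*"(?P<value>[^"]*)"$'
)
_OPS = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}


def _version_key(version):
    """Turn '3.10' into (3, 10) so version comparisons are numeric, not lexical.
    Comparing the strings directly would claim '3.10' < '3.9'."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def marker_applies(marker, env):
    """Evaluate a single-clause marker such as python_version < "3" against env,
    a dict of marker variables (e.g. python_version, sys_platform)."""
    m = _MARKER_RE.match(marker.strip())
    if not m:
        raise ValueError(f"unsupported marker form: {marker!r}")
    var, op, value = m["var"], m["op"], m["value"]
    if var not in env:
        raise KeyError(f"marker variable not in supplied environment: {var}")
    left, right = env[var], value
    if var in ("python_version", "python_full_version"):
        left, right = _version_key(left), _version_key(right)
    return _OPS[op](left, right)


def parse_pinned(text):
    """Return (name, version, marker_or_None) per requirement line, skipping
    blank lines and '#' comments. Anything that is not an exact '==' pin is
    rejected, since a pinned file should contain nothing else."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {raw!r}")
        pins.append((m["name"], m["version"], m["marker"]))
    return pins


def applicable_pins(text, env):
    """Return {name: version} for the pins whose marker holds in env
    (pins without a marker always apply)."""
    return {
        name: version
        for name, version, marker in parse_pinned(text)
        if marker is None or marker_applies(marker, env)
    }


if __name__ == "__main__":
    py3_linux = {"python_version": "3.8", "sys_platform": "linux"}
    print(applicable_pins(SAMPLE_PINNED, py3_linux))
```

Running the block prints the two unconditional pins for a Python 3 Linux environment; swapping in a Python 2 or Windows environment dict pulls in the marker-guarded lines. For production use the `packaging.markers` module implements the full PEP 508 grammar; the hand-rolled evaluator here exists only to make the marker semantics visible.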
fdc85f8 to 730e4d8
TODO:
- Add Dependabot badge
- Compare to theupdateframework/python-tuf#982 and in-toto/in-toto#294
- Grep for renames
- Create commits
This looks like a reasonable set of changes to me. It's not 100% clear to me from the message what about the prior requirements.txt was causing Dependabot to choke, but I don't think that should block this merge. We seem to have equivalent functionality, modulo hashes in the requirements.txt, which is a small price to pay for our dependencies being automatically monitored and updated.
Many thanks for the review, @joshuagl! You're right, my comments above don't shine much light on the why of the problem. That's mostly because I'm not so sure about it. One would probably have to delve into Dependabot's Ruby scripts, which I don't want to. (The main reason for switching to Dependabot was that I didn't want to troubleshoot Pyup.) From playing around a little bit, I saw that Dependabot has troubles updating a

Given that we require some custom and manual tooling around pip-compile (see comments in requirements.txt), I decided to remove the hashed file, so Dependabot doesn't choke on the hashes, and we only have to half-manually maintain one requirements file (i.e. the pinned one). Also, while the purpose of the pinned requirements file seems quite convincing, that is, auto-triggering tests against all latest dependencies whenever any of them is updated, the benefits of hashed requirements do less, at least in regards to the issues described above. I hope this clarifies my motivation.
Thanks for taking the time to write that up @lukpueh. I agree with your motivation – switching to a more reliable dependency monitoring/updating tool. LGTM.
Adopt docs for updating requirements-pinned.txt based on their revision in tuf and sslib:
- theupdateframework/python-tuf#982
- secure-systems-lab/securesystemslib#209

The update includes a transfer of the doc header + script/commands from requirements-pinned.txt to requirements.txt, and the resulting simplification of the commands.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Fixes issue #: #978 follow-up
Description of the changes being introduced by the pull request:
Follows up on #978, which had the following problems:
This commit restructures the requirements files as follows: