
I feel like I mostly see hard version equality in Python module requirements.txt files. Am I mistaken? Or is there a good reason that >= isn't more common?


I kind of think dependency management is such a mess that the == version requirement is a helpful nudge forcing the use of isolated virtual environments, but that seems suboptimal.


@xor I think the big thing is that pip doesn't have a lockfile. After a few times of getting burned by problems from new patch or minor versions (happened to me!) I figure people settle on that so they can at least ensure what they tested is what they deploy.

@xor I'm much less worried about the state of dependency management since adopting Guix. It is not ready for prime time in many areas (Python is actually one of its best) but it points so clearly towards the future that it's killed my despair about dependency management as a problem.

@xor >= can result in weird behavior for resolvers.

When you freeze dependencies (a la pip freeze pip.pypa.io/en/stable/referenc) you ensure that your build is reproducible and what you tested is what your end users are getting.

However! The == on dependencies is much less common for library applications, where "freezing" dependencies significantly reduces portability because then dependencies of many consumer applications become harder to satisfy.
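As an added example (not code from this thread or from pip), a small stdlib-only Python check built around the == versus >= distinction made above: it classifies each requirements.txt line as an exact pin, a range, or unpinned, so a CI step for an application can flag a requirements file that would not reproduce the build that was tested. The sample file contents are constructed; extras and environment markers are stripped rather than interpreted.

```python
import re

# Constructed sample in requirements.txt syntax: a mix of what `pip freeze`
# emits (hard == pins) and the looser specifiers a library would declare.
SAMPLE = """\
# app dependencies
requests==2.31.0
flask>=2.0,<3          # library-style range
numpy                  # no specifier at all
pyyaml==6.*            # wildcard: not a single release
urllib3~=1.26          # compatible-release operator
-r other.txt
"""

_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
_SPEC = re.compile(r"(===|==|!=|<=|>=|~=|<|>)\s*([^,\s]+)")


def classify(line):
    """Return (name, kind) for one requirement line, or None for
    blanks, comments and pip options such as -r / -e / --index-url."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _NAME.match(line)
    if not m:
        return None
    name, rest = m.group(1).lower(), m.group(2)
    specs = _SPEC.findall(rest)
    if not specs:
        return name, "unpinned"
    # Exactly one release is selected only by == or === without a wildcard.
    if any(op in ("==", "===") and not ver.endswith("*") for op, ver in specs):
        return name, "exact"
    return name, "range"


def unfrozen(text):
    """Names whose line would not reproduce a single tested release."""
    out = []
    for line in text.splitlines():
        r = classify(line)
        if r and r[1] != "exact":
            out.append(r[0])
    return out


if __name__ == "__main__":
    for name in unfrozen(SAMPLE):
        print("not an exact pin:", name)
```

Run against an application's own requirements.txt, a non-empty result means the deploy can resolve to releases that were never tested; for a library's install_requires the same output is expected and harmless.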

@ehashman yeah, I've probably come across those library applications less often, and all that makes sense.

@ehashman for my use case (this is still that one crossword scraper, I know, I'm a broken record) it seems silly to require the very latest of each package, but I think it makes the most sense anyway.
