FYI i thought about how we make devpi-server know about which project depends on which other projects. With that information we could do all kinds of good things:
- display depency info on the per-project web page or along with release files (this project depends on ProjectY and ProjectZ)
- display if all recent versions of deps are properly working and tested with a project's latest release
- could trigger server-side "dependency changed" events so that for example a tox run could be triggered for the new test configuration
- create pin-versioned requirement files that could be used with "pip install -r tested-requirements.txt", and/or possibly a UI like "devpi rinstall X" where it would query the latest set of dependencies for which tests passed, download all according files and then run "pip install --no-index FILE1 FILE2 [...]" which wouldn't require any more network access.
Question is how to best get the (closure) set of dependencies for a project. I cam currently pondering the following possibilities to obtain the information at server side:
- if the project has release files as wheels, look at wheel metadata which lists deps (requires just virtually unzipping a wheel and looking at safe metadata files)
- "devpi test" could run "setup.py egg_info" and send the requirements it finds to the server (requires login), additionally it should probably "pip list" all test dependencies in the respective tox environments and add them as well because if test dependencies change, tests should be re-run as well.
These two methods would not require any change in client-facing UI and allow us to get and display the dependencies information.
Any comments or thoughts on the matter welcome.