[Distutils] Library instability on PyPI and impact on OpenStack
Reinout van Rees
reinout at vanrees.org
Thu Feb 28 17:40:51 CET 2013
On 28-02-13 16:39, Mark McLoughlin wrote:
> Generally speaking, when a project has a large list of dependencies on
> libraries outside of its control, it can take one of two approaches to
> those dependencies:
>
> 1) specify the minimum required version of each library and assume new
> releases of all your dependencies will be backwards compatible with
> previous versions.
> 2) specify exactly what version of each library to use, because you
> assume all of your dependencies are constantly changing their APIs
> and breaking your app
I use versions in two places:
- In my setup.py I note minimum versions. "xyz >= 1.2". In a rare case,
I can say "<2dev" or so.
- In my buildout configuration (or requirements.txt), I pin versions
exactly.
A bit of extra explanation on the last part: I have one basic set of
version pins (KGS, Known Good Set) that I use in most places, so not
every project needs to keep track of all versions.
Something like http://packages.lizardsystem.nl/kgs/1.30/versions.cfg
The minimum requirements keep your software working and keep you
from picking known wrong versions. The version pinning keeps everything
reliable.
(Note that you can get buildout to always print any new versions that it
picked, so it is easy to keep everything up-to-date regarding pins).
Reinout
--
Reinout van Rees http://reinout.vanrees.org/
reinout at vanrees.org http://www.nelen-schuurmans.nl/
"If you're not sure what to do, make something. -- Paul Graham"
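The two-level scheme described above (minimum versions in setup.py, exact pins in a KGS) can be checked mechanically: every pin in the KGS must satisfy the ranges declared in install_requires, otherwise the pin reinstates a version the minimums were meant to exclude. The following is an added example written for this thread, not code from the poster, from buildout or from any project on this list; the install_requires list and the versions.cfg text are constructed, and the version comparison is a deliberately small subset of what pkg_resources/packaging implement (numeric dotted releases plus dev/a/b/rc suffixes), just enough for the "<2dev" style of constraint used above.

```python
"""Check a Known Good Set (KGS) of exact pins against the minimum-version
constraints declared in a setup.py install_requires list."""
import re

# Constructed install_requires, as it would appear in setup.py.
INSTALL_REQUIRES = [
    "xyz >= 1.2, < 2dev",
    "abc >= 0.8",
    "pqr",
]

# Constructed KGS, in buildout versions.cfg style ([versions] section).
KGS_VERSIONS_CFG = """\
[versions]
xyz = 1.4.1
abc = 0.7
pqr = 3.0
"""

# Minimal version grammar: dotted numeric release, optional pre-release tag.
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?:[.\-]?(?P<pre>dev|a|b|rc)(?P<pre_num>\d*))?$"
)
# Ordering of pre-release tags; a final release (no tag) ranks highest.
_PRE_RANK = {"dev": 0, "a": 1, "b": 2, "rc": 3, None: 4}


def parse_version(text):
    """Turn '1.4.1', '2dev' or '2.0.dev1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    release = [int(p) for p in m.group("release").split(".")]
    # Trailing zeros do not change a version: 2.0 == 2, so 2dev < 2.0.dev1 < 2.0
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    return (tuple(release), _PRE_RANK[m.group("pre")], int(m.group("pre_num") or 0))


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_SPEC_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<constraints>.*)$")
_CONSTRAINT_RE = re.compile(r"^(>=|<=|==|!=|<|>)\s*(.+)$")


def parse_requirement(spec):
    """'xyz >= 1.2, < 2dev' -> ('xyz', [('>=', '1.2'), ('<', '2dev')])."""
    m = _SPEC_RE.match(spec)
    name = m.group("name").lower()
    constraints = []
    rest = m.group("constraints").strip()
    if rest:
        for part in rest.split(","):
            cm = _CONSTRAINT_RE.match(part.strip())
            if not cm:
                raise ValueError("unsupported constraint in %r" % spec)
            constraints.append((cm.group(1), cm.group(2).strip()))
    return name, constraints


def parse_kgs(text):
    """Read 'name = version' lines from the [versions] section of a KGS."""
    pins = {}
    in_versions = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_versions = line == "[versions]"
            continue
        if in_versions and "=" in line:
            name, version = (s.strip() for s in line.split("=", 1))
            pins[name.lower()] = version
    return pins


def check_pins(install_requires, kgs_text):
    """Return {name: reason} for each requirement whose pin is missing or
    outside the declared range; an empty dict means the KGS is usable."""
    pins = parse_kgs(kgs_text)
    problems = {}
    for spec in install_requires:
        name, constraints = parse_requirement(spec)
        if name not in pins:
            problems[name] = "no pin in KGS"
            continue
        pinned = parse_version(pins[name])
        for op, wanted in constraints:
            if not _OPS[op](pinned, parse_version(wanted)):
                problems[name] = "pinned %s violates %s%s" % (pins[name], op, wanted)
                break
    return problems


if __name__ == "__main__":
    for name, reason in sorted(check_pins(INSTALL_REQUIRES, KGS_VERSIONS_CFG).items()):
        print("%s: %s" % (name, reason))
```

Run against the constructed data it reports abc (pinned at 0.7, below the declared minimum of 0.8) and nothing else; a package that appears in install_requires but has no pin is also reported, since an unpinned dependency is exactly the thing a KGS is supposed to prevent. The pre-release handling matters for the "<2dev" idiom: 1.9.9 passes, 2.0.dev1 does not.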