[Distutils] Different purposes for Setuptools requirements versus Pip requirements (was: Maintaining a curated set of Python packages)

Ben Finney ben+python at benfinney.id.au
Thu Dec 8 22:41:53 EST 2016


Jeremy Stanley <fungi at yuggoth.org> writes:

> [the ‘pbr’ library] does allow you to basically abstract away most
> common configuration into declarative setup.cfg and requirements.txt
> files

Hmm. That description sounds like a mistaken conflation of two things
that should be distinct:

* Declaration in Setuptools metadata of what versions of dependencies
  this distribution is *compatible with*.

  This purpose is served by Distutils ‘install_requires’ (and
  ‘test_requires’, etc.). It is characterised by specifying a range of
  versions for each dependency, for allowing dependency resolvers to
  have options to choose from.

      foo >=1.2, <3.0

* Declaration in Pip metadata for what *exact version* of each
  dependency I want to deploy.

  This purpose is served by Pip ‘requires.txt’ input. It is
  characterised by pinning a *single* version of each dependency, for a
  deterministic, repeatable deployment.

      foo == 1.4.7

If we're saying ‘pbr’ encourages the use of a single set of declarations
for those quite different purposes, that sounds like an attractive
nuisance.

For those who haven't read it, see this post from Donald Stufft for why
those purposes need to be kept distinct:

    There’s a lot of misunderstanding between setup.py and
    requirements.txt and their roles. A lot of people have felt they are
    duplicated information and have even created tools to handle this
    “duplication”.

    <URL:https://caremad.io/posts/2013/07/setup-vs-requirement/>

-- 
 \       “Corporation, n. An ingenious device for obtaining individual |
  `\       profit without individual responsibility.” —Ambrose Bierce, |
_o__)                                   _The Devil's Dictionary_, 1906 |
Ben Finney
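
An added example, not part of the message above and not code from Setuptools, Pip or pbr: a small check that a set of exact deployment pins stays inside the compatibility ranges declared for the distribution. The names `parse`, `satisfies`, `audit`, `DECLARED` and `PINNED` are hypothetical, the sample data is constructed, and only plain numeric versions are handled.

```python
import operator
import re

# Sketch: plain numeric versions only; full PEP 440 needs the `packaging` library.
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(.*)$")
SPEC = re.compile(r"^(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")

def parse(line):
    """'foo >=1.2, <3.0' -> ('foo', [('>=', (1, 2)), ('<', (3, 0))])"""
    name, rest = REQ.match(line).groups()
    specs = []
    for clause in filter(None, (c.strip() for c in rest.split(","))):
        found = SPEC.match(clause)
        if not found:
            raise ValueError(f"unsupported specifier: {clause!r}")
        specs.append((found[1], tuple(int(p) for p in found[2].split("."))))
    return name.lower(), specs

def satisfies(pin, specs):
    """True if the pinned version meets every clause (1.2 equals 1.2.0)."""
    for op, bound in specs:
        width = max(len(pin), len(bound))
        pad = lambda v: v + (0,) * (width - len(v))
        if not OPS[op](pad(pin), pad(bound)):
            return False
    return True

def audit(install_requires, pinned_lines):
    """Return findings where the deployment pins and the declared ranges disagree."""
    findings, pins = [], {}
    for line in pinned_lines:
        name, specs = parse(line)
        exact = len(specs) == 1 and specs[0][0] == "=="
        pins[name] = specs[0][1] if exact else None
        if not exact:
            findings.append(f"{name}: not pinned to a single version")
    for line in install_requires:
        name, specs = parse(line)
        if name not in pins:
            findings.append(f"{name}: declared but absent from the pins")
        elif pins[name] is not None and not satisfies(pins[name], specs):
            findings.append(f"{name}: pin is outside the declared range")
    return findings

# Constructed sample input, using the two forms shown in the message above.
DECLARED = ["foo >=1.2, <3.0", "bar >=2.0", "baz >=1.0"]
PINNED = ["foo == 1.4.7", "bar == 1.9", "qux >=0.5"]
```

Calling `audit(DECLARED, PINNED)` reports the unpinned `qux`, the out-of-range `bar` pin and the missing `baz` pin, while `foo` passes.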


