Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deep freeze of backend dependencies #550

Open
1 of 4 tasks
psrok1 opened this issue Feb 18, 2022 · 1 comment
Open
1 of 4 tasks

Deep freeze of backend dependencies #550

psrok1 opened this issue Feb 18, 2022 · 1 comment
Labels
type:improvement Small improvement of existing feature zone:backend MWDB backend core related tasks

Comments

@psrok1
Copy link
Member

psrok1 commented Feb 18, 2022
edited
Loading

Feature Category

  • Correctness
  • User Interface / User Experience
  • Performance
  • Other (please explain)

Describe the problem

Inappropriate dependency pinning (especially packages that are dependencies of our dependencies) sometimes breaks installation of stable releases.

Examples:

Describe the solution you'd like

We should pin everything deeply in requirements.txt. Entries that are not direct dependencies of MWDB Core should be marked with a comment that describes which dependency relies on that entry. These entries should be updated along with version bump of related direct dependency.

e.g.

prance==0.21.8.0  # dependency of apispec

requirements.txt entries might be order-sersitive (I'm not sure, maybe it changed in newer pip versions) so pip freeze > requirements.txt is not enough, we should find a good tool to make these entries semi-automatically.
@psrok1 psrok1 added type:improvement Small improvement of existing feature zone:backend MWDB backend core related tasks labels Feb 18, 2022
@psrok1
Copy link
Member Author

psrok1 commented Feb 21, 2022

Some thoughts on locking dependencies:

  • Using locked dependencies should be optional in case of non-isolated environments to prevent introducing the dependency hell. That's why I'm against locking deeply all dependencies on setup.py level.
  • Locked dependencies might work well for Docker builds and CI builds and will make them more reproducible. These environments should be targeted by this issue.

One of considered solutions is using a packaging tool that supports dependency lock files:

  • pipenv virtualenv and package manager
  • Poetry package manager

But I'm not sure if I want to introduce another heavyweight solution to our workflow, so I would prefer to use something simple to do the job.

Proposed solution is:

  • create lock-requirements.txt that contains dependencies along with pinned versions of sub-dependencies.
  • use pipdeptree --freeze --local (pipdeptree -fl) to generate this file 
    apispec==3.3.1
Authlib==0.15.4
  cryptography==35.0.0
    cffi==1.14.6
      pycparser==2.20
bcrypt==3.1.4
  cffi==1.14.6
    pycparser==2.20
  six==1.16.0
beautifultable==1.0.1
  wcwidth==0.2.5
black==20.8b1
...
    I would also wrap it with extra script that chooses only these packages that are in the actual requirements.txt file
  • That file can be used in Dockerfile to install the exact version of all dependencies

Additional nice thing is that locked dependencies will be tracked by Dependabot, so we can better track for vulnerabilities that can be introduced by vulnerable packages installed in deployed images.

@psrok1 psrok1 linked a pull request Apr 5, 2022 that will close this issue
Use Poetry for dependency management #578
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:improvement Small improvement of existing feature zone:backend MWDB backend core related tasks
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use Poetry for dependency management CERT-Polska/mwdb-core
1 participant
@psrok1