Hi, Dan and I had been doing most of the maintenance work for Pipenv recently, and as Dan mentioned, we have been working on some related projects that poke into pip internals significantly, so I feel I should voice some opinions. I have significantly less experience messing with pip than Dan, and might be able to offer a slightly different perspective.
Pipenv mainly interacts with pip for two things: install/uninstall/upgrade packages, and to gain information about a package (what versions are available, what dependencies does a particular version has, etc.). For the former case, we are currently using it with subprocesses, and it is likely the intended way of interaction. I have to say, however, that the experience is not flawless. pip has a significant startup time, and does not offer chances for interaction once it is started on running, so we really don’t have a good way to, for example, provide installation progress bar for the user, unless we parse pip’s stdout directly. These are not essential to Pipenv’s functionality, however, so they are more like an annoyance rather than glaring problems. The other thing Pipenv uses pip for—getting package information—is more troubling (to me, personally). Pipenv has a slightly different need from pip regarding dependency resolution. pip can (and does) freely drop dependencies that does not match the current environment, but Pipenv needs to generate a lock file for an abstract platform that works for, say, both macOS and Windows. This means pip’s resolver is not useful for us, and we need to implement our own. Our own resolver, however, still needs to know about packages it gets, and we are left with two choices: a. try re-implement the same logic, or b. use pip internals to cobble something together. We tried to go for a. for a while, but as you’d easily imagine, our own implementation is buggy, cannot handle edge cases nearly as well, and fielded a lot of complaints along the lines of “I can do this in pip, why can’t I do the same in Pipenv”. One example is how package artifacts are discovered. At my own first glance, I thought to myself this wouldn’t be that hard—we have a simple API, and the naming conventions are there, so as long as we specify sources in Pipfile (we do), we should be able to discover them no problem. I couldn’t be more wrong. There are find_links, dependency_links, pip.conf for the user, for the machine, all sorts of things, and for everything quirk in pip we don’t replicate 100%, issues are filed urging use to fix it. In the end we gave up and use pip’s internal PackageFinder instead. This is a big problem going forward, and we are fully aware of that. The strategy we are taking at the moment is to try to limit the surface area of pip internals usage. Dan mentioned we have been building a resolver for Pipenv[1], and we took the chance to work toward centralising things interfacing with pip internals. Those are still internals, of course, but we now have a relatively good idea what we actually need from pip, and I’d be extremely happy if some parts of pip can come out as standalone with official blessing. The things I am particularly interested in (since they would be beneficial for Pipenv) are: * VcsSupport * PackageFinder * WheelBuilder (and everything that comes with it like the wheel cache, preparer, unpack_url, etc.) Sorry for the very long post, but I want to get everything out so it might be easier to paint a complete picture of the state we are currently in. [1]: https://github.com/sarugaku/passa <https://github.com/sarugaku/passa> Yours, TP -- Tzu-ping Chung (@uranusjr) uranu...@gmail.com https://uranusjr.com > On 21/8, 2018, at 00:00, distutils-sig-requ...@python.org wrote: > > Send Distutils-SIG mailing list submissions to > distutils-sig@python.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/ > or, via email, send a message with subject or body 'help' to > distutils-sig-requ...@python.org > > You can reach the person managing the list at > distutils-sig-ow...@python.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Distutils-SIG digest..."Today's Topics: > > 1. Re: pipenv and pip (Dan Ryan) > 2. Re: pipenv and pip (Dan Ryan) > > From: Dan Ryan <d...@danryan.co> > Subject: [Distutils] Re: pipenv and pip > Date: 20 August 2018 at 22:04:11 GMT+8 > To: Chris Jerdonek <chris.jerdo...@gmail.com> > Cc: distutils sig <distutils-sig@python.org> > > > The truth is that it’s basically impossible to gauge bugs in pip vs bugs in > our patches to it which are often a lot more likely — reproductions of edge > cases can be impossible but there are specific things I know we broke (like > parsing certain kinds of extras, previously) — mostly bugs land in pips issue > tracker before we report them or we will direct people there. We have like 2 > active maintainers and we are maintaining like 15 pipenv related projects so > we normally just point people at pip rather than file an issue. I am usually > on irc as well if needed, and I often ask for clarification there > > Dan Ryan // pipenv maintainer > gh: @techalchemy > >> On Aug 20, 2018, at 4:32 AM, Chris Jerdonek <chris.jerdo...@gmail.com> wrote: >> >> Thanks. Is the state of affairs as you described them what you're >> planning for the future as well, or do you anticipate any changes >> worthy of note? >> >> Also, are any of the bugs filed in pipenv's tracker due to bugs or >> rough spots in pip -- is there a way to find those, like by using a >> label? It would be good to be able to know about those so pip can >> improve and become more useful. It doesn't seem like any bugs have >> been filed in pip's tracker in the past year by any of pipenv's top >> contributors. That seems a bit surprising to me given pipenv's heavy >> reliance on pip (together with the fact that I know pip has its share >> of issues), or is there another way you have of communicating >> regarding things that interconnect with pip? >> >> Thanks, >> --Chris >> >> >> >>> On Mon, Aug 20, 2018 at 12:51 AM, Dan Ryan <d...@danryan.co> wrote: >>> Sure I can grab that— we patch pip because we use some internals to handle >>> resolution and we have some bugs around that currently. They aren’t >>> upstreamed because they aren’t actually present in pip, only in pipenv. >>> Pipenv crosses back and forth across the virtualenv boundary during the >>> process. Pipenv relies on piptools and vendors a patched version of pip to >>> ensure consistency as well as to provide a few hacks around querying the >>> index. We do have a bit of reimplementation around some kinds of logic, >>> with the largest overlap being in parsing of requirements. >>> >>> As we handle some resolution, which isn’t really something pip does, there >>> is no cli interface to achieve this. I maintain a library (as of last week) >>> which provides compatibility shims between pip versions 8-current. It is a >>> good idea to use the cli, but we already spend enough resources forking >>> subprocesses into the background that it is a lot more efficient to use the >>> internals, which I track quite closely. The preference toward cli >>> interaction is largely to allow internal api breakage which we don’t mind. >>> >>> For the most part, we have open channels of communication as necessary. We >>> rely as heavily as we can on pip, packaging, and setuptools to connect the >>> dots, retrieve package info, etc. >>> >>> Dan Ryan // pipenv maintainer >>> gh: @techalchemy >>> >>>> On Aug 20, 2018, at 2:41 AM, Chris Jerdonek <chris.jerdo...@gmail.com> >>>> wrote: >>>> >>>> Hi, >>>> >>>> Can someone explain to me the relationship between pipenv and pip, >>>> from the perspective of pipenv's maintainers? >>>> >>>> For example, does pipenv currently reimplement anything that pip tries >>>> to do, or does it simply call out to pip through the CLI or through >>>> its internal API's? Does it have any preferences or future plans in >>>> this regard? How about upstreaming to pip fixes or things that would >>>> help pipenv? >>>> >>>> I've been contributing to pip more lately, and I had a look at >>>> pipenv's repository for the first time today. >>>> https://github.com/pypa/pipenv >>>> >>>> Given that pip's code was recently made internal, I was a bit >>>> surprised to see that pipenv vendors and patches pip: >>>> https://github.com/pypa/pipenv/tree/master/pipenv/patched/notpip >>>> Before I had always assumed that pipenv used pip's CLI (because that's >>>> what pip says you should do). >>>> >>>> I also noticed that some bugs in pipenv's tracker seem closely related >>>> to pip's behavior, but I don't recall seeing any bugs or PR's in pip's >>>> tracker reported from pipenv maintainers. >>>> >>>> Without knowing a whole lot more than what I've stated, one concern I >>>> have is around fragmentation, duplication of work, and repeating >>>> mistakes (or introducing new ones) if a lot of work is going into >>>> pipenv without coordinating with pip. Is this in any way similar to >>>> the beginning of what happened with distutils, setuptools, and >>>> distribute that we are still recovering from? >>>> >>>> --Chris >>>> -- >>>> Distutils-SIG mailing list -- distutils-sig@python.org >>>> To unsubscribe send an email to distutils-sig-le...@python.org >>>> https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/ >>>> Message archived at >>>> https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/2QECNWSHNEW7UBB24M2K5BISYJY7GMZF/ > > > > From: Dan Ryan <d...@danryan.co> > Subject: [Distutils] Re: pipenv and pip > Date: 20 August 2018 at 22:09:23 GMT+8 > To: Paul Moore <p.f.mo...@gmail.com> > Cc: Distutils <distutils-sig@python.org> > > > How would I (said library) maintain compatibility? I’m pretty clever. The > shim library doesn’t actually do anything besides provide import paths. If I > shim something that didn’t exist, it shims None for any pip versions where it > doesn’t exist. So for example if you are running pip 9 and you import > RequirementTracker from the shims library you just import None > > Dan Ryan // pipenv maintainer > gh: @techalchemy > >> On Aug 20, 2018, at 8:15 AM, Paul Moore <p.f.mo...@gmail.com> wrote: >> >>> On Mon, 20 Aug 2018 at 12:25, Wes Turner <wes.tur...@gmail.com> wrote: >>> >>> On Monday, August 20, 2018, Paul Moore <p.f.mo...@gmail.com> wrote: >> >>>> I know "security by obscurity" doesn't work, but I'm happier if >>>> details of this library *aren't* widely known - it's not something I'd >>>> want to encourage people using, nor is it supported by pip, as it's >>>> basically a direct interface into pip's internal functions, papering >>>> over the name changes that we did in pip 10 specifically to dissuade >>>> people from doing this. >>> >>> >>> If someone was committing to identifying useful API methods, parameters, >>> and return values; >>> writing a ~PEP; >>> implementing said API; >>> and maintaining backwards compatible shims for some reason; >>> would something like `pip.api` be an appropriate namespace? >>> (now that we're on version 18 with a faster release cycle)? >> >> I'm not quite sure I know what you mean here. The key point is that >> pip 18.0 might have an internal function pip._internal.xxx, and in pip >> 18.1 there's no such function, and the functionality doesn't even >> exist any more. How would a 3rd party project maintain backwards >> compatible shims in the face of that? Agreed it's not likely in >> practice - but we're not going to guarantee it. >> >> To be honest I don't see the point of discussing pip's internal API. >> It's just that - internal. I'd rather discuss useful (general) >> packaging libraries, that tools can build on - pip can vendor those >> and act as (just) another consumer, rather than getting into debates >> about support and internal APIs. >> >> Paul >> -- >> Distutils-SIG mailing list -- distutils-sig@python.org >> To unsubscribe send an email to distutils-sig-le...@python.org >> https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/ >> Message archived at >> https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/7CCBE53AM72JYQVEW3PH7ODVRFZV4WXA/ > > > -- > Distutils-SIG mailing list -- distutils-sig@python.org > To unsubscribe send an email to distutils-sig-le...@python.org > https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
-- Distutils-SIG mailing list -- distutils-sig@python.org To unsubscribe send an email to distutils-sig-le...@python.org https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/ Message archived at https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/BUJQXQ6NLWF5XX6JTG7JFTZT6E5QSS5E/
