Re: [openstack-dev] Requests + urllib3 + distro packages
> On 14 Oct 2015, at 23:23, Thomas Goirandwrote: > I do understand that you don't like being called this way, though this > is still the reality. Vendorizing still inflicting some major pain to a > lot of your users: > - This thread one of the demonstration of it. > - You having to contact downstream distros is another. > - The unbundling work inflicted to downstream package maintainers is a > 3rd another. > > So like it or not, it is a fact that it is difficult to work with > requests because of the way it is released upstream. As I said earlier, I’m not getting drawn into a debate about vendorizing in this forum. The last one of these was sufficiently toxic that I’m simply unwilling to have the discussion here. If you really want to talk about this again, I’m happy to take it out of this mailing list to somewhere where fewer people are going to make the discussion personal. Note however that point 2 is not accurate. The main reason we have relationships with our downstream repackagers is for security release purposes. Per our security policy, we have exchanged GPG keys with them, and will make sure we contact them ahead of time so we can perform a synchronised release of security updates. In this instance we chose to use our relationship with our repackagers to get this change made, but it is not the main reason we communicate with them. (Also, they’re nice people!) >> has had a policy in place for six months >> that ensures that you can have the same result with pip and >> system packages. For six months we have only updated to versions >> of urllib3 that are actually released, and therefore that are >> definitely available from pip (and potentially available from >> the distribution). >> >> The reason this has not been working is because the distributions, >> when they unbundle us, have not been populating their setup.py to >> reflect the dependency: only their own metadata. We’ve been in >> contact with them, and this change is being made in the >> distributions we have relationships with. > > Though you could have avoid all of this pain if you were not bundling. > Isn't all of this make you re-think your vendorizing policy? Or still > not? I'm asking because I still didn't read your answer about the > important question: since you aren't using specially crafted versions of > urllib3 anymore, and now only using official releases, what's the reason > that keeps you vendorizing? Not trying to convince you here, just trying > to understand. Again, I’m not being drawn into this discussion here. Let me make one point, though. There are three people involved in a decision-making role on the requests project, and this is an important issue to every member of the team. This policy has been part of the requests project for a very long time, and we aren’t going to change it in a short space of time: I’m certainly not going to unilaterally do so. All I can promise you is that we continue to talk about this internally, and if we *unanimously* feel comfortable changing our policy we will do so. Until then, I’m happy to do my best to accommodate as many people as possible (which in this case I believe we have done). Cory signature.asc Description: Message signed with OpenPGP using GPGMail __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/15/2015 12:18 AM, Robert Collins wrote: On 15 October 2015 at 11:11, Thomas Goirandwrote: One major pain point is unfortunately something ridiculously easy to fix, but which nobody seems to care about: the long & short descriptions format. These are usually buried into the setup.py black magic, which by the way I feel is very unsafe (does PyPi actually execute "python setup.py" to find out about description texts? I hope they are running this in a sandbox...). Since everyone uses the fact that PyPi accepts RST format for the long description, there's nothing that can really easily fit the debian/control. Probably a rst2txt tool would help, but still, the long description would still be polluted with things like changelog, examples and such (damned, why people think it's the correct place to put that...). The only way I'd see to fix this situation, would be a PEP. This will probably take a decade to have everyone switching to a new correct way to write a long & short description... Perhaps Debian (1 thing) should change, rather than trying to change all the upstreams packaged in it (>20K) :) +1. Both README and PyPI are for users, and I personally find detailed descriptions (especially a couple of simple examples) on the PyPI page to be of so much value. -Rob __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/15/2015 12:18 AM, Robert Collins wrote: > On 15 October 2015 at 11:11, Thomas Goirandwrote: >> >> One major pain point is unfortunately something ridiculously easy to >> fix, but which nobody seems to care about: the long & short descriptions >> format. These are usually buried into the setup.py black magic, which by >> the way I feel is very unsafe (does PyPi actually execute "python >> setup.py" to find out about description texts? I hope they are running >> this in a sandbox...). >> >> Since everyone uses the fact that PyPi accepts RST format for the long >> description, there's nothing that can really easily fit the >> debian/control. Probably a rst2txt tool would help, but still, the long >> description would still be polluted with things like changelog, examples >> and such (damned, why people think it's the correct place to put that...). >> >> The only way I'd see to fix this situation, would be a PEP. This will >> probably take a decade to have everyone switching to a new correct way >> to write a long & short description... > > Perhaps Debian (1 thing) should change, rather than trying to change > all the upstreams packaged in it (>20K) :) > > -Rob Well, having the changlog (and other stuff) of packages merged into the long description is not helpful, not for Debian, nor for upstream Python packages. Thomas __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/15/2015 02:53 AM, Thomas Goirand wrote: On 10/15/2015 12:18 AM, Robert Collins wrote: On 15 October 2015 at 11:11, Thomas Goirandwrote: One major pain point is unfortunately something ridiculously easy to fix, but which nobody seems to care about: the long & short descriptions format. These are usually buried into the setup.py black magic, which by the way I feel is very unsafe (does PyPi actually execute "python setup.py" to find out about description texts? I hope they are running this in a sandbox...). You should go look at $package.egg-info/PKG-INFO in the source tarball. The short and long description are in that and it's a parseable format It's an RFC822 format information file - so the following python gets the short description inside of an unpacked shade tarball: import rfc822 a=rfc822.Message(open('shade.egg-info/PKG-INFO', 'r')) print a['summary'] I think this should solve your problem of getting the information. (you don't need python - rfc822 is pretty parseable by a human) Since everyone uses the fact that PyPi accepts RST format for the long description, there's nothing that can really easily fit the debian/control. Probably a rst2txt tool would help, but still, the long description would still be polluted with things like changelog, examples and such (damned, why people think it's the correct place to put that...). The reason they think that is because PyPI is a place where people go to download things, and often quick and easy examples of how the library works help people to decide if it's for them or not. The uses cases are different. The only way I'd see to fix this situation, would be a PEP. This will probably take a decade to have everyone switching to a new correct way to write a long & short description... Perhaps Debian (1 thing) should change, rather than trying to change all the upstreams packaged in it (>20K) :) -Rob Well, having the changlog (and other stuff) of packages merged into the long description is not helpful, not for Debian, nor for upstream Python packages. I actually have gotten multiple requests from people to get changelogs uploaded to PyPI (which involves appending to the long description) because it is helpful to them. . I think right now people find value in the information being there so I don't think this one is very winnable right now. Sorry ... In __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/15/2015 03:59 PM, Monty Taylor wrote: > On 10/15/2015 02:53 AM, Thomas Goirand wrote: >> Well, having the changlog (and other stuff) of packages merged into the >> long description is not helpful, not for Debian, nor for upstream Python >> packages. > > I actually have gotten multiple requests from people to get changelogs > uploaded to PyPI (which involves appending to the long description) > because it is helpful to them. . I think right now people find value in > the information being there so I don't think this one is very winnable > right now. Sorry ... It could be a win if PiPy was supporting other (more relevant) places where to put the information published on the site. Thomas __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/15/2015 12:08 PM, Cory Benfield wrote: >> On 14 Oct 2015, at 23:23, Thomas Goirandwrote: >> Though you could have avoid all of this pain if you were not bundling. >> Isn't all of this make you re-think your vendorizing policy? Or still >> not? I'm asking because I still didn't read your answer about the >> important question: since you aren't using specially crafted versions of >> urllib3 anymore, and now only using official releases, what's the reason >> that keeps you vendorizing? Not trying to convince you here, just trying >> to understand. > > Again, I’m not being drawn into this discussion here. > > Let me make one point, though. There are three people involved in a > decision-making role on the requests project, and this is an important > issue to every member of the team. This policy has been part of the > requests project for a very long time, and we aren’t going to change > it in a short space of time: I’m certainly not going to unilaterally > do so. All I can promise you is that we continue to talk about this > internally, and if we *unanimously* feel comfortable changing our policy > we will do so. Until then, I’m happy to do my best to accommodate as > many people as possible (which in this case I believe we have done). > > Cory Hi Cory, Thanks for the above. However, it is still frustrating to not understand your motivations, which was the only thing that pushed me to write these lines (ie: still not trying to convince you...). Thomas __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/15/2015 11:20 AM, Dmitry Tantsur wrote: > On 10/15/2015 12:18 AM, Robert Collins wrote: >> On 15 October 2015 at 11:11, Thomas Goirandwrote: >>> >>> One major pain point is unfortunately something ridiculously easy to >>> fix, but which nobody seems to care about: the long & short descriptions >>> format. These are usually buried into the setup.py black magic, which by >>> the way I feel is very unsafe (does PyPi actually execute "python >>> setup.py" to find out about description texts? I hope they are running >>> this in a sandbox...). >>> >>> Since everyone uses the fact that PyPi accepts RST format for the long >>> description, there's nothing that can really easily fit the >>> debian/control. Probably a rst2txt tool would help, but still, the long >>> description would still be polluted with things like changelog, examples >>> and such (damned, why people think it's the correct place to put >>> that...). >>> >>> The only way I'd see to fix this situation, would be a PEP. This will >>> probably take a decade to have everyone switching to a new correct way >>> to write a long & short description... >> >> Perhaps Debian (1 thing) should change, rather than trying to change >> all the upstreams packaged in it (>20K) :) > > +1. Both README and PyPI are for users, and I personally find detailed > descriptions (especially a couple of simple examples) on the PyPI page > to be of so much value. I do agree it is useful to have such thing in the PyPi pages. But it doesn't change my opinion that it'd be nice if this was not mixed with the long description in Python modules. Thomas __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/13/2015 09:41 AM, Cory Benfield wrote: > >> On 13 Oct 2015, at 07:42, Thomas Goirandwrote: >> In this particular case (ie: a difficult upstream which makes it >> impossible to have the same result with pip and system packages) > > I don’t know how carefully you’ve followed this email trail I did read carefully. > but the “difficult upstream” I do understand that you don't like being called this way, though this is still the reality. Vendorizing still inflicting some major pain to a lot of your users: - This thread one of the demonstration of it. - You having to contact downstream distros is another. - The unbundling work inflicted to downstream package maintainers is a 3rd another. So like it or not, it is a fact that it is difficult to work with requests because of the way it is released upstream. > has had a policy in place for six months > that ensures that you can have the same result with pip and > system packages. For six months we have only updated to versions > of urllib3 that are actually released, and therefore that are > definitely available from pip (and potentially available from > the distribution). > > The reason this has not been working is because the distributions, > when they unbundle us, have not been populating their setup.py to > reflect the dependency: only their own metadata. We’ve been in > contact with them, and this change is being made in the > distributions we have relationships with. Though you could have avoid all of this pain if you were not bundling. Isn't all of this make you re-think your vendorizing policy? Or still not? I'm asking because I still didn't read your answer about the important question: since you aren't using specially crafted versions of urllib3 anymore, and now only using official releases, what's the reason that keeps you vendorizing? Not trying to convince you here, just trying to understand. Cheers, Thomas Goirand (zigo) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/13/2015 06:04 PM, Joshua Harlow wrote: > Thomas Goirand wrote: >> On 10/13/2015 12:44 AM, Joshua Harlow wrote: >>> Anvil gets somewhat far on this, although its not supporting DEBs it >>> does build its best attempt at RPMs building them automatically and >>> turning git repos of projects into RPMs. >>> >>> http://anvil.readthedocs.org/en/latest/topics/summary.html (hopefully >>> the existence of this is not news to folks). >>> >>> A log of this in action (very verbose) is at: >>> >>> http://logs.openstack.org/40/225240/4/check/gate-anvil-rpms-dsvm-devstack-centos7/0eea2a9/console.html >>> >> >> Automation can only bring you so far. I also have automation which we >> could use for debs (see the pkgos-debpypi script from the >> openstack-pkg-tools package), however, there's always the need for >> manual reviews. I don't believe it ever will be possible to do full >> automation, as each Python package has specificities. Note that this is >> mainly an issue with Python modules, if it was PHP pear packages, it >> could be fully automated. So probably there's some PEP that we could >> start to ease this. If only everyone was using testr, pbr, defining >> copyright correctly and providing a parseable long and short >> description, it wouldn't be such an issue. > > Agreed, there will always be that damn 1% (ok its probably around 10%) > of weird pypi packages that will require hand-tuning, the hope (and I > think the reality) is that most actually don't require hand-tuning. One major pain point is unfortunately something ridiculously easy to fix, but which nobody seems to care about: the long & short descriptions format. These are usually buried into the setup.py black magic, which by the way I feel is very unsafe (does PyPi actually execute "python setup.py" to find out about description texts? I hope they are running this in a sandbox...). Since everyone uses the fact that PyPi accepts RST format for the long description, there's nothing that can really easily fit the debian/control. Probably a rst2txt tool would help, but still, the long description would still be polluted with things like changelog, examples and such (damned, why people think it's the correct place to put that...). The only way I'd see to fix this situation, would be a PEP. This will probably take a decade to have everyone switching to a new correct way to write a long & short description... Cheers, Thomas Goirand (zigo) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 15 October 2015 at 11:11, Thomas Goirandwrote: > > One major pain point is unfortunately something ridiculously easy to > fix, but which nobody seems to care about: the long & short descriptions > format. These are usually buried into the setup.py black magic, which by > the way I feel is very unsafe (does PyPi actually execute "python > setup.py" to find out about description texts? I hope they are running > this in a sandbox...). > > Since everyone uses the fact that PyPi accepts RST format for the long > description, there's nothing that can really easily fit the > debian/control. Probably a rst2txt tool would help, but still, the long > description would still be polluted with things like changelog, examples > and such (damned, why people think it's the correct place to put that...). > > The only way I'd see to fix this situation, would be a PEP. This will > probably take a decade to have everyone switching to a new correct way > to write a long & short description... Perhaps Debian (1 thing) should change, rather than trying to change all the upstreams packaged in it (>20K) :) -Rob -- Robert Collins Distinguished Technologist HP Converged Cloud __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/12/2015 03:58 PM, Jeremy Stanley wrote: > On 2015-10-12 15:40:48 +0200 (+0200), Thomas Goirand wrote: > [...] >> Has the infra team ever thought about doing that for (at least) all of >> the 3rd party libs we use? I'd love to work closer with the infra team >> to provide them with missing packages they would need, and I'm sure my >> RPM buddy Haikel would too. This also would help getting our >> openstack/{deb,rpm}- projects up to speed as well. > [...] > > Long ago there was an idea that we might somehow be able to > near-instantly package anything on PyPI and serve RPMs and DEBs of > it up to CI jobs, but doing that would be a pretty massive (and in > my opinion very error-prone) undertaking. > > Right now we can take advantage of the fact that the Python > ecosystem uploads new releases to PyPI as their primary distribution > channel. By using pip to install dependencies from PyPI in our CI > system, we can pretty instantly test compatibility of our software > with new releases of dependencies (much faster that they can get > properly packaged in distros), and easily test different versions by > proposing changes to the openstack/requirements repository. In this particular case (ie: a difficult upstream which makes it impossible to have the same result with pip and system packages), and for a package which has a rather stable API, we could make an exception. For the more general case, I'm not sure we are in such a hurry that we would need to have updates by the minute. I would accept to commit myself for a reasonable delay such as 48 hours max until a new dependency is packaged and available for the infra team to use NEW packages. For just updates, I'm convince it could be semi-automated (like for example a proposal bot). Cheers, Thomas Goirand (zigo) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
> On 13 Oct 2015, at 07:42, Thomas Goirandwrote: > In this particular case (ie: a difficult upstream which makes it > impossible to have the same result with pip and system packages) I don’t know how carefully you’ve followed this email trail, but the “difficult upstream” has had a policy in place for six months that ensures that you can have the same result with pip and system packages. For six months we have only updated to versions of urllib3 that are actually released, and therefore that are definitely available from pip (and potentially available from the distribution). The reason this has not been working is because the distributions, when they unbundle us, have not been populating their setup.py to reflect the dependency: only their own metadata. We’ve been in contact with them, and this change is being made in the distributions we have relationships with. Cory signature.asc Description: Message signed with OpenPGP using GPGMail __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/13/2015 12:44 AM, Joshua Harlow wrote: > Anvil gets somewhat far on this, although its not supporting DEBs it > does build its best attempt at RPMs building them automatically and > turning git repos of projects into RPMs. > > http://anvil.readthedocs.org/en/latest/topics/summary.html (hopefully > the existence of this is not news to folks). > > A log of this in action (very verbose) is at: > > http://logs.openstack.org/40/225240/4/check/gate-anvil-rpms-dsvm-devstack-centos7/0eea2a9/console.html Automation can only bring you so far. I also have automation which we could use for debs (see the pkgos-debpypi script from the openstack-pkg-tools package), however, there's always the need for manual reviews. I don't believe it ever will be possible to do full automation, as each Python package has specificities. Note that this is mainly an issue with Python modules, if it was PHP pear packages, it could be fully automated. So probably there's some PEP that we could start to ease this. If only everyone was using testr, pbr, defining copyright correctly and providing a parseable long and short description, it wouldn't be such an issue. Cheers, Thomas Goirand (zigo) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/08/2015 07:39 PM, Robert Collins wrote: > This is a bugbear that keeps cropping up and biting us. I'm hoping we > can figure out a permanent fix. > > The problem that occurs is the result of a few interacting things: > - requests has very very specific versions of urllib3 it works with. > So specific they aren't always released yet. > > - Linux vendors often unbundle urllib3 from requests and then apply > what patches were needed to their urllib3; while not updating their > requests package dependencies to reflect this. > > - we use urllib3 in some places and requests in others (but we don't > mix them up) > > - if for any reason we have a distro-altered requests + a > pip-installed urllib3, requests will [usually] break... see the 'not > always released yet' key thing above. > > Now, there are lots of places this last thing can happen; they all > depend on us having a dependency on requests that is compatible with > the version installed by the distro, but a urllib3 dependency that > triggers an upgrade of just urllib3. When constraints are in use, the > requests version has to match the distro requests version exactly, but > that will happen from time to time. > > e.g. > > - dvsm test jobs where the base image already has python-requests > installed in it > > - virtualenvs where system-site-packages are enabled > > > There are a few strategies that have been proposed to fix this. AIUI they are: > - make sure none of our testing environments include distro requests > packages. > > - make our requirements be tightly matched to what requests needs to > deal with the unbundling > > - teach pip how to identify and avoid this situation by always > upgrading requests (even if thats just a re-install of the version > from PyPI) when the installed requests is a distro installed version > **and** urllib3 is being modified. > > - get the distros to stop un-vendoring urllib3 > > > The first one addresses the situation for the CI gate but doesn't > avoid developers getting bitten on their local machines. And > installing any distro thing that uses requests would re-instate the > potential for breakage. So while its not harmful, I don't think its > sufficient to make this go away. > > The second is trivially insufficient - anytime requests vendored > urllib3 is not precisely identical to a released urllib3, it becomes > impossible to satisfy that via dependency version pinning - the only > way to satisfy it is with the urllib3 in the distro that has whatever > change was needed included. > > The third approach will require some negotiation I suspect - because > its aesthetically wrong: from an upstream perspective urllib3 is > independent of requests, and vice-versa, but from a distro perspective > they are tightly coupled, no variation permitted. > > The fourth approach meets the stone wall of 'but security' and 'no > redundancy permitted' - I don't have the energy to try and get through > the near-religious mindset I've encountered there before, though hey - > if Fedora and Debian and Ubuntu folk are all interested in figuring > out a sustainable way forward, that would be great: please don't feel > cut out, I'm just not expecting anything. > > If there are other approaches, great - please throw them up here. > > -Rob > At least for my packaging for Gentoo I haven't run into any issues here. We have multiple versions of both requests and urllib3 available and I can add a missing version if needed. -- Matthew Thode (prometheanfire) signature.asc Description: OpenPGP digital signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
Thomas Goirand wrote: On 10/13/2015 12:44 AM, Joshua Harlow wrote: Anvil gets somewhat far on this, although its not supporting DEBs it does build its best attempt at RPMs building them automatically and turning git repos of projects into RPMs. http://anvil.readthedocs.org/en/latest/topics/summary.html (hopefully the existence of this is not news to folks). A log of this in action (very verbose) is at: http://logs.openstack.org/40/225240/4/check/gate-anvil-rpms-dsvm-devstack-centos7/0eea2a9/console.html Automation can only bring you so far. I also have automation which we could use for debs (see the pkgos-debpypi script from the openstack-pkg-tools package), however, there's always the need for manual reviews. I don't believe it ever will be possible to do full automation, as each Python package has specificities. Note that this is mainly an issue with Python modules, if it was PHP pear packages, it could be fully automated. So probably there's some PEP that we could start to ease this. If only everyone was using testr, pbr, defining copyright correctly and providing a parseable long and short description, it wouldn't be such an issue. Agreed, there will always be that damn 1% (ok its probably around 10%) of weird pypi packages that will require hand-tuning, the hope (and I think the reality) is that most actually don't require hand-tuning. Maybe someday it will be down to 0% (one can hope). Cheers, Thomas Goirand (zigo) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
> On 12 Oct 2015, at 01:16, Robert Collinswrote: > To sum up the thread, it sounds to me like a viable way-forward is: > > - get distros to fixup their requests Python dependencies (and > hopefully they can update that in stable releases). > - fix the existing known bugs in pip where such accurate dependencies > are violated by some operations. Agreed. And we’re taking this pretty seriously at requests: we got in touch with our downstream unbundlers at Debian and Fedora asking them to make sure they populate setup.py correctly. Fedora has created updates for F21, F22, and F23: - https://bodhi.fedoraproject.org/updates/FEDORA-2015-20de3774f4 - https://bodhi.fedoraproject.org/updates/FEDORA-2015-1f580ccfa4 - https://bodhi.fedoraproject.org/updates/FEDORA-2015-d7c710a812 We’ve also heard positive noises from our Debian packager, though I don’t yet have a link to any change there. If Ubuntu has a separate downstream packager from Debian, we don’t have a relationship with them, so it’s harder for us to affect change there. This should mean that we’re only missing the pip fix. Cory signature.asc Description: Message signed with OpenPGP using GPGMail __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/12/2015 02:16 AM, Robert Collins wrote: > On 10 October 2015 at 02:58, Cory Benfieldwrote: >> >>> On 9 Oct 2015, at 14:40, William M Edmonds wrote: >>> >>> Cory Benfield writes: > The problem that occurs is the result of a few interacting things: > - requests has very very specific versions of urllib3 it works with. > So specific they aren't always released yet. This should no longer be true. Our downstream redistributors pointedout to us that this was making their lives harder than they needed to be, so it's now our policy to only update to actual release versions of urllib3. >>> >>> That's great... except that I'm confused as to why requests would continue >>> to repackage urllib3 if that's the case. Why not just prereq the version of >>> urllib3 that it needs? I thought the one and only answer to that question >>> had been so that requests could package non-standard versions. >>> >> >> That is not and was never the only reason for vendoring urllib3. However, >> and I cannot stress this enough, the decision to vendor urllib3 is *not >> going to be changed on this thread*. If and when it changes, it will be by >> consensus decision from the requests maintenance team, which we do not have >> at this time. >> >> Further, as I pointed out to Donald Stufft on IRC, if requests unbundled >> urllib3 *today* that would not fix the problem. The reason is that we’d >> specify our urllib3 dependency as: urllib3>=1.12,<1.13. This dependency note >> would still cause exactly the problem observed in this thread. > > Actually, that would fix the problem (in conjunction with a fix to > https://github.com/pypa/pip/issues/2687 - which is conceptually > trivial once 988 is fixed). > >> As you correctly identify in your subsequent email, William, the core >> problem is mixing of packages from distributions and PyPI. This happens with >> any tool with external dependencies: if you subsequently install a different >> version of a dependency using a packaging tool that is not aware of some of >> the dependency tree, it is entirely plausible that an incompatible version >> will be installed. It’s not hard to trigger this kind of thing on Ubuntu. >> IMO, what OpenStack needs is a decision about where it’s getting its >> packages from, and then to refuse to mix the two. > > We can't do that for all our downstreams. Further, Ubuntu preserve > dependency information - I think a key underlying issue is that they > don't fix up the dependency data for requests when they alter it. I've > filed https://bugs.launchpad.net/ubuntu/+source/python-requests/+bug/1505039 > to complement the one filed on Fedora earlier in this thread. Well, since Ubuntu uses the Debian package simply by syncing from Debian, I would suggest to file a bug against the Debian package instead [1]. > Obviously a trivial workaround is to always use virtualenvs and not > system-site-packages. or opposite way... always use system-site-packages! :) Has the infra team ever thought about doing that for (at least) all of the 3rd party libs we use? I'd love to work closer with the infra team to provide them with missing packages they would need, and I'm sure my RPM buddy Haikel would too. This also would help getting our openstack/{deb,rpm}- projects up to speed as well. > To sum up the thread, it sounds to me like a viable way-forward is: > > - get distros to fixup their requests Python dependencies (and > hopefully they can update that in stable releases). The maintainer for both urllib3 and requests is a single person, so I'm quite sure he is aware of the issue, and make sure that both packages are compatible. Otherwise, opening bugs in Debian [1] to have him fix it would obviously work. I don't believe that adding version upper-bounds in the deb package would solve anything, we just need to not make incompatible versions co-exist at a given moment in the distro. Cheers, Thomas Goirand (zigo) [1] https://www.debian.org/Bugs/Reporting (note: I know Robert knows how to file a bug in Debian, so this is obviously not for him that I'm giving this URL... :) ) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
Note: it's not my intention to restart a flame war about vendorizing of urllib3 in requests, however, I can't let you write wrong things, and the point of this message is only that, not discussing if requests should stop vendorizing (I've given up a long time ago any attempt to convince upstream about this...). On 10/09/2015 09:21 AM, Cory Benfield wrote: > Additionally, getting *all* of > Fedora/Debian/Ubuntu on board with not unbundling requests is about as likely > as hell freezing over. Debian + Ubuntu is only a single maintainer (Daniele Tricoli, plus the Debian Python Module Team), and he will (for very valid reasons) not want to do it. I support his decision. The issue here isn't downstream distros though, but an upstream who don't want to care about downstream. We're only trying to deal with this, let's not spread the propaganda that the issue is in downstream distros: it is *not*. On 10/09/2015 03:58 PM, Cory Benfield wrote: > As you correctly identify in your subsequent email, William, the > core problem is mixing of packages from distributions and PyPI. It's not. The core problem is vendorizing. It would work perfectly to do such mix-up otherwise (see below). On 10/09/2015 03:58 PM, Cory Benfield wrote: > This happens with any tool with external dependencies: if you > subsequently install a different version of a dependency using a > packaging tool that is not aware of some of the dependency tree, it > is entirely plausible that an incompatible version will be installed. > It’s not hard to trigger this kind of thing on Ubuntu. IMO, what > OpenStack needs is a decision about where it’s getting its packages > from, and then to refuse to mix the two. I regret to say it in a so direct way, but this is simply false. Pip install'ed packages very easily co-exist with system install'ed packages, because there's a central registry composed the a collection of egg-info files. Just, the virtualenv will have precedence over the system version. But if no package does vendorizing, mixing system packages and virtualenv with pip install works perfectly. There's only one issue with this: Python 3 and namespace. This is by the way one of the reason we removed the namespace from the Oslo libs, it didn't work well for Python 3 and namespace to run tests for distributions. Thomas Goirand (zigo) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/09/2015 02:39 AM, Robert Collins wrote: > - get the distros to stop un-vendoring urllib3 I'm not the package maintainer of requests, but I know that Barry Warsaw, the actual maintainer, will not want to do that. The other solutions which you didn't mention: 1- Stop using a vendorized version of requests, and fork that project to make it use dependencies at it should be from the start. 2- Convince upstream to stop vendorizing urllib3 and work more with upstream of urllib3 to have them release when they need it. 3- Always use the distro version of requests, never the one from venv While 1- is not realistic (unless someone volunteers), and we already tried 2- without luck, 3- can happen easily. BTW, the same applies for tablib which is in a even more horrible state that makes it impossible to package with Py3 support. But tablib could be removed from our (build-)dependency list, if someone cares about re-writing cliff-tablib, which IMO wouldn't be that much work. Doug, how many beers shall I offer you for that work? :) Just my 2 cents hopping to provide some contrib in this discussion, Cheers, Thomas Goirand (zigo) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/09/2015 03:39 PM, William M Edmonds wrote: > When you're using a distro, you're always going to have to worry about > someone pip installing something that conflicts with the rpm, no? The point of this thread is: no you don't. You do only if some (bad) upstream decide to vendorize. > Unless the distros have a way to put in protection against > this, preventing pip install of something that is already installed by RPM? Well, the point of pip is so that you can use it to install a package which may already be installed in the system, but you want another version, and then they both co-exist without an issue. I don't think we want to remove this feature (or at least, we'd need to have a kind of global switch for that if we were to implement it in pip). >> - make sure none of our testing environments include distro >> requests packages. > > It's not like requests is an unusual package for someone to have > installed from their distro in a base OS image. So when they take that > base OS and go to setup OpenStack, they'll be hitting this case, whether > we tested it or not. So while not testing this case seems nice from a > development perspective, it doesn't seem to fit real-world usage. I > don't think it would make operators very happy. This thread has nothing to do with operators. Operators typically install from distro packages only (unless they do like Helion does, which is pretty rare...) and wouldn't be affected by this problem. Cheers, Thomas Goirand (zigo) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 2015-10-12 15:40:48 +0200 (+0200), Thomas Goirand wrote: [...] > Has the infra team ever thought about doing that for (at least) all of > the 3rd party libs we use? I'd love to work closer with the infra team > to provide them with missing packages they would need, and I'm sure my > RPM buddy Haikel would too. This also would help getting our > openstack/{deb,rpm}- projects up to speed as well. [...] Long ago there was an idea that we might somehow be able to near-instantly package anything on PyPI and serve RPMs and DEBs of it up to CI jobs, but doing that would be a pretty massive (and in my opinion very error-prone) undertaking. Right now we can take advantage of the fact that the Python ecosystem uploads new releases to PyPI as their primary distribution channel. By using pip to install dependencies from PyPI in our CI system, we can pretty instantly test compatibility of our software with new releases of dependencies (much faster that they can get properly packaged in distros), and easily test different versions by proposing changes to the openstack/requirements repository. The only way I see this changing is if authors of Python libraries switch to packaging their own software for major distributions and have a pass to get them included by those distributions near-instantly. Also, distros would have to cease caring about reducing the number of concurrent versions of libraries they provide (and I posit that as soon as debian/sid ships a DEB for every version ever released for packages like python-requests and python-urllib3, apt-get will begin to exhibit similar dependency resolution challenges). -- Jeremy Stanley __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 13/10/15 02:05, Thomas Goirand wrote: BTW, the same applies for tablib which is in a even more horrible state that makes it impossible to package with Py3 support. But tablib could be removed from our (build-)dependency list, if someone cares about re-writing cliff-tablib, which IMO wouldn't be that much work. Doug, how many beers shall I offer you for that work? :) Regarding tablib, cliff has had its own table formatter for some time, and now has its own json and yaml formatters. I believe the only tablib formatter left is the HTML one, which likely wouldn't be missed if it was just dropped (or it could be simply reimplemented inside cliff). If the cliff deb depends on cliff-tablib I would recommend removing that dependency and just stop packaging cliff-tablib. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
Jeremy Stanley wrote: On 2015-10-12 15:40:48 +0200 (+0200), Thomas Goirand wrote: [...] Has the infra team ever thought about doing that for (at least) all of the 3rd party libs we use? I'd love to work closer with the infra team to provide them with missing packages they would need, and I'm sure my RPM buddy Haikel would too. This also would help getting our openstack/{deb,rpm}- projects up to speed as well. [...] Long ago there was an idea that we might somehow be able to near-instantly package anything on PyPI and serve RPMs and DEBs of it up to CI jobs, but doing that would be a pretty massive (and in my opinion very error-prone) undertaking. Anvil gets somewhat far on this, although its not supporting DEBs it does build its best attempt at RPMs building them automatically and turning git repos of projects into RPMs. http://anvil.readthedocs.org/en/latest/topics/summary.html (hopefully the existence of this is not news to folks). A log of this in action (very verbose) is at: http://logs.openstack.org/40/225240/4/check/gate-anvil-rpms-dsvm-devstack-centos7/0eea2a9/console.html Feel free to ask questions as to how this is being done on #openstack-anvil or find me on other channels... I believe it is also one of the goals of the rpm and packaging teams to do something similar, although that might be a ways off? Right now we can take advantage of the fact that the Python ecosystem uploads new releases to PyPI as their primary distribution channel. By using pip to install dependencies from PyPI in our CI system, we can pretty instantly test compatibility of our software with new releases of dependencies (much faster that they can get properly packaged in distros), and easily test different versions by proposing changes to the openstack/requirements repository. The only way I see this changing is if authors of Python libraries switch to packaging their own software for major distributions and have a pass to get them included by those distributions near-instantly. Also, distros would have to cease caring about reducing the number of concurrent versions of libraries they provide (and I posit that as soon as debian/sid ships a DEB for every version ever released for packages like python-requests and python-urllib3, apt-get will begin to exhibit similar dependency resolution challenges). __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10 October 2015 at 02:58, Cory Benfieldwrote: > >> On 9 Oct 2015, at 14:40, William M Edmonds wrote: >> >> Cory Benfield writes: >> > > The problem that occurs is the result of a few interacting things: >> > > - requests has very very specific versions of urllib3 it works with. >> > > So specific they aren't always released yet. >> > >> > This should no longer be true. Our downstream redistributors pointedout to >> > us >> > that this was making their lives harder than they needed to be, so it's >> > now >> > our policy to only update to actual release versions of urllib3. >> >> That's great... except that I'm confused as to why requests would continue >> to repackage urllib3 if that's the case. Why not just prereq the version of >> urllib3 that it needs? I thought the one and only answer to that question >> had been so that requests could package non-standard versions. >> > > That is not and was never the only reason for vendoring urllib3. However, and > I cannot stress this enough, the decision to vendor urllib3 is *not going to > be changed on this thread*. If and when it changes, it will be by consensus > decision from the requests maintenance team, which we do not have at this > time. > > Further, as I pointed out to Donald Stufft on IRC, if requests unbundled > urllib3 *today* that would not fix the problem. The reason is that we’d > specify our urllib3 dependency as: urllib3>=1.12,<1.13. This dependency note > would still cause exactly the problem observed in this thread. Actually, that would fix the problem (in conjunction with a fix to https://github.com/pypa/pip/issues/2687 - which is conceptually trivial once 988 is fixed). > As you correctly identify in your subsequent email, William, the core problem > is mixing of packages from distributions and PyPI. This happens with any tool > with external dependencies: if you subsequently install a different version > of a dependency using a packaging tool that is not aware of some of the > dependency tree, it is entirely plausible that an incompatible version will > be installed. It’s not hard to trigger this kind of thing on Ubuntu. IMO, > what OpenStack needs is a decision about where it’s getting its packages > from, and then to refuse to mix the two. We can't do that for all our downstreams. Further, Ubuntu preserve dependency information - I think a key underlying issue is that they don't fix up the dependency data for requests when they alter it. I've filed https://bugs.launchpad.net/ubuntu/+source/python-requests/+bug/1505039 to complement the one filed on Fedora earlier in this thread. *We* have the privilege of working directly with folk like libvirt that have been problematic in the past and getting those things addressed, so that we can run in a virtualenv happily. But we can't insist that user X who want to use some openstack library that uses requests but also some other thing (maybe some SWIG binding or something). So framing this as being driven by the mix is false: the thing that drives this is a combination - e.g. coming in part from defects in pip, and the existence of things that can't be installed in virtualenvs. Obviously a trivial workaround is to always use virtualenvs and not system-site-packages. To sum up the thread, it sounds to me like a viable way-forward is: - get distros to fixup their requests Python dependencies (and hopefully they can update that in stable releases). - fix the existing known bugs in pip where such accurate dependencies are violated by some operations. -Rob -- Robert Collins Distinguished Technologist HP Converged Cloud __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
Robert Collinswrites: > The problem that occurs is the result of a few interacting things: > - requests has very very specific versions of urllib3 it works with. > So specific they aren't always released yet. This should no longer be true. Our downstream redistributors pointed out to us that this was making their lives harder than they needed to be, so it's now our policy to only update to actual release versions of urllib3. > The second is trivially insufficient - anytime requests vendored > urllib3 is not precisely identical to a released urllib3, it becomes > impossible to satisfy that via dependency version pinning - the only > way to satisfy it is with the urllib3 in the distro that has whatever > change was needed included. Per my note above, if we restrict ourselves to relatively recent versions of requests (2.7.3+ IIRC) we should be fine. Of course, that doesn't mean we can actually do that... > The fourth approach meets the stone wall of 'but security' and 'no > redundancy permitted' - I don't have the energy to try and get through > the near-religious mindset I've encountered there before, though hey - > if Fedora and Debian and Ubuntu folk are all interested in figuring > out a sustainable way forward, that would be great: please don't feel > cut out, I'm just not expecting anything. It should be assumed that approach number four is a non-starter. This list has had that conversation before, which was a stunningly unpleasant experience for me and not one I want to repeat. Additionally, getting *all* of Fedora/Debian/Ubuntu on board with not unbundling requests is about as likely as hell freezing over. Cory __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 2015-10-09 14:58:36 +0100 (+0100), Cory Benfield wrote: [...] > IMO, what OpenStack needs is a decision about where it’s getting > its packages from, and then to refuse to mix the two. I have yet to find a Python-based operating system installable in whole via pip. There will always be _at_least_some_ packages you install from your operating system's package management. What you seem to be missing is that Linux distros are now shipping base images which include their python-requests and python-urllib3 packages already pre-installed as dependencies of Python-based tools they deem important to their users. To work around this in our test infrastructure we're effectively abandoning all hope of using distro-provided server images, and building our own from scratch to avoid the possibility that they may bring with them their own versions of any Python libraries whatsoever. We're at the point where we're basically maintaining our own derivative Linux distributions. The web of dependencies in OpenStack has reached a level of complexity where it's guaranteed to overlap with just about any pre-installed python-.* packages in a distro-supplied image. We're only now reaching the point where our Python dependencies actually all function within the context of a virtualenv without needing system-site-packages contamination, so the next logical step is probably to see if virtualenv isolation is possible for frameworks like DevStack (the QA team may already be trying to figure that out, I'm not sure). -- Jeremy Stanley __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
> On 9 Oct 2015, at 14:40, William M Edmondswrote: > > Cory Benfield writes: > > > The problem that occurs is the result of a few interacting things: > > > - requests has very very specific versions of urllib3 it works with. > > > So specific they aren't always released yet. > > > > This should no longer be true. Our downstream redistributors pointedout to > > us > > that this was making their lives harder than they needed to be, so it's now > > our policy to only update to actual release versions of urllib3. > > That's great... except that I'm confused as to why requests would continue to > repackage urllib3 if that's the case. Why not just prereq the version of > urllib3 that it needs? I thought the one and only answer to that question had > been so that requests could package non-standard versions. > That is not and was never the only reason for vendoring urllib3. However, and I cannot stress this enough, the decision to vendor urllib3 is *not going to be changed on this thread*. If and when it changes, it will be by consensus decision from the requests maintenance team, which we do not have at this time. Further, as I pointed out to Donald Stufft on IRC, if requests unbundled urllib3 *today* that would not fix the problem. The reason is that we’d specify our urllib3 dependency as: urllib3>=1.12,<1.13. This dependency note would still cause exactly the problem observed in this thread. As you correctly identify in your subsequent email, William, the core problem is mixing of packages from distributions and PyPI. This happens with any tool with external dependencies: if you subsequently install a different version of a dependency using a packaging tool that is not aware of some of the dependency tree, it is entirely plausible that an incompatible version will be installed. It’s not hard to trigger this kind of thing on Ubuntu. IMO, what OpenStack needs is a decision about where it’s getting its packages from, and then to refuse to mix the two. Cory signature.asc Description: Message signed with OpenPGP using GPGMail __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
Cory Benfieldwrites: > > The problem that occurs is the result of a few interacting things: > > - requests has very very specific versions of urllib3 it works with. > > So specific they aren't always released yet. > > This should no longer be true. Our downstream redistributors pointedout to us > that this was making their lives harder than they needed to be, so it's now > our policy to only update to actual release versions of urllib3. That's great... except that I'm confused as to why requests would continue to repackage urllib3 if that's the case. Why not just prereq the version of urllib3 that it needs? I thought the one and only answer to that question had been so that requests could package non-standard versions. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
Robert Collinswrites: > - Linux vendors often unbundle urllib3 from requests and then apply > what patches were needed to their urllib3; while not updating their > requests package dependencies to reflect this. I opened a bug on Fedora for them to update their requests package dependencies. See https://bugzilla.redhat.com/show_bug.cgi?id=1253823. Of course that may continue to be an issue on older versions and other distros. > - if for any reason we have a distro-altered requests + a > pip-installed urllib3, requests will [usually] break... see the 'not > always released yet' key thing above. > > Now, there are lots of places this last thing can happen; they all > depend on us having a dependency on requests that is compatible with > the version installed by the distro, but a urllib3 dependency that > triggers an upgrade of just urllib3. When constraints are in use, the > requests version has to match the distro requests version exactly, but > that will happen from time to time. When you're using a distro, you're always going to have to worry about someone pip installing something that conflicts with the rpm, no? That could be for any reason, could be completely unrelated to OpenStack dependencies. Unless the distros have a way to put in protection against this, preventing pip install of something that is already installed by RPM? > - make sure none of our testing environments include distro > requests packages. It's not like requests is an unusual package for someone to have installed from their distro in a base OS image. So when they take that base OS and go to setup OpenStack, they'll be hitting this case, whether we tested it or not. So while not testing this case seems nice from a development perspective, it doesn't seem to fit real-world usage. I don't think it would make operators very happy. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10 October 2015 at 03:57, Cory Benfieldwrote: > >> On 9 Oct 2015, at 15:18, Jeremy Stanley wrote: >> >> On 2015-10-09 14:58:36 +0100 (+0100), Cory Benfield wrote: >> [...] >>> IMO, what OpenStack needs is a decision about where it’s getting >>> its packages from, and then to refuse to mix the two. >> >> I have yet to find a Python-based operating system installable in >> whole via pip. There will always be _at_least_some_ packages you >> install from your operating system's package management. What you >> seem to be missing is that Linux distros are now shipping base >> images which include their python-requests and python-urllib3 >> packages already pre-installed as dependencies of Python-based tools >> they deem important to their users. >> > > Yeah, this has been an ongoing problem. > > For my part, Donald Stufft has informed me that if the distribution-provided > requests package has the appropriate install_requires field in its setup.py, > pip will respect that dependency. It should but it won't :). https://github.com/pypa/pip/issues/2687 and https://github.com/pypa/pip/issues/988 The first one means that if someone does 'pip install -U urllib3' and an unbundled requests with appropriate pin on urllib3 is already installed, that pip will happily upgrade urllib3, breaking requests, without complaining. It is fixable (with correct metadata of course). The second one means that if anything - another package, or the user via direct mention or requirements/constraints files - specifies a urllib3 dependency (of any sort) then the requests dependency will be silently ignored. Both of these will be solved in the medium future - we're now at the point of having POC branches, and once we've finished with the constraints rollout and PEP-426 marker polish will be moving onto the resolver work. > Given that requests has recently switched to not providing mid-cycle urllib3 > versions, it should be entirely possible for downstream redistributors in > Debian/Fedora to put that metadata into their packages when they unbundle > requests. I’m chasing up with our downstream redistributors right now to ask > them to start doing that. > > This should resolve the problem for systems where requests 2.7.0 or higher > are being used. In other systems, this problem still exists and cannot be > fixed by requests directly. Well, if we get to a future where it is in-principle fixed, I'll be happy. -Rob -- Robert Collins Distinguished Technologist HP Converged Cloud __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
For those who are interested in more of the historical aspect around this, https://github.com/kennethreitz/requests/issues/1811 https://github.com/kennethreitz/requests/pull/1812 My own thoughts are varied here, I get the angle of vendoring, but I don't get the resistance to unvendoring it (which it seems like quite a few people have asked for); if many people want it unvendored then this just ends up creating a bad taste in the mouth of many people (this is a bad thing to have happen in opensource and is how forks and such get created...). But as was stated, The decision to stop vendoring it likely won't be made here anyway ;) From: c...@lukasa.co.uk Date: Fri, 9 Oct 2015 14:58:36 +0100 To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] Requests + urllib3 + distro packages > On 9 Oct 2015, at 14:40, William M Edmonds wrote: > > Cory Benfield writes: >>> The problem that occurs is the result of a few interacting things: >>> - requests has very very specific versions of urllib3 it works with. >>> So specific they aren't always released yet. >> >> This should no longer be true. Our downstream redistributors pointedout to us >> that this was making their lives harder than they needed to be, so it's now >> our policy to only update to actual release versions of urllib3. > > That's great... except that I'm confused as to why requests would continue to > repackage urllib3 if that's the case. Why not just prereq the version of > urllib3 that it needs? I thought the one and only answer to that question had > been so that requests could package non-standard versions. > That is not and was never the only reason for vendoring urllib3. However, and I cannot stress this enough, the decision to vendor urllib3 is *not going to be changed on this thread*. If and when it changes, it will be by consensus decision from the requests maintenance team, which we do not have at this time. Further, as I pointed out to Donald Stufft on IRC, if requests unbundled urllib3 *today* that would not fix the problem. The reason is that we’d specify our urllib3 dependency as: urllib3>=1.12, __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
> On 9 Oct 2015, at 15:18, Jeremy Stanleywrote: > > On 2015-10-09 14:58:36 +0100 (+0100), Cory Benfield wrote: > [...] >> IMO, what OpenStack needs is a decision about where it’s getting >> its packages from, and then to refuse to mix the two. > > I have yet to find a Python-based operating system installable in > whole via pip. There will always be _at_least_some_ packages you > install from your operating system's package management. What you > seem to be missing is that Linux distros are now shipping base > images which include their python-requests and python-urllib3 > packages already pre-installed as dependencies of Python-based tools > they deem important to their users. > Yeah, this has been an ongoing problem. For my part, Donald Stufft has informed me that if the distribution-provided requests package has the appropriate install_requires field in its setup.py, pip will respect that dependency. Given that requests has recently switched to not providing mid-cycle urllib3 versions, it should be entirely possible for downstream redistributors in Debian/Fedora to put that metadata into their packages when they unbundle requests. I’m chasing up with our downstream redistributors right now to ask them to start doing that. This should resolve the problem for systems where requests 2.7.0 or higher are being used. In other systems, this problem still exists and cannot be fixed by requests directly. Cory signature.asc Description: Message signed with OpenPGP using GPGMail __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/08/2015 08:39 PM, Robert Collins wrote: This is a bugbear that keeps cropping up and biting us. I'm hoping we can figure out a permanent fix. The problem that occurs is the result of a few interacting things: - requests has very very specific versions of urllib3 it works with. So specific they aren't always released yet. - Linux vendors often unbundle urllib3 from requests and then apply what patches were needed to their urllib3; while not updating their requests package dependencies to reflect this. - we use urllib3 in some places and requests in others (but we don't mix them up) - if for any reason we have a distro-altered requests + a pip-installed urllib3, requests will [usually] break... see the 'not always released yet' key thing above. Now, there are lots of places this last thing can happen; they all depend on us having a dependency on requests that is compatible with the version installed by the distro, but a urllib3 dependency that triggers an upgrade of just urllib3. When constraints are in use, the requests version has to match the distro requests version exactly, but that will happen from time to time. e.g. - dvsm test jobs where the base image already has python-requests installed in it We're working hard to get to the point where this one goes away, fwiw. - virtualenvs where system-site-packages are enabled These make the easter bunny have sad. There are a few strategies that have been proposed to fix this. AIUI they are: - make sure none of our testing environments include distro requests packages. yes! - make our requirements be tightly matched to what requests needs to deal with the unbundling - teach pip how to identify and avoid this situation by always upgrading requests (even if thats just a re-install of the version from PyPI) when the installed requests is a distro installed version **and** urllib3 is being modified. - get the distros to stop un-vendoring urllib3 The first one addresses the situation for the CI gate but doesn't avoid developers getting bitten on their local machines. And installing any distro thing that uses requests would re-instate the potential for breakage. So while its not harmful, I don't think its sufficient to make this go away. The second is trivially insufficient - anytime requests vendored urllib3 is not precisely identical to a released urllib3, it becomes impossible to satisfy that via dependency version pinning - the only way to satisfy it is with the urllib3 in the distro that has whatever change was needed included. The third approach will require some negotiation I suspect - because its aesthetically wrong: from an upstream perspective urllib3 is independent of requests, and vice-versa, but from a distro perspective they are tightly coupled, no variation permitted. The fourth approach meets the stone wall of 'but security' and 'no redundancy permitted' - I don't have the energy to try and get through the near-religious mindset I've encountered there before, though hey - if Fedora and Debian and Ubuntu folk are all interested in figuring out a sustainable way forward, that would be great: please don't feel cut out, I'm just not expecting anything. If there are other approaches, great - please throw them up here. I've got nothing. I'll continue hacking on #1 just because GATE. But I agree, it's necessary but not sufficient. Thanks for the writeup. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Requests + urllib3 + distro packages
On 10/8/2015 7:57 PM, Monty Taylor wrote: On 10/08/2015 08:39 PM, Robert Collins wrote: This is a bugbear that keeps cropping up and biting us. I'm hoping we can figure out a permanent fix. The problem that occurs is the result of a few interacting things: - requests has very very specific versions of urllib3 it works with. So specific they aren't always released yet. - Linux vendors often unbundle urllib3 from requests and then apply what patches were needed to their urllib3; while not updating their requests package dependencies to reflect this. - we use urllib3 in some places and requests in others (but we don't mix them up) - if for any reason we have a distro-altered requests + a pip-installed urllib3, requests will [usually] break... see the 'not always released yet' key thing above. Now, there are lots of places this last thing can happen; they all depend on us having a dependency on requests that is compatible with the version installed by the distro, but a urllib3 dependency that triggers an upgrade of just urllib3. When constraints are in use, the requests version has to match the distro requests version exactly, but that will happen from time to time. e.g. - dvsm test jobs where the base image already has python-requests installed in it We're working hard to get to the point where this one goes away, fwiw. - virtualenvs where system-site-packages are enabled These make the easter bunny have sad. There are a few strategies that have been proposed to fix this. AIUI they are: - make sure none of our testing environments include distro requests packages. yes! - make our requirements be tightly matched to what requests needs to deal with the unbundling - teach pip how to identify and avoid this situation by always upgrading requests (even if thats just a re-install of the version from PyPI) when the installed requests is a distro installed version **and** urllib3 is being modified. - get the distros to stop un-vendoring urllib3 The first one addresses the situation for the CI gate but doesn't avoid developers getting bitten on their local machines. And installing any distro thing that uses requests would re-instate the potential for breakage. So while its not harmful, I don't think its sufficient to make this go away. The second is trivially insufficient - anytime requests vendored urllib3 is not precisely identical to a released urllib3, it becomes impossible to satisfy that via dependency version pinning - the only way to satisfy it is with the urllib3 in the distro that has whatever change was needed included. The third approach will require some negotiation I suspect - because its aesthetically wrong: from an upstream perspective urllib3 is independent of requests, and vice-versa, but from a distro perspective they are tightly coupled, no variation permitted. The fourth approach meets the stone wall of 'but security' and 'no redundancy permitted' - I don't have the energy to try and get through the near-religious mindset I've encountered there before, though hey - if Fedora and Debian and Ubuntu folk are all interested in figuring out a sustainable way forward, that would be great: please don't feel cut out, I'm just not expecting anything. If there are other approaches, great - please throw them up here. I've got nothing. I'll continue hacking on #1 just because GATE. But I agree, it's necessary but not sufficient. Thanks for the writeup. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev FYI, related change that is triggering the conversation: https://review.openstack.org/#/c/213310/ And there are related bugs in there with more details on other ways this fails for people outside the gate system. -- Thanks, Matt Riedemann __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] Requests + urllib3 + distro packages
This is a bugbear that keeps cropping up and biting us. I'm hoping we can figure out a permanent fix. The problem that occurs is the result of a few interacting things: - requests has very very specific versions of urllib3 it works with. So specific they aren't always released yet. - Linux vendors often unbundle urllib3 from requests and then apply what patches were needed to their urllib3; while not updating their requests package dependencies to reflect this. - we use urllib3 in some places and requests in others (but we don't mix them up) - if for any reason we have a distro-altered requests + a pip-installed urllib3, requests will [usually] break... see the 'not always released yet' key thing above. Now, there are lots of places this last thing can happen; they all depend on us having a dependency on requests that is compatible with the version installed by the distro, but a urllib3 dependency that triggers an upgrade of just urllib3. When constraints are in use, the requests version has to match the distro requests version exactly, but that will happen from time to time. e.g. - dvsm test jobs where the base image already has python-requests installed in it - virtualenvs where system-site-packages are enabled There are a few strategies that have been proposed to fix this. AIUI they are: - make sure none of our testing environments include distro requests packages. - make our requirements be tightly matched to what requests needs to deal with the unbundling - teach pip how to identify and avoid this situation by always upgrading requests (even if thats just a re-install of the version from PyPI) when the installed requests is a distro installed version **and** urllib3 is being modified. - get the distros to stop un-vendoring urllib3 The first one addresses the situation for the CI gate but doesn't avoid developers getting bitten on their local machines. And installing any distro thing that uses requests would re-instate the potential for breakage. So while its not harmful, I don't think its sufficient to make this go away. The second is trivially insufficient - anytime requests vendored urllib3 is not precisely identical to a released urllib3, it becomes impossible to satisfy that via dependency version pinning - the only way to satisfy it is with the urllib3 in the distro that has whatever change was needed included. The third approach will require some negotiation I suspect - because its aesthetically wrong: from an upstream perspective urllib3 is independent of requests, and vice-versa, but from a distro perspective they are tightly coupled, no variation permitted. The fourth approach meets the stone wall of 'but security' and 'no redundancy permitted' - I don't have the energy to try and get through the near-religious mindset I've encountered there before, though hey - if Fedora and Debian and Ubuntu folk are all interested in figuring out a sustainable way forward, that would be great: please don't feel cut out, I'm just not expecting anything. If there are other approaches, great - please throw them up here. -Rob -- Robert CollinsDistinguished Technologist HP Converged Cloud __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev