-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11.04.2009 19:32 Uhr, Tres Seaver wrote: > Hanno Schlichting wrote: >> Chris Withers wrote: >>> Dieter Maurer wrote: >>>> Tres has earlier proposed a meta egg to represent "versions.cfg" in >>>> a setuptools only (non buildout) environment. >>>> >>>> A meta egg is an egg that only list dependencies and does not contain >>>> code of its own. >>> Indeed, so we'd need 2 eggs for Zope 2 :-( >>> >>> Something I bumped into recently: >>> >>> If the Zope 2 egg actually hard-specifies its dependencies, how do I >>> upgrade any of those dependencies to newer versions that fix bugs i may >>> have encountered/fixed? >> You roll your own meta egg. You cannot override hard version >> specifications inside a setup.py. > >> In all other debates we seemed to agree on not over specifying >> requirements in setup.py files, I wonder why anybody still tries to >> follow this route. > > Maybe because it makes for a predictable / reproducible installation? > After all, the 2.12a1 egg already released is now broken under > easy_isntall becasse it *doesn't* nail down its dependencies. > > Predicatbility requires one of the following: > > - Run an index, and make people install from there rather than PyPI; > at that point, you are a "distribution" maintainer, and can ensure > consistency. Users who trust you can "safely" upgrade at will, > because you are responsible for ensuring that the eggs in the index > work together. > > - Release a nailed-down egg (or the equivalent buildout.cfg / > versions.cfg, and let people install from PyPI. Upgrades are not > really safe: you won't get borked by newly released eggs, but > removed / re-uploaded eggs can still hose you. > > - Release some kind of monolith, generated from the same metadata > as above. Upgrades aren't really possible here: you have to release > a new version of the monolith. > > > >> Let's see what other people who want to support easy_install do: They >> require you to use virtualenv and create a links page, which has all the >> dependencies in all the required versions on it: > >> http://pylonshq.com/download/0.9.7/ >> http://www.turbogears.org/2.0/downloads/2.0final/ >> http://dist.repoze.org/zope2/dev/ >> http://dist.plone.org/release/3.3rc2/ > >> In order to install from on of these you do for example: > >> easy_install -f http://pylonshq.com/download/0.9.7 Pylons > > You want '-i' and the index URL, not '-f' and the "directory-containing- > tarballs" URL. > >> and that's it. Some projects package up the multiple steps (including >> installing setuptools) into a little helper script. > >> As you might notice all that is required is a known URL and Apache >> serving a bunch of files directly. > > Without supplying the '-i' ('--index-url') flag, you are still subject > to the variability of PyPI.
A dedicated index is a clean solution (I have not figure out or understand how this is accomplished for Zope 3). Another low hanging fruit is releasing Zope 2 as 2 packages (one with unpinned versions (for buildout) and one with fully pinned versions). I am trying out this approach for the next a2 release. Andreas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkniFb8ACgkQCJIWIbr9KYwKWACdEa+VpOliCYnd8M1BLvVFJyHe 70wAoM8XlOrP7PBY0Bxqpf5Lev4GHVSh =FBm9 -----END PGP SIGNATURE-----
begin:vcard fn:Andreas Jung n:Jung;Andreas org:ZOPYX Ltd. & Co. KG adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany email;internet:i...@zopyx.com title:CEO tel;work:+49-7071-793376 tel;fax:+49-7071-7936840 tel;home:+49-7071-793257 x-mozilla-html:FALSE url:www.zopyx.com version:2.1 end:vcard
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )