Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reintroduce dependency optimization #626

Merged

Conversation

trottomv
Copy link
Contributor

@trottomv trottomv commented May 31, 2023

Fix #610

@woodruffw
Copy link
Member

Thanks for opening this! I'll have time to do a review in the coming days.

@woodruffw woodruffw self-requested a review May 31, 2023 17:36
@woodruffw woodruffw added the component:dep-sources Dependency sources label May 31, 2023
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks again for opening this!

This is a good start, but it's going to need a few changes before I think we can consider merging this.

In particular, my recommendation is to go back and look at the optimization's state at the time it was removed in #540 -- the re-addition of the optimization here should closely mirror that code, rather than being an independent reimplementation. That will save us a lot of heartburn and trouble down the road.

Comment on lines 330 to 336
parser.add_argument(
"--with-pip-compile",
action="store_true",
help="don't perform dependency installation in a temporary virtual env"
" if requirements files is builded with pip compile; requires --requirement argument",
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This implies that hashed requirements files always come from pip-compile, which isn't true.

Rather than adding a new flag here, let's revert the behavior that was removed with #540: the pre-existing --no-deps and --require-hashes flags should cause us to go down an optimized path.

@@ -44,6 +53,7 @@ def __init__(
index_url: str | None = None,
extra_index_urls: list[str] = [],
state: AuditState = AuditState(),
with_pip_compile: bool = False,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above: I don't think we want to imply that this is unique to pip-compile, since it wasn't before.

Comment on lines 138 to 146
parsed_packages = []
for filename in filenames:
requirements_file = RequirementsFile.from_file(filename)
requirements_dict = requirements_file.to_dict()["requirements"]
parsed_packages += [
(r["name"], r["specifier"][0].split("==")[1]) for r in requirements_dict
]
for name, version in parsed_packages:
yield ResolvedDependency(name=name, version=Version(version))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be hardened against URL-style requirements, parser errors, etc.

My suggestion would be to look at what was removed in #540, and reuse that to the greatest extent possible: it had a lot of "scar tissue" from different bugs reported over time.

@trottomv trottomv force-pushed the trottomv/reintroduce-dependecy-optimization branch 5 times, most recently from 21fe2e7 to 97b92cf Compare June 5, 2023 16:55
@trottomv
Copy link
Contributor Author

trottomv commented Jun 5, 2023

@woodruffw I've removed the "with_pip_compile" option and restored the preresolved dependencies collection as in #540

@woodruffw
Copy link
Member

Cool, thank you! I'll have time to review again in the coming days.

@pauloxnet
Copy link

It seems ok to me. Maybe you can update the Changelog file.

@trottomv trottomv force-pushed the trottomv/reintroduce-dependecy-optimization branch 2 times, most recently from c6a7693 to aeed974 Compare June 6, 2023 06:35
@trottomv trottomv force-pushed the trottomv/reintroduce-dependecy-optimization branch from aeed974 to 9674a34 Compare June 6, 2023 06:38
@woodruffw
Copy link
Member

Lint failure:

would reformat pip_audit/_dependency_source/interface.py
would reformat pip_audit/_dependency_source/requirement.py
would reformat test/dependency_source/test_requirement.py

Oh no! 💥 💔 💥
3 files would be reformatted, 48 files would be left u

You can use make reformat and make lint locally to catch these.

@pauloxnet
Copy link

LGTM

CHANGELOG.md Outdated Show resolved Hide resolved
@trottomv trottomv force-pushed the trottomv/reintroduce-dependecy-optimization branch from 6e0a42a to 8be732a Compare June 8, 2023 12:37
@trottomv trottomv force-pushed the trottomv/reintroduce-dependecy-optimization branch from 8be732a to 783779d Compare June 8, 2023 12:44
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM; I'll do some end-CLI testing this evening.

I'd like @tetsuo-cpp to also give this a review, since he wrote the original fast-path here.

@woodruffw woodruffw requested a review from tetsuo-cpp June 13, 2023 17:08
@tetsuo-cpp
Copy link
Contributor

Sorry for the delay @trottomv! I'll get to this tonight.

Copy link
Contributor

@tetsuo-cpp tetsuo-cpp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good!

@woodruffw Regarding my comment about the flag, I don't feel too strongly about it either way, it just wasn't what I was expecting. If that seems good to you, feel free to merge.

# If the user has supplied `--no-deps` or there are hashed requirements, we should assume
# that we have a fully resolved set of dependencies and we should waste time by invoking
# `pip`.
if self._no_deps or require_hashes:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw I thought the plan was that we were going to give it some kind of scary name instead of having it activate as soon as we supply a hashed requirement since the fast path is less comprehensive than doing a real pip installation.

Copy link
Contributor Author

@trottomv trottomv Jun 19, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @tetsuo-cpp thanks a lot for your review.
I agree with you. In my humble opinion, invoking "preresolved dependency" based solely on the requirement presenting the hashes is a bit weak. My original idea was to add a new flag, and I explained it better in this comment on the issue. #610 (comment)

I see also your approval, feel free to merge, We can potentially continue the discussion to evaluate different solutions if necessary.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tetsuo-cpp You're right, I forgot about that -- IMO --disable-pip or similar would be appropriate.

The semantics there would be:

  • --disable-pip will cause an error unless we're in a requirements input mode
  • --disable-pip will cause an error unless the requirements are fully hashed or the user also passes --no-deps

Does that sound reasonable to you?

@trottomv I'd prefer to merge this as a single feature, so we'll probably want to settle the new flag before merging 🙂

Copy link
Contributor Author

@trottomv trottomv Jun 20, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem to me, if I can contribute, I'm happy to do so, time permitting.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw Yep! Those flag names sound good to me.

@trottomv Sorry for the churn! I'm planning to push those change to your branch this afternoon and we can look at getting this released.

@tetsuo-cpp tetsuo-cpp self-assigned this Jun 22, 2023
@tetsuo-cpp
Copy link
Contributor

@woodruffw, I've made those changes now. Could you take a quick look at this?

@tetsuo-cpp tetsuo-cpp requested a review from woodruffw June 28, 2023 01:49
pip_audit/_cli.py Outdated Show resolved Hide resolved
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@woodruffw woodruffw enabled auto-merge (squash) June 28, 2023 16:45
@woodruffw
Copy link
Member

Thanks for all of the hard work here @trottomv! Merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component:dep-sources Dependency sources
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Reintroduce the preresolved dependency optimization
4 participants