-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vendoring updates (Oct 2022) #11502
Vendoring updates (Oct 2022) #11502
Conversation
807efda
to
6218fd6
Compare
Well, this is only mildly annoying. setuptools has changes the dependency graph for pkg_resources at some point. :) |
6f4f866
to
c744fd6
Compare
Well, turns out, it's a bit more complicated than I'd hoped for -- https://github.com/pypa/setuptools/tree/2d4ebde71ce9daf914318f5ff29bcc39507b2cdf/pkg_resources/_vendor is a better source of truth than the requirements file in the parent directory. |
62bde35
to
4b6e5ea
Compare
OK, 3am. That's all I'm investing into this, on this morning. |
Well, this broke CI pretty badly. And it's a lot bigger than I'm comfortable with, so my first instinct is to reject it for 22.3, as we're too close to the release date for me to feel sure we've had the chance to iron out any issues. More detailed notes:
As a more general point, I'd much prefer to see this PR split into separate ones:
I would accept the first of these PRs, and we can then discuss the merits of the remaining ones individually. Sorry, @pradyunsg, I know this is not how the |
Oh, wow. I just looked at a recent pkg_resources. That's a 7-fold increase in size, and 86 files instead of 4. For what is, as far as I can tell, zero change in functionality for pip. Sorry, but I'd strongly prefer to pin to the old version, and make Python 3.12 a cutoff for no longer using setuptools at all. And honestly, I'd be inclined to retire the pkg_resources backend altogether and vendor importlib_resources, so we're completely rid of setuptools. But the latter is more risky, because (AIUI) the backends are subtly different in some cases... And it's not related to this issue. |
From the code:
So... it should be fine? I think the minor problem is that pkg_resources is imported to locate eggs, even when using importlib.metadata. |
With #11503, |
I'll split out setuptools and certifi from this PR, and file separate ones for them. I will note that I believe we ought to not skip certifi from the release though -- it's got updates to the certificates in addition to the (frustratingly necessary) code changes.
And... I'd prefer to have less invasive patches instead, sticking to the wording in our policy around vendoring:
Arguably, we're violating that for the certificate use case already -- my guess is that, downstream redistributors who would want to modify the certificates would much prefer the less invasive We ought to figure out a way to properly thread through the certificates in a follow up, that doesn't require patching our dependencies.
It always did -- that hasn't changed. brotli is a dependency that we can't vendor, due to binary dependencies, and we don't want to import it at runtime since it'd make that module uninstallable. What's changed is that the lines around the code we were patching have changed enough that the patch was failing to apply. This PR updates that patch to apply cleanly on the newer urllib3.
FWIW, that sorry is unnecessary. I was considering doing the same already (I didn't coz it was 3am and I had to get to work at 9am). All that will have to happen after my work day though -- Fridays are my open source days. :) |
I'm not sure what you mean by this. Fine to upgrade setuptools? Fine to not upgrade it? IMO, it's clearly fine to not upgrade it, as we haven't had any problems using the out of date version until now. It's less obviously fine to upgrade it, because there's always a certain amount of risk, and even if it was fine, we would be adding a bunch of code for no benefit. The original exclusing of setuptools was done by you in 1466e7c but I couldn't find a discussion of why this was done. |
No problem. Would it help if I prepared a PR with everything but the brotli/certifi/setuptools changes? |
Nah, it's fine -- it's easy enough to rebase this to remove those packages and cherry-pick them on a new branch off main. It's not much of a hassle, once I get in front of my personal laptop. :) |
Fine to not. I'll try and elaborate on what I'm thinking later (it's related moving off of |
Too late, I did it anyway - #11504 😉 Feel free to ignore it if you want to do the lot yourself. Anyway, I'll let you get back to work. |
4b6e5ea
to
4ab07c7
Compare
Eventually closes #11500
Beyond that... I have no clue if this is actually going to work -- we'll let CI tell us that. I'm off to sleep now tho -- it's past 2:30am and I would like to get to my day job on time.