[Zope-dev] Don't have "Zope 2" hard-specify its versions!

Tres Seaver tseaver at palladion.com
Sat Apr 11 13:32:51 EDT 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hanno Schlichting wrote:
> Chris Withers wrote:
>> Dieter Maurer wrote:
>>> Tres has earlier proposed a meta egg to represent "versions.cfg" in
>>> a setuptools only (non buildout) environment.
>>>
>>> A meta egg is an egg that only list dependencies and does not contain
>>> code of its own.
>> Indeed, so we'd need 2 eggs for Zope 2 :-(
>>
>> Something I bumped into recently:
>>
>> If the Zope 2 egg actually hard-specifies its dependencies, how do I 
>> upgrade any of those dependencies to newer versions that fix bugs i may 
>> have encountered/fixed?
> 
> You roll your own meta egg. You cannot override hard version
> specifications inside a setup.py.
> 
> In all other debates we seemed to agree on not over specifying
> requirements in setup.py files, I wonder why anybody still tries to
> follow this route.

Maybe because it makes for a predictable / reproducible installation?
After all, the 2.12a1 egg already released is now broken under
easy_isntall becasse it *doesn't* nail down its dependencies.

Predicatbility requires one of the following:

- - Run an index, and make people install from there rather than PyPI;
  at that point, you are a "distribution" maintainer, and can ensure
  consistency.  Users who trust you can "safely" upgrade at will,
  because you are responsible for ensuring that the eggs in the index
  work together.

- - Release a nailed-down egg (or the equivalent buildout.cfg /
  versions.cfg, and let people install from PyPI.  Upgrades are not
  really safe: you won't get borked by newly released eggs, but
  removed / re-uploaded eggs can still hose you.

- - Release some kind of monolith, generated from the same metadata
  as above.  Upgrades aren't really possible here:  you have to release
  a new version of the monolith.



> Let's see what other people who want to support easy_install do: They
> require you to use virtualenv and create a links page, which has all the
> dependencies in all the required versions on it:
> 
> http://pylonshq.com/download/0.9.7/
> http://www.turbogears.org/2.0/downloads/2.0final/
> http://dist.repoze.org/zope2/dev/
> http://dist.plone.org/release/3.3rc2/
> 
> In order to install from on of these you do for example:
> 
> easy_install -f http://pylonshq.com/download/0.9.7 Pylons

You want '-i' and the index URL, not '-f' and the "directory-containing-
tarballs" URL.

> and that's it. Some projects package up the multiple steps (including
> installing setuptools) into a little helper script.
> 
> As you might notice all that is required is a known URL and Apache
> serving a bunch of files directly.

Without supplying the '-i' ('--index-url') flag, you are still subject
to the variability of PyPI.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ4NRD+gerLs4ltQ4RAjepAKCRsCzEHTcOnPpqE53Cs8Q0+WSdxACfZ7Zq
LupGqM494WgV5QMAWl4X/HY=
=NCYV
-----END PGP SIGNATURE-----

More information about the Zope-Dev mailing list