-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New resolver reports version conflict on github repo URL variations #9229
Comments
Simplified demo using a random real python repo and no dependency chaining:
|
I believe this is expected; two URLs with different log in information are treated as different sources since they are technically different URLs, and can return entirely different contents in theory. pip did not actually check this previously (even if the URLs entirely differ), and simply picked the first URL it seems and ignore the second one. The new resolver is stricter on this and require the URLs to be equivalent. |
Except that they didn't. Pip should know this because the conflict message appears after both are cloned.
Also I'm pretty sure that's not how github works? |
A clone is not sufficient, since Git’s clone is not reproducible. pip would need to actually build the package to tell whether two package contents are indeed the same, and even that has problems due to technicaly details, e.g. #5648. So pip opts the strictest route, and reject different URLs (ideally pip should not even clone, but that’s an implementation quirk that should be improved).
It is how GitHub works for humans now, but pip does not know that. pip does not contain information specific to a given index (and should not IMO); so the user needs to help it fill these gaps. |
Can you explain this part? If I clone both versions to adjacent locations, and then diff shows the cloned contents are identical, which is what's happening here, then the clones are the same even if by some quirk of the phase of the moon or neutrino interference they would result in different builds. What scenario is this protecting?
This puts a weird burden on unrelated distributed projects to agree to all coordinate to use the same URL format, which may not even be possible, in order to prevent something that seems in my ignorance to be slightly far fetched. |
IIUC the content of
And on the flip side, not having that burden on you means more burden to us, because we get to maintain the functionality that satisfies your convenience 🙂 |
Modification times or something else? Do you have a resource where I can learn about what kinds of changes we're talking about? I'm only able to find references for modification times or changes between different computers (seemingly not relevant here). |
(I feel like I should also add that the formulation where local and remote requirements.txt files used different URL format for the same project leads to the seemingly infinite install looping behavior already reported elsewhere. I didn't originally want to put it in this report because it's already on your radar, but now I'm second guessing that.) |
I think I just experienced a variation on this issue while re-building a singularity container of mine that starts by updating pip, then git clones a repo that contains a requirements.txt file and tries to use it:
My requirements.txt pulls libhts, which has libworkflows as a dependency, and also libworkflows directly. The indirect dependency is specified in the install_requires section of the setup.py of libhts, without a version, just the git repo address. The direct dependency is specified with a version constraint in requirements.txt. |
I'm trying to figure out how I could solve my issue with spurious incompatibilities between the same package installed via git but one via requirements.txt and the other via the install_requires section of a setup.py. I was wondering whether I would have to remove the git commit hash from the requirements.txt file or add it in the install_requires section of the setup.py of the package that depends on it. However, after reading https://packaging.python.org/discussions/install-requires-vs-requirements/, it seems that the recommended good practice is to pin specific versions in requirements.txt but not in the install_requires section of a setup.py. @uranusjr Is there a way I can follow the above recommendations, while being able to use the new resolver? |
From pip's perspective, any URL spec is pinning the requirement. So it does not really matter; by using a URL is |
Wouldn't it possible to modify pip so that it at least considers that when the urls just differ by presence / absence of a commit hash, the one without the commit hash should be considered as satisfied by the one with the commit hash? |
It is possible, but would require a feature request and substantial discussion, since the current behaviour (use the revision pointed by the default branch) is well-established and likely depended by many. Variants of a Python package are ultimately identified by their versions, and this mechanism is built into many areas of Python. PEP 508 URL is a mean to specify where pip should download things to satisfy a package version request. By giving semantics to a Git URL’s revision information, we’d essentially introduce an alternative versioning scheme parallel to the package’s version metadata, which would not play well with other parts of packaging. Not that the revision can’t be used as package version—Go’s packaging solution does basically that—but the scheme does not work well in Python packaging without substential designing to fit into the current version system. |
Thanks for the explanations. I'll probably just add commit hashes in setup.py, then. |
Are there anything left here? Feel free to close if you think this is resolved. |
This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further. |
Having some issues with pip conflicts where other ckan extensions have the same dependencies but without the .git part. This causes a version conflict. Joy! See here: pypa/pip#9229
We are still facing this issue, we have a requirements.txt file generated from a poetry lock file. As such, the requirements file contains all the requirements similar to the OP above since a requirements file generated from a lock would contain ALL requirements for all packages. So the requirements file generated from the lock contains:
but down the chain of requirements for
and all the sudden pip can't do anything because:
Please advice because I don't see how to get around this issue, this seems like a massive flaw in the new implementation of pip. For whoever it may help, pip being "strict" is an under statement. I solved it by reading my requirements character by character. They must match perfectly or nothing works. (Not a great update IMO). The error I was getting:
Note the |
Yes, because pip has no way to tell the two are actually the same repository. |
@uranusjr GitHub organization and repository names are not case-sensitive though when it comes to checking if there is a duplicate i.e. |
That's a github-specific rule. URLs in general may or may not be case sensitive, and pip has no way of knowing whether a particular VCS URL is cas sensitive or not. And before you ask, no, we're not going to hard-code github's rules - that way lies madness 🙁 |
Yeah, I can see that. Would be nice to be able to turn off strict mode or had it be done via a |
The resolver appears to treat
projectname @ git+https://[email protected]/org/repo.git
as different fromprojectname @ git+https://github.com/org/repo.git
even though they're the same thing and the only difference is the "git@" in the url. If something is required directly and indirectly (via another requirement) using slightly different but totally valid URL variations, pip fails with a version conflict error.pip install -r requirements.txt
on a requirements.txt containing:Where project-def has a requirements.txt containing the "git@" URL variant:
Produces
Removing the "user@" from the second requirements.txt avoids this, but it worked before the resolver upgrade and may require changes to packages upstream from the user.
Expected Behavior
Working URL variations for the same package should not affect version resolution.
Environment details
pip 20.3.1
macOS Mojave 10.14.6
Python 3.8.6
The text was updated successfully, but these errors were encountered: