Adopt a dependency management strategy for utility dependencies

Open rhmdnd opened this issue 4 years ago • 3 comments

Description of problem:

The utils/ directory has a bunch of useful Python scripts for working with CaC content. Some of the scripts rely on libraries outside the Python standard library. To make it easier to use, should we consider adopting a requirements.txt file for utility dependencies?

SCAP Security Guide Version:

Operating System Version:

Steps to Reproduce:

  1. Try running any utility script with non-standard library dependency
$ python utils/duplicated_prodtypes.py -h
Traceback (most recent call last):
  File "/home/lbragstad/Projects/content/utils/duplicated_prodtypes.py", line 8, in <module>
    import ssg
ModuleNotFoundError: No module named 'ssg'

Actual Results:

Import failures depending on the scripts you're trying to use.

Expected Results:

Tools work as expected after installing requirements.

Additional Information/Debugging Steps:

We could update the documentation to reference requirements.txt during the install process, or use tox to build a virtual environment with all the necessary dependencies for the utility scripts we rely on in CaC.

rhmdnd avatar Dec 09 '21 21:12 rhmdnd
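
An added example, not part of the original issue or the project's code: before writing a requirements.txt or Pipfile for utils/, it helps to enumerate which scripts import modules outside the standard library, which is exactly what produces the ModuleNotFoundError shown above. The sample script bodies, the yaml and jinja2 imports, and the `local` parameter (for in-repo packages that are resolved via PYTHONPATH rather than installed) are assumptions constructed for illustration.

```python
import ast
import sys
import tempfile
from pathlib import Path

# Python 3.10+ exposes the standard-library module names; the fallback set
# is a constructed subset for older interpreters.
STDLIB = frozenset(getattr(sys, "stdlib_module_names",
                           {"argparse", "ast", "json", "os", "pathlib", "re", "sys"}))


def external_imports(utils_dir, local=()):
    """Map each top-level non-stdlib module to the scripts importing it.

    `local` (hypothetical parameter) names in-repo packages to exclude.
    """
    found = {}
    for script in sorted(Path(utils_dir).glob("*.py")):
        try:
            tree = ast.parse(script.read_text(encoding="utf-8"))
        except SyntaxError:
            continue  # e.g. a Python 2-only script; skip rather than abort
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                names = [alias.name for alias in node.names]
            elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
                names = [node.module]  # absolute "from x import y" only
            else:
                continue
            for name in names:
                top = name.split(".")[0]
                if top not in STDLIB and top not in local:
                    found.setdefault(top, set()).add(script.name)
    return {mod: sorted(files) for mod, files in sorted(found.items())}


def demo():
    """Run the scan over constructed sample scripts (not the real utils/)."""
    samples = {
        "duplicated_prodtypes.py": "import argparse\nimport ssg\n",
        "render.py": "import os\nimport yaml\nfrom jinja2 import Template\n",
        "broken.py": "print 'python2 only'\n",
        "relative.py": "from . import helper\nimport json\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return external_imports(tmp), external_imports(tmp, local={"ssg"})


if __name__ == "__main__":
    for label, result in zip(("all", "excluding ssg"), demo()):
        print(label, result)
```

The scan reports import names, which are not always the same as the distribution names to pin, so the output is a starting list to review rather than a finished requirements file.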

I propose a third alternative which would work well for the use case of the utility scripts: https://github.com/pypa/pipenv

  • Pipfile.lock would be equivalent to pinning versions in requirements.txt, except less hassle to maintain
  • Unifying virtualenv and Python dependency management makes the project more approachable
  • No complexity with managing testenvs and the expected behavior of shell scripts as would be experienced with tox.

The biggest argument against this, of course, is:

  • It's outside of the default Python ecosystem, and bringing another tool in to help above a requirements.txt might be confusing for people not used to it (this holds true for tox as well).

jharmison-redhat avatar Dec 09 '21 21:12 jharmison-redhat

That's a good point. I updated the issue to be more generic about dependency management.

I'm in favor of either approach. In my opinion, I feel like offering something to handle dependencies, even if it does add another tool to the project, makes it easier to use all the utility scripts.

rhmdnd avatar Dec 09 '21 21:12 rhmdnd

#10487 has been merged, to help with the Python side.

Mab879 avatar Jun 06 '23 17:06 Mab879