fades icon indicating copy to clipboard operation
fades copied to clipboard
verified publisher icon PyAr

Non-PyPI packages are ignored by --check-updates

Open frafra opened this issue 6 years ago • 4 comments

Hi, Fades does not check if a package installed git+https is up-to-date even if --check-updates is used.

frafra avatar Oct 25 '19 08:10 frafra

Hello, thanks!

--check-updates is hitting pypi API to check versions. I'm not sure how we should track versions of packages installed from a git repo. Any ideas?

gilgamezh avatar Oct 26 '19 10:10 gilgamezh

It looks like there is no way to detect which revision has been cloned using pip.

Simple solution: cloning the whole repo every time and displaying a warning (like "please fix a commit/tag like this: ...")

Better solution: getting the commit ID first and alter the required dependency on-the-fly. Example (Bash-like syntax):

  1. Dependency required: git+https://github.com/PyAr/fades.git
  2. No reference detected (no @ref used), assuming ref="HEAD"
  3. Get commit ID: id=$(git ls-remote https://github.com/PyAr/fades.git $ref | cut -f1)
  4. Add the commit ID to the dependency: git+https://github.com/PyAr/fades.git@$id
  5. Resolve the dependency as usual

frafra avatar Oct 26 '19 10:10 frafra

Hello @frafra !

Thanks for taking the time to help us improve fades!

Yes, --check-update is suboptimal when we consider other repos other than PyPI. For example, we have the #338 issue opened for the case of local dependencies.

In that case of local depencies what is suggested in the issue is to verify if the project has changed by checking the ctime of the project's directory.

For the case of remote VCSs is quite more complicated. We not only support git but also other VCS systems. Furthermore, we don't "speak VCS" ourselves, as we just rely on pip to do its work.

Taking that into mind, it's super difficult to get the commit id of a remote repo. What if it's bzr or hg? What if the user doesn't have git installed (not really sure how pip installs it, and the trick is that we want to avoid caring about it!).

So, how can emulate desired behaviours taking that in consideration?

One proposal could be to always recreate the venv if --check-updates is involved when having VCS repos; that surely would be on the safe side, but it also will be very inefficient most of the times!

What do you think?

facundobatista avatar Oct 31 '19 01:10 facundobatista

Hi :) You are right, it would be better not to do something for git only. I had a look at poetry because it fixes versions for packages, even if they are taken from git, but they do not support other VCSes: https://github.com/sdispater/poetry/blob/7a372c75562e99355c59786b4d3f1b26b9124e50/poetry/puzzle/provider.py#L189-L190

I would say that your proposal can be a good one, but I would show a warning if the dependencies VCS dependencies have not been tagged; (using @reference) if they have tags, they can be just skipped.

frafra avatar Oct 31 '19 11:10 frafra