
[8pt][SPIKE]Use backtracking for "latest" recommendation types

Open fridex opened this issue 2 years ago • 9 comments

Problem statement

Some requirements fail to be resolved from time to time even though a resolution for the given set of requirements exists. This is caused by the nature of the algorithm used when resolving "latest". It might be worth experimenting with other algorithms to have more deterministic resolution - the adviser could use backtracking when resolving "latest" versions of software packages, similarly to what pip does, and leave the algorithm based on TD-learning solely for resolving other recommendation types. Otherwise, it might be worth checking if we can adjust the heuristics of the "latest" predictor for selecting a specific version.

fridex avatar Apr 29 '22 11:04 fridex
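The failure mode described in the issue, as an added example that is not adviser's or pip's code: a greedy newest-first picker beside a backtracking resolver, both run over a small constructed index of made-up packages (`web`, `db`, `core`). The greedy pass pins `web 2.0` first and then cannot satisfy `db`, while the backtracking pass revisits that pin and finds a valid stack.

```python
"""Added example, not adviser or pip code: a greedy newest-first picker next to a
backtracking resolver, both run over a small constructed package index."""
from typing import Callable, Dict, List, Optional, Tuple

Pins = Dict[str, str]
Work = List[Tuple[str, List[str]]]  # (package, allowed versions) requirements
# Constructed index: package -> version -> {dependency: allowed versions}.
# web 2.0 needs core 2.0, but every db release needs core 1.0.
INDEX: Dict[str, Dict[str, Dict[str, List[str]]]] = {
    "web": {"2.0": {"core": ["2.0"]}, "1.0": {"core": ["2.0", "1.0"]}},
    "db": {"1.1": {"core": ["1.0"]}, "1.0": {"core": ["1.0"]}},
    "core": {"2.0": {}, "1.0": {}},
}

def candidates(package: str, allowed: List[str]) -> List[str]:
    """Allowed versions of `package` present in the index, newest first."""
    return sorted((v for v in INDEX[package] if v in allowed),
                  key=lambda v: tuple(map(int, v.split("."))), reverse=True)

def greedy_latest(work: Work, pins: Pins) -> Optional[Pins]:
    """Pin the newest compatible version per requirement; never revisit a pin."""
    work = list(work)
    while work:
        package, allowed = work.pop(0)
        if package in pins:
            if pins[package] in allowed:
                continue
            return None  # an earlier pin conflicts and greedy cannot undo it
        versions = candidates(package, allowed)
        if not versions:
            return None
        pins[package] = versions[0]
        work.extend(INDEX[package][versions[0]].items())
    return pins

def backtrack(work: Work, pins: Pins) -> Optional[Pins]:
    """Same newest-first preference, but undo a pin that leads to a dead end."""
    if not work:
        return pins
    package, allowed = work[0]
    if package in pins:
        return backtrack(work[1:], pins) if pins[package] in allowed else None
    for version in candidates(package, allowed):
        deps = list(INDEX[package][version].items())
        found = backtrack(work[1:] + deps, {**pins, package: version})
        if found is not None:
            return found
    return None  # every candidate failed; the caller tries its next version

def resolve(requirements: List[str], strategy: Callable[[Work, Pins], Optional[Pins]]) -> Optional[Pins]:
    return strategy([(pkg, list(INDEX[pkg])) for pkg in requirements], {})
```

`resolve(["web", "db"], greedy_latest)` returns `None`, whereas `resolve(["web", "db"], backtrack)` returns the stack `web 1.0`, `db 1.1`, `core 1.0`; pip's real resolver adds candidate ordering heuristics and the backtracking limits linked later in the thread.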

/sig stack-guidance

mayaCostantini avatar Apr 29 '22 12:04 mayaCostantini

/priority critical-urgent

goern avatar May 17 '22 06:05 goern

https://pip.pypa.io/en/stable/topics/dependency-resolution/

mayaCostantini avatar May 23 '22 12:05 mayaCostantini

/assign @mayaCostantini

mayaCostantini avatar May 25 '22 10:05 mayaCostantini

The documentation also has details on limitations: https://pip.pypa.io/en/stable/topics/dependency-resolution/#possible-ways-to-reduce-backtracking

Maybe we would have to use them for a smooth resolution report.

harshad16 avatar Jul 18 '22 12:07 harshad16

/lifecycle active

mayaCostantini avatar Jul 21 '22 07:07 mayaCostantini

For anecdotal evidence, just adding a couple of instances where I think the advice provided with latest looks strange / unexpected:

  • Downgrading packages and introducing already-fixed CVEs: https://github.com/thoth-station/ps-cv/pull/45#pullrequestreview-1114477726
  • Downgrading from a released version to an older pre-release version: https://github.com/thoth-station/ps-cv/pull/43#pullrequestreview-1114491371
  • Downgrading to a 4+ years old version: https://github.com/thoth-station/python/pull/480#pullrequestreview-1114519190

codificat avatar Sep 20 '22 22:09 codificat

If we do decide to use backtracking, couldn't we use pip directly as it already does backtracking with latest versions? This makes me wonder what the benefit of adviser for someone who needs latest recommendations is. What benefit does latest advise offer over a simple pip install or pipenv install?

KPostOffice avatar Jan 24 '23 15:01 KPostOffice

Great question. The reason could be to have an advise report containing information on whether there is an additional CVE, security concern, or any other information related to the latest stack. As this kind of information is not available from pip or pipenv, users might have to go over a varied number of places to gather it. Though it is valid that for pip vs thamos on latest the behavior is to get the latest package: if we don't have any information about the package version, then it is the same as a pip-installed package. We should have consensus on this behaviour and which way to move towards.

harshad16 avatar Jan 25 '23 19:01 harshad16