stash
Should we add some sort of "blacklist" for pip packages?
Hi everyone,
as most of the long-term watchers of this repo and/or the forum have probably noticed, we are getting a lot of repeated issues regarding pip, especially the installation of non-compatible pypi packages.
Some examples are https://github.com/ywangd/stash/issues/358 and https://github.com/ywangd/stash/issues/371 .
Should we add a blacklist to pip, which explicitly warns the user that these modules can not be installed (e.g. 'matplotlib' can not be installed, but is already preinstalled or mypy can not be installed, because it has c-code)? Also, should we add a --force argument to pip to bypass the blacklist?
What do you guys think?
If we were to discuss this, we should also consider having some sort of mechanism that allows pip to log (yet continue) if a dependency isn't able to be installed. This way, what is currently supported is there but the user knows about missing things as well. Maybe --allow-broken-dependencies or --install-what-you-can? idk.
I've had times where I would want a library but it had some incompatible prerequisite.
To somewhat manually solve this, I would git clone the repo, remove that required package from the setup.py, and the install (along with what functionality I needed from that library) worked just fine.
Starting some sort of a ~/pip.conf with a "ignored_packages": ["matplotlib", "mypy"], section like sublime text has or even just an ignored_packages.txt would be nice.
That way you would have a clearly defined place where you can add packages. Not all libraries break during install but do super screw up the execution environment if they get through so some persistent file that outright protects the system would be nice.
Those are my thoughts on it.
@bennr01 perhaps there needs to be a separate py2 vs py3 blacklist? Or blacklist json should allow blacklisting on one or the other. For example: xmlrpc should be installed for python2, but never python3.
I believe adding another key to the blacklist would be preferable over a new blacklist. It is simply extremely rare that a package needs to be added depending on the python version. Normally, they either work on neither/both python versions or set the requires_python value correctly.
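The blacklist discussed in this thread, as an added example that is not StaSh's own pip code: one JSON file with an optional per-package `python` key instead of separate py2/py3 lists, a `force` bypass, and a log-and-continue pass over dependencies. The JSON layout and all function and key names are assumptions made for illustration; only the package reasons come from the thread.

```python
import json
import re
import sys

# Constructed sample data. Reasons are taken from the thread; the layout and
# the "python" key (list of major versions the entry applies to) are assumed.
SAMPLE_BLACKLIST = json.loads("""{
  "matplotlib": {"reason": "cannot be installed, but is already preinstalled"},
  "mypy": {"reason": "contains C code"},
  "xmlrpc": {"reason": "must not be installed on Python 3", "python": [3]}
}""")


class PackageBlacklisted(Exception):
    """Raised when a blacklisted package is requested without force."""


def normalize(name):
    # PyPI names are case-insensitive and treat '-', '_' and '.' alike (PEP 503).
    return re.sub(r"[-_.]+", "-", name).lower()


def check_blacklist(name, blacklist, py_major=None, force=False):
    """Return None if allowed, a warning string if forced, else raise."""
    py_major = sys.version_info[0] if py_major is None else py_major
    entry = {normalize(k): v for k, v in blacklist.items()}.get(normalize(name))
    if entry is None:
        return None
    versions = entry.get("python")  # key absent: blacklisted on every version
    if versions is not None and py_major not in versions:
        return None
    message = "{}: {}".format(name, entry["reason"])
    if force:
        return "warning (forced): " + message
    raise PackageBlacklisted(message)


def filter_requirements(names, blacklist, py_major=None):
    """Split dependencies into installable and skipped, logging not aborting."""
    ok, skipped = [], []
    for name in names:
        try:
            check_blacklist(name, blacklist, py_major)
            ok.append(name)
        except PackageBlacklisted as exc:
            skipped.append(str(exc))
    return ok, skipped
```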