Entangled In Dependencies: Pipenv&Poetry

Python dependencies management: Pipenv and Poetry.

Alex Khaerov

March 26, 2019

Transcript

  1. Pipenv & Poetry Entangled In Dependencies: by Alex Khaerov @hayorov

  2. @hayorov Hi!

  3. @hayorov we ❤ company who I am

  4. @hayorov Alex Khaerov we ❤ company who I am @hayorov

  5. @hayorov Chainstack Multi-cloud and multi-blockchain Platform as a Service Alex

    Khaerov we ❤ company who I am @hayorov
  7. @hayorov Chainstack Multi-cloud and multi-blockchain Platform as a Service Alex

    Khaerov we ❤ company who I am @hayorov We are hiring: careers.chainstack.com
  8. @hayorov easy_install requirements.txt pip virtualenv setup.py sdist wheels virtualenvwrapper pyenv

    conan flit bento hatch pants conda pipenv pip-tools poetry
  9. @hayorov easy_install requirements.txt pip virtualenv setup.py sdist wheels virtualenvwrapper pyenv

    conan flit bento hatch pants conda pipenv pip-tools poetry $
  10. @hayorov Who's That Pokémon? Who's That Pokémon? ??? ???

  11. @hayorov Dependency Manager for

  12. @hayorov Dependency Manager for composer

  14. @hayorov Dependency Manager for composer conductor

  15. @hayorov Agenda The history Problem statement Modern era Hello Pipenv

    Pipenv Poetry So now what?
  16. @hayorov The Old Days

  17. @hayorov The Old Days Hey, what’s wrong with curl, tar

    and setup.py install?
  18. @hayorov Problems With This • “The Cheeseshop” (PyPI) was merely

    an index of packages, not a sole package host. • Packages were often hosted elsewhere. • Ran on a single server in &, while serving the entire Python community. • Its use wasn’t a fraction of what it is today, so it wasn’t a problem.
  19. @hayorov More Obvious Issues • Very manual process - not

    good for automation. • Globally installed packages - impossible to have two versions of the same library installed. • People often just copied things into site-packages, manually. • Poor user experience.
  20. @hayorov Next Iteration

  21. @hayorov Improvements! • Much better user experience for installation. •

    Most packages were installed from PyPI. • Easier to automate programmatically. • , no easy_uninstall.
  22. @hayorov 2010 -> • Pip became the de-facto replacement for

    easy_install. • Virtualenv became common practice. • Pinned requirements.txt file passed around.
  23. @hayorov 2010 -> • Pip became the de-facto replacement for

    easy_install. • Virtualenv became common practice. • Pinned requirements.txt file passed around. Pip + Virtualenv + requirements.txt =
  24. @hayorov Other Communities • Node.js yarn || npm (lockfile) •

    PHP: Composer (lockfile) • Rust: Cargo (lockfile) • Ruby: Bundler (lockfile) • Python: Pip + Virtualenv (no lockfile?)
  25. @hayorov ✋ … requirements.txt • $ pip freeze > requirements.txt

    • Mismatch: “What you want installed” vs “what you need” installed. • A pre-flattened dependency tree is required in order to establish deterministic builds. • Tools like pip-tools were created to ease this pain.
  26. @hayorov Two Requirements Files $ cat req-to-freeze.txt Flask $ cat

    requirements.txt click==6.7 Flask==0.12.2 itsdangerous==0.24 Jinja2==2.10 MarkupSafe==1.0 Werkzeug==0.14.1
  27. @hayorov Pipfile: New Standard • Pipfile replaces requirements.txt. • TOML

    format, so easy to read/write manually. • Two groups: [packages] and [dev-packages]. • Will eventually land in Pip 19 has support for pyproject.toml
  28. @hayorov Resulting Pipfile.lock • JSON, so easily machine-parsable • Contains

    all transitive dependencies, pinned, with all acceptable hashes for each release. • Two groups: {
 “default”: …
 “develop”: …
 }
  29. @hayorov Pipenv Sales Pitch • Officially recommended tool from python.org.

    • Features: Pipfile/Pipfile.lock today. • Automates away virtualenv entirely. • Ensures deterministic build (inc. hash check verification). • Other useful tools: e.g. $ pipenv graph.
  30. @hayorov Downsides • Stability! Stability! Stability! • Pipenv is probably

    not the tool for building a library. • Pipenv update is really slow. • The dependency resolution will fail even if there is a solution. • Pipenv remote will not delete dependencies, only the package.
  31. @hayorov Poetry • v0.1.0 released in Feb, 2018 as the

    reaction to Pipenv issues. • Comes with exhaustive and fast dependency resolver. • Emphasis on semantic versioning and constraint specification (version “^1.4” instead of Pipenv “*”). • Easily build and package your projects: poetry publish.
  33. @hayorov So Now What? • Start a new project with

    Poetry • Already with Pipenv? Stay on it! • Be patient and wait for native support in Pip and Python
 PEP518 Specifying Minimum Build System Requirements for Python Projects
 PEP517 A build-system independent format for source trees
  34. Thank you questions… @hayorov

  35. Thank you questions… Alex Khaerov @hayorov
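
Slides 28 and 29 describe Pipfile.lock as JSON with every transitive dependency pinned and carrying its acceptable hashes, which is what makes the hash check possible. The sketch below is an added example, not code from the talk or from Pipenv: it audits a lock file for entries that break that guarantee and checks an artifact against the locked hashes. The lock content, artifact bytes, the `devtool` package and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed data: stand-in artifact bytes and a minimal Pipfile.lock.
ARTIFACT = b"constructed wheel bytes for this demo"
GOOD = "sha256:" + hashlib.sha256(ARTIFACT).hexdigest()
LOCK = json.dumps({
    "_meta": {"pipfile-spec": 6},
    "default": {
        "flask": {"hashes": [GOOD, "sha256:" + "a" * 64], "version": "==0.12.2"},
        "click": {"hashes": [], "version": "==6.7"},
        "jinja2": {"hashes": ["sha256:" + "b" * 64], "version": ">=2.10"},
    },
    "develop": {
        "devtool": {"hashes": ["sha256:" + "c" * 64], "version": "==1.0"},
    },
})


def audit_lock(lock_text):
    """Return (group, package, problem) for entries that weaken determinism."""
    lock = json.loads(lock_text)
    findings = []
    for group in ("default", "develop"):
        for name, entry in sorted(lock.get(group, {}).items()):
            version = entry.get("version", "")
            # A locked entry must be an exact pin, with no range or wildcard.
            if not version.startswith("==") or "*" in version:
                findings.append((group, name, "not pinned: %r" % version))
            # Without hashes the installer cannot verify what it downloaded.
            if not entry.get("hashes"):
                findings.append((group, name, "no hashes"))
    return findings


def artifact_allowed(lock_text, group, name, data):
    """True only if sha256(data) is one of the hashes locked for the package."""
    entry = json.loads(lock_text).get(group, {}).get(name, {})
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    return any(hmac.compare_digest(digest, h) for h in entry.get("hashes", []))


if __name__ == "__main__":
    for finding in audit_lock(LOCK):
        print(finding)
    print(artifact_allowed(LOCK, "default", "flask", ARTIFACT))
```
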