Entangled In Dependencies: Pipenv&Poetry

Python dependencies management: Pipenv and Poetry.

Alex Khaerov

March 26, 2019
Transcript

  1. @hayorov Chainstack Multi-cloud and multi-blockchain Platform as a Service Alex Khaerov we ❤ company who I am @hayorov We are hiring: careers.chainstack.com
  2. @hayorov Problems With This
    • “The Cheeseshop” (PyPI) was merely an index of packages, not a sole package host.
    • Packages were often hosted elsewhere.
    • Ran on a single server in &, while serving the entire Python community.
    • Its use wasn’t a fraction of what it is today, so it wasn’t a problem.
  3. @hayorov More Obvious Issues
    • Very manual process - not good for automation.
    • Globally installed packages - impossible to have two versions of the same library installed.
    • People often just copied things into site-packages, manually.
    • Poor user experience.
  4. @hayorov Improvements!
    • Much better user experience for installation.
    • Most packages were installed from PyPI.
    • Easier to automate programmatically.
    • , no easy_uninstall.
  5. @hayorov 2010 ->
    • Pip became the de-facto replacement for easy_install.
    • Virtualenv became common practice.
    • Pinned requirements.txt file passed around.
  6. @hayorov 2010 ->
    • Pip became the de-facto replacement for easy_install.
    • Virtualenv became common practice.
    • Pinned requirements.txt file passed around.
    Pip + Virtualenv + requirements.txt =
  7. @hayorov Other Communities
    • Node.js: yarn || npm (lockfile)
    • PHP: Composer (lockfile)
    • Rust: Cargo (lockfile)
    • Ruby: Bundler (lockfile)
    • Python: Pip + Virtualenv (no lockfile?)
  8. @hayorov ✋ … requirements.txt
    • $ pip freeze > requirements.txt
    • Mismatch: “What you want installed” vs “what you need” installed.
    • A pre-flattened dependency tree is required in order to establish deterministic builds.
    • Tools like pip-tools were created to ease this pain.
  9. @hayorov Two Requirements Files
    $ cat req-to-freeze.txt
    Flask
    $ cat requirements.txt
    click==6.7
    Flask==0.12.2
    itsdangerous==0.24
    Jinja2==2.10
    MarkupSafe==1.0
    Werkzeug==0.14.1
  10. @hayorov Pipfile: New Standard
    • Pipfile replaces requirements.txt.
    • TOML format, so easy to read/write manually.
    • Two groups: [packages] and [dev-packages].
    • Will eventually land in Pip 19 has support for pyproject.toml
  11. @hayorov Resulting Pipfile.lock
    • JSON, so easily machine-parsable
    • Contains all transitive dependencies, pinned, with all acceptable hashes for each release.
    • Two groups:
      {
        “default”: …
        “develop”: …
      }
  12. @hayorov Pipenv Sales Pitch
    • Officially recommended tool from python.org.
    • Features: Pipfile/Pipfile.lock today.
    • Automates away virtualenv entirely.
    • Ensures deterministic build (inc. hash check verification).
    • Other useful tools: e.g. $ pipenv graph.
  13. @hayorov Downsides
    • Stability! Stability! Stability!
    • Pipenv is probably not the tool for building a library.
    • Pipenv update is really slow.
    • The dependency resolution will fail even if there is a solution.
    • Pipenv remote will not delete dependencies, only the package.
  14. @hayorov Poetry
    • v0.1.0 released in Feb, 2018 as the reaction to Pipenv issues.
    • Comes with exhaustive and fast dependency resolver.
    • Emphasis on semantic versioning and constraint specification (version “^1.4” instead of Pipenv “*”).
    • Easily build and package your projects: poetry publish.
  16. @hayorov So Now What?
    • Start a new project with Poetry
    • Already with Pipenv? Stay on it!
    • Be patient and wait for native support in Pip and Python
      PEP 518: Specifying Minimum Build System Requirements for Python Projects
      PEP 517: A build-system independent format for source trees
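
The Pipfile.lock properties from slides 11 and 12 (exact pins plus a list of acceptable hashes per release) can be checked mechanically. The following is an added example, not code from the deck or from Pipenv: the lock content, package bytes and function names are constructed for illustration, and only the "default"/"develop" layout with "version" and "hashes" keys is taken from the Pipfile.lock format.

```python
import hashlib
import json

def sha256_tag(data: bytes) -> str:
    """Return a digest in the 'sha256:<hex>' form used in Pipfile.lock."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def audit_lock(lock: dict) -> list:
    """List entries that are not pinned with '==' or carry no sha256 hash."""
    findings = []
    for group in ("default", "develop"):
        for name, entry in sorted(lock.get(group, {}).items()):
            version = entry.get("version", "")
            if not version.startswith("==") or "*" in version:
                findings.append((group, name, "not pinned to an exact version"))
            if not any(h.startswith("sha256:") for h in entry.get("hashes", [])):
                findings.append((group, name, "no sha256 hash recorded"))
    return findings

def artifact_allowed(lock: dict, group: str, name: str, data: bytes) -> bool:
    """True only if the artifact's digest is one of the hashes locked for the package."""
    entry = lock.get(group, {}).get(name)
    if entry is None:
        return False  # package is not in the lock file at all
    return sha256_tag(data) in entry.get("hashes", [])

# Constructed sample: stand-in bytes for a wheel and an sdist of the same release.
WHEEL = b"constructed wheel bytes for Flask 0.12.2"
SDIST = b"constructed sdist bytes for Flask 0.12.2"
TAMPERED = WHEEL + b" with an extra payload"

# Constructed lock content, round-tripped through JSON the way a lock file is read.
LOCK = json.loads(json.dumps({
    "default": {
        "flask": {"version": "==0.12.2", "hashes": [sha256_tag(WHEEL), sha256_tag(SDIST)]},
        "click": {"version": "==6.7", "hashes": []},      # pinned but unhashed
    },
    "develop": {
        "pytest": {"version": "*", "hashes": []},          # neither pinned nor hashed
    },
}))

if __name__ == "__main__":
    for finding in audit_lock(LOCK):
        print("FINDING:", *finding)
    print("wheel accepted:", artifact_allowed(LOCK, "default", "flask", WHEEL))
    print("tampered accepted:", artifact_allowed(LOCK, "default", "flask", TAMPERED))
```

A release usually has several acceptable hashes because the wheel and the sdist are different files; an artifact is accepted when it matches any one of them and rejected otherwise.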