Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix missing 'setuptools' requirement #121

Merged
merged 1 commit into from
Jul 27, 2019
Merged

Fix missing 'setuptools' requirement #121

merged 1 commit into from
Jul 27, 2019

Conversation

sinoroc
Copy link
Contributor

@sinoroc sinoroc commented Jul 17, 2019

The package 'pkg_resources' is part of the 'setuptools' project. The
project 'pip' (in its current version) vendors setuptools.

Since 'pipdeptree' currently uses pip's private internal API already,
we might as well use pip's vendored pkg_resources. This, of course,
might break if pip's internals change in a later version.

GitHub: #119

@sinoroc
Fix missing 'setuptools' requirement
f76ef35 
The package 'pkg_resources' is part of the 'setuptools' project. The
project 'pip' (in its current version) vendors setuptools.

Since 'pipdeptree' currently uses pip's private internal API already,
we might as well use pip's vendored pkg_resources. This, of course,
might break if pip's internals change in a later version.

GitHub: #119
@sinoroc
Copy link
Contributor Author

sinoroc commented Jul 17, 2019

It makes me a bit uneasy when I see code that relies on the internals (internal APIs, vendored libraries, etc.) of another project. It's really annoying that pip doesn't offer a stable public API. There are some other projects that can help though. setuptools / pkg_resources comes to mind obviously but there are also 'importlib_metadata', 'distlib', and some more I believe.

I had a quick look at getting rid of the dependency on 'pip' entirely. The first showstopper was the '--freeze' functionality. But this somehow seems redundant with pip's own freeze command. Maybe it's worth looking into it more seriously. Or alternatively get the pipdeptree features into pip directly.

@naiquevin
Copy link
Contributor

It makes me a bit uneasy when I see code that relies on the internals (internal APIs, vendored libraries, etc.) of another project. It's really annoying that pip doesn't offer a stable public API

Yeah, this tool relies on the pip internals but that's the only way it can do what pip does (and more). One improvement on this could be pip-shims [1,2] which I haven't had the time to look into. For now I have just accepted that we'd need to update code and release a new version if some thing changes in pip.

The other approach is to vendor pip and pkg_resources but I don't want to go down that path. This seems to a common problem with python's build/packaging tools, specially the low level ones such as pip and setuptools - they can't depend on other libraries because if pip is what helps install a package resolving all it's python dependencies, how would a user install pip itself if it has any python dependencies of it's own. Probably the reason why even pipenv has to vendor it's dependencies [3] (but I could be wrong here)

There are some other projects that can help though. setuptools / pkg_resources comes to mind obviously but there are also 'importlib_metadata', 'distlib', and some more I believe

pipdeptree aims to provide some additional functionality on top of what pip freeze provides. At present pip freeze uses pkg_resources to get installed distributions etc. In future that may change, and then pipdeptree might no longer be compatible with pip. So I am not in favour of using anything else directly.

I had a quick look at getting rid of the dependency on 'pip' entirely. The first showstopper was the '--freeze' functionality. But this somehow seems redundant with pip's own freeze command

This is not correct. With the --freeze flag in pipdeptree the output is still a tree of dependencies but it's also compatible with pip freeze (if you ignore the indents, which pip apparently does). So you can directly write it to requirements.txt file and pip can still work with it at the time of installing packages. The advantage is that by reading the requirements.txt file it's easy to visually figure out which ones are top-level packages and which ones are their sub-dependencies. You can even filter only the top-level packages using grep before writing the output to requirements.txt (an example of this is mentioned in the README [4])

1: https://pypi.org/project/pip-shims/
2: #106
3: https:/pypa/pipenv/tree/master/pipenv/vendor
4: https:/naiquevin/pipdeptree#using-pipdeptree-to-write-requirementstxt-file

@naiquevin naiquevin merged commit f76ef35 into tox-dev:master Jul 27, 2019
@sinoroc sinoroc deleted the fix-missing-setuptools branch August 20, 2019 21:04
@sinoroc
Copy link
Contributor Author

sinoroc commented Aug 18, 2020

Hey @naiquevin,

Out of this discussion, as some kind of challenge, I had started writing an alternative implementation that doesn't rely on pip's internal APIs, and eventually deptree came out of it. It relies on setuptools' pkg_resources package instead, whose API is public and stable.

Also I would link this pip feature request, since I think I had read somewhere here that you might be interested in integrating pipdeptree (or at least some parts of it) in pip proper.

Cheers!

@sinoroc sinoroc mentioned this pull request Aug 18, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sinoroc @naiquevin