On 06/04/2018 20:41, Chris Barker wrote:
> On Fri, Apr 6, 2018 at 1:47 AM, Chris Withers <ch...@withers.org> wrote:
> Right, but how do you make sure the .yml file matches what
> you actually have installed?
>
it's guaranteed to match WHEN you do the export, of course.
Right, I guess my point was that other tools are starting to take the
approach that it should never be possible for these files to be stale,
and that feels right to me.
> does pip or virtualenv really do that? It sure didn't before I gave up
> on virtualenv :-)
pipenv does, npm does, and I'm pretty sure Rust's cargo does. The "spec +
lock" file pattern is one that makes more sense the more I think about it.
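For concreteness, the pair might look something like this (package names
and versions here are purely illustrative, not from any real project):

```yaml
# environment.yaml -- the hand-edited spec: top-level deps, loose invariants
name: myproject
dependencies:
  - python >=3.6
  - requests >=2.18

# environment.lock.yaml -- generated from "conda env export": everything
# pinned exactly, transitive dependencies included
name: myproject
dependencies:
  - python=3.6.5
  - requests=2.18.4
  - certifi=2018.1.18
```

You edit the first by hand; the second is only ever generated.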
> I can see the logic, but I still think it's at the wrong point in your
> workflow. Saying "this is the official deployment environment" should be
> a pretty deliberate step.
I don't want to labour the point, but yes, that step would be when you
check the .lock file into your source control.
> Imagine multiple developers -- each manipulating their environments on
> the fly differently - seems ripe for confusion and error.
Yes, multiple developers installing different packages into a project is
a situation ripe for confusion and error; at least having that presented
to you as a merge conflict when you try to push a branch makes you aware
of it ;-)
> and if multiple developers then you have a two-way street:
>
> developer A makes changes to their environment -- the environment.yaml
> file updates itself.
>
> developer B makes different changes to their environment -- the
> environment.yaml file updates itself.
>
> They both merge into master
>
> now we have devA's environment, devB's environment, and a third merged
> version (which could be broken with merge conflicts...)
It's one project though? What would you like to have happen in this
situation, ignoring the implementation details I proposed?
> devs A and B do a pull.
>
> now the environment file is out of date with the developer's environment....
That is a good point, and one I don't have a good answer for...
> Does the environment somehow magically update itself???
...with a git post-pull hook it could, which might actually make sense.
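To sketch what such a hook might look like (a sketch only: it assumes
conda is on PATH and uses the environment.lock.yaml name from my
proposal; a real hook script would end by calling main()):

```python
#!/usr/bin/env python
"""Sketch of a git post-merge hook (.git/hooks/post-merge) that warns when
your conda environment has drifted from environment.lock.yaml after a pull."""
import subprocess
import sys


def normalise(yaml_text):
    """Reduce exported environment text to a comparable set of dependency
    lines, ignoring ordering and non-dependency keys such as 'prefix:'."""
    deps = set()
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("- "):
            deps.add(stripped[2:])
    return deps


def environments_match(exported, locked):
    return normalise(exported) == normalise(locked)


def main():
    # Export the live environment and compare it against the checked-in lock.
    exported = subprocess.run(
        ["conda", "env", "export"], capture_output=True, text=True, check=True
    ).stdout
    with open("environment.lock.yaml") as f:
        locked = f.read()
    if not environments_match(exported, locked):
        sys.stderr.write(
            "warning: environment is out of date with environment.lock.yaml; "
            "run 'conda env update -f environment.lock.yaml'\n"
        )
```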
> I'm not sure I've arrived at the "best" way to do it, but I currently
> use a conda_requirements.txt for development, which specifies only the
> top-level packages and not all pinned down (i.e. >=)
Apologies for the pedantry, but it might be important: "pinned down"
would be ==, as in your environment.yaml; invariants that *must* be met,
such as >=, are what I'd expect to see in your conda_requirements.txt.
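To make the pedantry concrete, a toy sketch (dotted-integer versions
only; a real tool would use proper version parsing, pre-releases and all):

```python
def parse(version):
    """Toy version parser: dotted integers only (no pre-releases, epochs,
    or local versions -- illustration, not a real comparison scheme)."""
    return tuple(int(part) for part in version.split("."))

# An invariant like >=2.18 is satisfied by a whole range of versions,
# so it belongs in the editable spec (conda_requirements.txt):
assert parse("2.18.0") >= parse("2.18")
assert parse("2.19.3") >= parse("2.18")

# A pin like ==2.18.4 is satisfied by exactly one version,
# so it belongs in the generated lock file (environment.yaml, in your setup):
assert parse("2.18.4") == parse("2.18.4")
assert parse("2.19.0") != parse("2.18.4")
```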
> and then a separate
> environment.yaml file to fully lock it down for the production environment.
This sounds a lot like what I'm proposing :-)
> This means that each developer on the project may not be using the exact
> same packages, but we can push a fully tested environment for deployment.
I'd hope you use your environment.yaml for CI testing before a deploy?
What do you do to ensure it isn't out of date? (I've had problems in the
past with files like this becoming stale, a dependency then floating in
the deployment, picking up a new major release never seen in CI and
causing bugs...)
> And having the developers have a bit more flexibility helps us keep
> dependencies up to date and catch the bugs that that introduces.
Interesting! I've found having all devs working off exactly the same
packages reduces bugs and confusion, but I would observe that it means
we tend to stick on older versions of packages for longer.
> but it is kinda ugly to keep all that in sync.
"picky lock" would be my proposal.
> Hmm -- we have actually put in some kludgy run time check code for
> versions of our in-house-under development deps.
>
> Maybe we should do the same for all deps, pulling from a single
> requirements file.
I think that's what I'm proposing, would you be interested in trying
picky once I've coded it up?
> "picky lock" would take options in an environment.yaml section
> (assuming conda ignores top-level keys it doesn't understand), and
> use them to massage the output of "conda env export" into an
> environment.lock.yaml that could be used to conda env create/update
> for reproducible builds.
>
> "picky check" would be the same as lock but would just whine if the
> environment.lock.yaml it generates doesn't match the one on disk.
>
>
> I'm still confused about what a "lock" is in this context, but I think
> you're going in the right direction.
Your "conda_requirements.txt" is my "environment.yaml"
Your "environment.yaml" is my "environment.lock.yaml".
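So "picky lock" / "picky check" could be sketched roughly like this (a
hedged sketch: the exclude option, and reading it from a "picky:" section
of environment.yaml, are my guesses at what the "massaging" would
involve, not settled design):

```python
def massage_export(exported, exclude=()):
    """Turn 'conda env export' output into lock-file text: drop the
    machine-specific 'prefix:' line and any packages named in `exclude`
    (which the real tool would read from a 'picky:' section of
    environment.yaml -- an assumed detail)."""
    kept = []
    for line in exported.splitlines():
        stripped = line.strip()
        if stripped.startswith("prefix:"):
            continue
        if stripped.startswith("- "):
            name = stripped[2:].split("=")[0]
            if name in exclude:
                continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def check(exported, lock_on_disk, exclude=()):
    """'picky check': return False (i.e. whine) if the lock file we would
    generate doesn't match the one on disk."""
    return massage_export(exported, exclude) == lock_on_disk
```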
> I've always wanted to do some kind of run-time checking -- run your
> test code, and see what's in sys.modules -- those are your deps. Mapping
> that to pip or conda packages is a different story, however...
Indeed!
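The sys.modules half really is easy, though -- it's the mapping back to
package names that's hard (e.g. the module "yaml" comes from the package
PyYAML). A sketch of the easy half:

```python
import sys


def imported_top_level_modules():
    """Snapshot of top-level module names currently imported -- call this
    after running your test suite to see what your code actually pulled
    in.  Mapping these names to pip/conda package names is the unsolved
    part."""
    return sorted({name.split(".")[0] for name in sys.modules
                   if not name.startswith("_")})


import json  # stand-in for a dependency your tests exercise
assert "json" in imported_top_level_modules()
```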
cheers,
Chris