taskcluster-client.py dependency pinning

Aki Sasaki

Mar 12, 2019, 6:27:07 PM
to tools-taskcluster
Hi all,

Currently taskcluster-client.py loosely pins its upstream dependencies, like
requests>=2.4.3,<3 . As long as upstream dependencies adhere to semantic
versioning, this should catch any breaking changes before they hit
downstream users.

In practice, we've found these pins prevent us from using new versions of
dependencies, and only sometimes help prevent downstream bustage. Because
treeherder and various releng repos use pyup to automatically update
dependencies, these pins add overhead on a weekly basis.

We're currently thinking about unpinning the dependencies in
taskcluster-client.py, and pushing that responsibility down to the users of
the library. This means we'll have more freedom to choose our dependency
versions, but we'll also have more responsibility to make sure those
dependency changes don't break us.

Are there any thoughts, concerns, or questions about this? If we agree, here
<https://github.com/taskcluster/taskcluster-client.py/pull/130> is the PR
to unpin deps in taskcluster-client.py.

Some previous threads on the matter are at
https://bugzilla.mozilla.org/show_bug.cgi?id=1531021#c7 and
https://github.com/taskcluster/taskcluster-client.py/issues/87#issuecomment-468519489
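
The range quoted in the first message, as an added example (not code from taskcluster-client.py or from this thread): a minimal evaluator showing which versions `>=2.4.3,<3` admits and which downstream pins it rejects. The candidate versions are constructed, and the parser handles only dotted-integer versions and six comparison operators, not full PEP 440.

```python
import re

# Added illustration: evaluates simple numeric version ranges only.
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"^\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text, width=4):
    """'2.4.3' -> (2, 4, 3, 0); zero-padded so that '3' equals '3.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def parse_range(spec):
    """Turn '>=2.4.3,<3' into a list of (operator, version) clauses."""
    clauses = []
    for part in spec.split(","):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def allows(spec, version):
    """True if every clause of the range accepts the version."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


def check_downstream(library_spec, downstream_pins):
    """Return the downstream pins that the library's range rejects."""
    return [pin for pin in downstream_pins if not allows(library_spec, pin)]


LIBRARY_SPEC = ">=2.4.3,<3"  # the range quoted in the message
# Constructed pins an automatic updater might propose; 3.0.0 is hypothetical.
CANDIDATES = ["2.4.2", "2.4.3", "2.21.0", "3.0.0"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c, "ok" if allows(LIBRARY_SPEC, c) else "conflict")
```

A pin reported as a conflict is one a downstream project cannot install alongside the library until the library's own range changes.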

Aki Sasaki

Mar 21, 2019, 6:59:11 PM
to tools-taskcluster
Following up: I landed the PR
<https://github.com/taskcluster/taskcluster-client.py/pull/130> and pushed
a taskcluster-client.py 7.0.1 release. Downstream users should have fewer
dependency pinning issues.