RFC: Adding a `pip check` command

wil...@editd.com

Jun 24, 2013, 6:56:23 AM
to pypa...@googlegroups.com
Hi all

I've opened a pull request on pip: https://github.com/pypa/pip/pull/1001 and I'd appreciate your thoughts, since I'm proposing a new top-level command.

I'd like to add a `pip check` command that verifies that all the current installed packages have all the dependencies they need. This command should verify that all required dependencies are present, and that those dependencies have compatible versions.

Rationale: it's very easy to write a requirements.pip file that installs packages with broken dependencies: https://github.com/pypa/pip/issues/775 -- this has occurred to me in practice. pip also doesn't warn you if you manually uninstall a dependency, or manually install an incompatible version of a package.

It might be nice to make pip stricter, but it would be extremely helpful to have some way to verify that the current state of installed packages is correct.

I hope this isn't too controversial a suggestion. I'd really appreciate any thoughts you have on this, or ways it could be improved.

Wilfred

Sebastien Douche

Jun 24, 2013, 7:12:50 AM
to wil...@editd.com, pypa...@googlegroups.com
On Mon, Jun 24, 2013 at 12:56 PM, <wil...@editd.com> wrote:
> Hi all

Hi Wilfred

> Rationale: it's very easy to write a requirements.pip file that installs
> packages with broken dependencies: https://github.com/pypa/pip/issues/775 --
> this has occurred to me in practice. pip also doesn't warn you if you
> manually uninstall a dependency, or manually install an incompatible version
> of a package.

Why not add the checking in the installation process too?

> It might be nice to make pip stricter, but it would be extremely helpful to
> have some way to verify that the current state of installed packages is
> correct.

+1


--
Sebastien Douche <sdo...@gmail.com>
Twitter: @sdouche / G+: +sdouche

anatoly techtonik

Oct 30, 2013, 7:43:20 AM
to pypa...@googlegroups.com
On Monday, June 24, 2013 1:56:23 PM UTC+3, wil...@editd.com wrote:
> Hi all
>
> I've opened a pull request on pip: https://github.com/pypa/pip/pull/1001 and I'd appreciate your thoughts, since I'm proposing a new top-level command.
>
> I'd like to add a `pip check` command that verifies that all the current installed packages have all the dependencies they need. This command should verify that all required dependencies are present, and that those dependencies have compatible versions.

What should the output look like? Can you paste an example with the command line and output on a real system?

> Rationale: it's very easy to write a requirements.pip file that installs packages with broken dependencies: https://github.com/pypa/pip/issues/775 -- this has occurred to me in practice.

So, the exact thing that you really want to do (original use case) is to validate if given requirements.txt doesn't conflict with requirements for already installed packages. For that your command should accept `-r argument` IMHO.

> pip also doesn't warn you if you manually uninstall a dependency, or manually install an incompatible version of a package.

Good catch. I think this should be fixed in `pip` first. Is there any ticket for that?

> It might be nice to make pip stricter, but it would be extremely helpful to have some way to verify that the current state of installed packages is correct.
>
> I hope this isn't too controversial a suggestion. I'd really appreciate any thoughts you have on this, or ways it could be improved.

I am +1 for 'pip check', but my (original use case) is different. I want it to check status of packages in requirements.txt:
 1. if listed package is installed (show 'not installed' or the version)
 2. if installed package satisfies requirement ([x] if yes, '   ' if not)
 3. if there is an updated version of the package (show new version if available, nothing if not, '----' if package is not installed from PyPI)

  $ pip check -r requirements.txt
  |package 1 |  0.1a |   [x]  |  ----  |
  |package 2 |       |        |  0.1   |
  |pkg 3     |  2.3  |        |        |

If columns are too excessive for someone, the output should be turnable on/off with command line switches.
-- 
anatoly t. 

Wilfred Hughes

Dec 13, 2013, 1:04:52 PM
to anatoly techtonik, pypa...@googlegroups.com
Realised I missed this email, sorry for the delay.


> What should the output look like? Can you paste an example with the command line and output on a real system?

$ pip install flask==0.10.1
$ pip install jinja2==2.3
$ pip check
Flask 0.10.1 has requirement Jinja2>=2.4, but you have Jinja2 2.3.


> So, the exact thing that you really want to do (original use case) is to validate if given requirements.txt doesn't conflict with requirements for already installed packages.

I just want to verify that my environments are in a consistent state. Verifying a requirements.txt is much more complex.

Consider the following packages:
A v1.0 depends on B v1.0+
B v1.0 depends on C v1.0
B v2.0 depends on C v2.0

Now consider the following requirements.txt:
A==1.0
C>1.0

To verify these requirements are feasible, we'd have to look at all the possible versions of B that could satisfy A in order to find a version that works with the requirement for C. This is much more complex, and I believe pip does not do this checking anywhere.

Checking the currently installed packages is a much simpler task, as we only need to consider the dependencies as they are currently installed.

> Good catch. I think [manual install/uninstall breaking packages] should be fixed in `pip` first. Is there any ticket for that?

It would be good to fix this too. Inconsistent environments already exist in the wild; I thought the first step would be to help users fix their environments. I'm not sure if the maintainers are interested in merging this feature though, or if there are any additional changes I need to make.

Wilfred
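
Added example (not part of the original thread, and not pip's code): the contrast drawn in the message above, with `check` doing a single pass over an installed set and `resolve` backtracking over candidate versions to test whether a requirements list is feasible. `INDEX` is constructed from the A/B/C example, versions are simplified to dotted integers, and the "not installed" message wording is an assumption.

```python
import operator
import re

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le,
       ">": operator.gt, "<": operator.lt}

# Constructed index mirroring the A/B/C example: name -> version -> requirements.
INDEX = {
    "A": {"1.0": ["B>=1.0"]},
    "B": {"1.0": ["C==1.0"], "2.0": ["C==2.0"]},
    "C": {"1.0": [], "2.0": []},
}

def ver(text):
    return tuple(int(part) for part in text.split("."))

def parse(req):  # 'B>=1.0' -> ('B', '>=', (1, 0)); a bare name has op None
    name, op, version = re.fullmatch(r"([\w-]+)(?:(==|>=|<=|>|<)([\d.]+))?", req).groups()
    return name, op, ver(version) if version else None

def satisfies(version, req):
    _, op, want = parse(req)
    return op is None or OPS[op](ver(version), want)

def check(installed, index=INDEX):  # one pass over {name: version}, no search
    problems = []
    for name, version in sorted(installed.items()):
        for req in index[name][version]:
            dep = parse(req)[0]
            have = installed.get(dep)
            if have is None:
                problems.append(f"{name} {version} requires {dep}, which is not installed.")
            elif not satisfies(have, req):
                problems.append(f"{name} {version} has requirement {req}, but you have {dep} {have}.")
    return problems

def resolve(reqs, index=INDEX, chosen=None):
    """Feasibility check: backtrack over candidate versions; returns {name: version} or None."""
    chosen = dict(chosen or {})
    if not reqs:
        return chosen
    req, rest = reqs[0], list(reqs[1:])
    name = parse(req)[0]
    if name in chosen:  # already pinned on this branch: must agree, else backtrack
        return resolve(rest, index, chosen) if satisfies(chosen[name], req) else None
    for version in sorted(index.get(name, {}), key=ver, reverse=True):
        if satisfies(version, req):
            found = resolve(rest + index[name][version], index, {**chosen, name: version})
            if found is not None:
                return found
    return None
```

With the thread's requirements, `resolve(["A==1.0", "C>1.0"])` has to pick B 2.0 to make C 2.0 acceptable, while `check` only ever compares what is already installed.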

anatoly techtonik

Jan 14, 2014, 3:26:57 AM
to pypa...@googlegroups.com, anatoly techtonik
On Friday, December 13, 2013 9:04:52 PM UTC+3, Wilfred Hughes wrote:
> Realised I missed this email, sorry for the delay.

No problem. That means the question is still actual over time.

> > What should the output look like? Can you paste an example with the command line and output on a real system?
>
> $ pip install flask==0.10.1
> $ pip install jinja2==2.3
> $ pip check
> Flask 0.10.1 has requirement Jinja2>=2.4, but you have Jinja2 2.3.

Two comments:
1. If I understand this use case correctly, it is a bug in pip - it should not give users ability to break their installation without a force flag.
2. The message is human friendly, but it should also be machine parseable; it may be worth writing a spec.

> > So, the exact thing that you really want to do (original use case) is to validate if given requirements.txt doesn't conflict with requirements for already installed packages.
>
> I just want to verify that my environments are in a consistent state. Verifying a requirements.txt is much more complex.

Before "burning" `pip check` for your use case, do you think that verifying requirements.txt is also a useful scenario?

> Consider the following packages:
> A v1.0 depends on B v1.0+
> B v1.0 depends on C v1.0
> B v2.0 depends on C v2.0
>
> Now consider the following requirements.txt:
> A==1.0
> C>1.0
>
> To verify these requirements are feasible, we'd have to look at all the possible versions of B that could satisfy A in order to find a version that works with the requirement for C. This is much more complex, and I believe pip does not do this checking anywhere.

I am sure this problem was approached a dozen times for every package manager. Somebody just needs to sum up existing knowledge and port solvers from C to Python.

> Checking the currently installed packages is a much simpler task, as we only need to consider the dependencies as they are currently installed.
>
> > Good catch. I think [manual install/uninstall breaking packages] should be fixed in `pip` first. Is there any ticket for that?
>
> It would be good to fix this too. Inconsistent environments already exist in the wild; I thought the first step would be to help users fix their environments. I'm not sure if the maintainers are interested in merging this feature though, or if there are any additional changes I need to make.

I am interested in 'pip check' with the following functionality.
# check if requirements are satisfied in current environment
> pip check requirements requirements.txt
# list all packages with new Y.Z version from x.Y.Z
> pip check updates
# list all packages with newer versions
> pip check updates -a
# list all local packages with security issues (CVE check etc.)
> pip check updates -s
# check local repository? for consistency (your case)
> pip check consistency

There could be more.