Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pip download behaves differently for editable and non-editable VCS requirements #9338

Closed
sbidoul opened this issue Dec 23, 2020 · 7 comments · Fixed by #9274
Closed

pip download behaves differently for editable and non-editable VCS requirements #9338

sbidoul opened this issue Dec 23, 2020 · 7 comments · Fixed by #9274
Labels
C: download About fetching data from PyPI and other sources C: vcs pip's interaction with version control systems like git, svn and bzr state: needs discussion This needs some more discussion

Comments

@sbidoul
Copy link
Member

sbidoul commented Dec 23, 2020

Environment

  • pip version: 20.3.3
  • Python version: irrelevant
  • OS: irrelevant

Description

Assume the following requirements.txt:

-e git+https://github.com/pypa/packaging#egg=packaging

pip download -r requirements.txt does a VCS export, hence does not include the .git directory in the resulting zip file.

Without -e, the same pip download command produces a zip file that contains the .git directory.

Analysis

This VCS export mechanism was presumably done as a performance optimization. However it has correctness issues if the build backend requires the VCS information to prepare metadata (#9337).

Possible approaches:

  1. Remove the VCS export pip feature: this will be correct but may create performance issues in some scenarios that rely on it (with the presence of a possibly large .git directory in the resulting zip file and a larger download), this is done in Remove VCS export feature #9274.
  2. Do a VCS clone for preparing metadata (as it is currently done for non-editable VCS requirements), then do a VCS export (2a) to prepare the zip file, possibly using the local clone as a source (2b), or using the build backend to create a sdist (2c). This will have some performance implications, but produce smaller archives as output (i.e. without the .git directory), and produce the same result with and without -e.
  3. Keep the discrepancy and do not fix pip download of editable VCS requirements fails if requirement needs VCS information to prepare metadata #9337, reintroduce the distinction between pip wheel and pip download in order to fix pip wheel -e git+https:// does a git export instead of git clone #9273.
@sbidoul sbidoul added the state: needs discussion This needs some more discussion label Dec 23, 2020
@sbidoul sbidoul added C: download About fetching data from PyPI and other sources C: vcs pip's interaction with version control systems like git, svn and bzr labels Dec 23, 2020
@sbidoul
Copy link
Member Author

sbidoul commented Dec 23, 2020

I'm inclined to release (1) and then implement one of the variants in (2) if the output zip size issue proves to be a problem in practice. I could live with (3) although it's not very clean.

@sbidoul
Copy link
Member Author

sbidoul commented Dec 24, 2020

Noting that variants (2a) and (2b) will still produce crippled zip files if the build backend relies on VCS information.

@uranusjr
Copy link
Member

I wonder if shallow clone would be useful here. If not, reverting is the right approach IMO. Yes, this is create a performance issue, but we have other approaches to fix that (in-place build etc.), and people really should use pre-built distributions if they care about performance IMO.

@sbidoul
Copy link
Member Author

sbidoul commented Dec 27, 2020

For reference, shallow clones were discussed in #2432 and were rejected.

@uranusjr
Copy link
Member

#2432 rejected shallow clones for pip install because it would break setuptools-scm. But for pip download, the worse case scenario is the user need an additional git fetch, which I feel is an acceptable middle ground.

@uranusjr
Copy link
Member

I want to add that I’m by no means particularly in favour of any approach. It is perfectly fine IMO to always git clone the whole thing. Feel free to choose the solution you feel is best 🙂

@sbidoul
Copy link
Member Author

sbidoul commented Dec 27, 2020

Even for download, shallow clones will create issues with setuptools_scm (variants of #9337). FWIW, my group resolved that particular performance issue with git-autoshare. I think if pip ever needs to support shallow clones, that would be via a per-requirement option or something in the URL fragment, which would apply to all commands.

bors bot referenced this issue in duckinator/emanate Jan 31, 2021
215: Update pip to 21.0.1 r=duckinator a=pyup-bot


This PR updates [pip](https://pypi.org/project/pip) from **20.3.3** to **21.0.1**.



<details>
  <summary>Changelog</summary>
  
  
   ### 21.0.1
   ```
   ===================

Bug Fixes
---------

- commands: debug: Use packaging.version.parse to compare between versions. (`9461 &lt;https://github.com/pypa/pip/issues/9461&gt;`_)
- New resolver: Download and prepare a distribution only at the last possible
  moment to avoid unnecessary network access when the same version is already
  installed locally. (`9516 &lt;https://github.com/pypa/pip/issues/9516&gt;`_)

Vendored Libraries
------------------

- Upgrade packaging to 20.9
   ```
   
  
  
   ### 21.0
   ```
   =================

Deprecations and Removals
-------------------------

- Drop support for Python 2. (`6148 &lt;https://github.com/pypa/pip/issues/6148&gt;`_)
- Remove support for legacy wheel cache entries that were created with pip
  versions older than 20.0. (`7502 &lt;https://github.com/pypa/pip/issues/7502&gt;`_)
- Remove support for VCS pseudo URLs editable requirements. It was emitting
  deprecation warning since version 20.0. (`7554 &lt;https://github.com/pypa/pip/issues/7554&gt;`_)
- Modernise the codebase after Python 2. (`8802 &lt;https://github.com/pypa/pip/issues/8802&gt;`_)
- Drop support for Python 3.5. (`9189 &lt;https://github.com/pypa/pip/issues/9189&gt;`_)
- Remove the VCS export feature that was used only with editable VCS
  requirements and had correctness issues. (`9338 &lt;https://github.com/pypa/pip/issues/9338&gt;`_)

Features
--------

- Add ``--ignore-requires-python`` support to pip download. (`1884 &lt;https://github.com/pypa/pip/issues/1884&gt;`_)
- New resolver: Error message shown when a wheel contains inconsistent metadata
  is made more helpful by including both values from the file name and internal
  metadata. (`9186 &lt;https://github.com/pypa/pip/issues/9186&gt;`_)

Bug Fixes
---------

- Fix a regression that made ``pip wheel`` do a VCS export instead of a VCS clone
  for editable requirements. This broke VCS requirements that need the VCS
  information to build correctly. (`9273 &lt;https://github.com/pypa/pip/issues/9273&gt;`_)
- Fix ``pip download`` of editable VCS requirements that need VCS information
  to build correctly. (`9337 &lt;https://github.com/pypa/pip/issues/9337&gt;`_)

Vendored Libraries
------------------

- Upgrade msgpack to 1.0.2.
- Upgrade requests to 2.25.1.

Improved Documentation
----------------------

- Render the unreleased pip version change notes on the news page in docs. (`9172 &lt;https://github.com/pypa/pip/issues/9172&gt;`_)
- Fix broken email link in docs feedback banners. (`9343 &lt;https://github.com/pypa/pip/issues/9343&gt;`_)


.. note

    You should *NOT* be adding new change log entries to this file, this
    file is managed by towncrier. You *may* edit previous change logs to
    fix problems like typo corrections or such.

    To add a new change log entry, please see
        https://pip.pypa.io/en/latest/development/contributing/#news-entries

.. towncrier release notes start
   ```
   
  
  
   ### 20.3.4
   ```
   ===================

Features
--------

- ``pip wheel`` now verifies the built wheel contains valid metadata, and can be
  installed by a subsequent ``pip install``. This can be disabled with
  ``--no-verify``. (`9206 &lt;https://github.com/pypa/pip/issues/9206&gt;`_)
- Improve presentation of XMLRPC errors in pip search. (`9315 &lt;https://github.com/pypa/pip/issues/9315&gt;`_)

Bug Fixes
---------

- Fixed hanging VCS subprocess calls when the VCS outputs a large amount of data
  on stderr. Restored logging of VCS errors that was inadvertently removed in pip
  20.2. (`8876 &lt;https://github.com/pypa/pip/issues/8876&gt;`_)
- Fix error when an existing incompatibility is unable to be applied to a backtracked state. (`9180 &lt;https://github.com/pypa/pip/issues/9180&gt;`_)
- New resolver: Discard a faulty distribution, instead of quitting outright.
  This implementation is taken from 20.2.2, with a fix that always makes the
  resolver iterate through candidates from indexes lazily, to avoid downloading
  candidates we do not need. (`9203 &lt;https://github.com/pypa/pip/issues/9203&gt;`_)
- New resolver: Discard a source distribution if it fails to generate metadata,
  instead of quitting outright. This implementation is taken from 20.2.2, with a
  fix that always makes the resolver iterate through candidates from indexes
  lazily, to avoid downloading candidates we do not need. (`9246 &lt;https://github.com/pypa/pip/issues/9246&gt;`_)

Vendored Libraries
------------------

- Upgrade resolvelib to 0.5.4.
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/pip
  - Changelog: https://pyup.io/changelogs/pip/
  - Homepage: https://pip.pypa.io/
</details>



Co-authored-by: pyup-bot <github-bot@pyup.io>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 4, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
C: download About fetching data from PyPI and other sources C: vcs pip's interaction with version control systems like git, svn and bzr state: needs discussion This needs some more discussion
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants