Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] Poetry needs a reproducible install for itself #4689

Closed
2 tasks done
awilkins opened this issue Oct 29, 2021 · 4 comments
Closed
2 tasks done

[Feature] Poetry needs a reproducible install for itself #4689

awilkins opened this issue Oct 29, 2021 · 4 comments
Labels
kind/feature Feature requests/implementations

Comments

@awilkins
Copy link

  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have searched the documentation and believe that my question is not covered.

Feature Request

When installed, Poetry installs the latest available versions of packages in it's dependency graph.

This has lead to multiple occasions where even when installing a specific version of the Poetry client, differences in the installed libraries have lead to an inconsistent experience.

It's quite ironic for a tool which promotes reproducible builds through the use of a lockfile that it should suffer from breakages caused by installing itself via pip.

Given the purpose of Poetry (and poetry-core), it's very likely to be installed and used in a CI pipeline, where stability and reliability are strong concerns. I humbly submit that installing Poetry and poetry-core should be a reproducible act for a given version number.

Suggest that this may be achievable by (preferring the first)

  • Having a poetry build mode that outputs a setup.py with frozen dependency specifications based on the lock file
    • and using this mode for subsequent releases of poetry and poetry-core
  • Using the output of pip freeze for install-poetry.py instead of
        if self._git:
            specification = "git+" + version
        elif self._path:
            specification = version
        else:
            specification = f"poetry=={version}"

        subprocess.run(
            [str(python), "-m", "pip", "install", specification],
@awilkins awilkins added kind/feature Feature requests/implementations status/triage This issue needs to be triaged labels Oct 29, 2021
@finswimmer
Copy link
Member

Hello @awilkins,

the recommended installation method for poetry is the install-poetry.py or get-poetry.py install script. Both make use of the lock file.

fin swimmer

@awilkins
Copy link
Author

awilkins commented Oct 29, 2021
edited
Loading

Both make use of the lock file.

I pulled install-poetry.py today. I think this is the relevant function.

    def install_poetry(self, version: str, env_path: Path) -> None:
        self._overwrite(
            "Installing {} ({}): {}".format(
                colorize("info", "Poetry"),
                colorize("b", version),
                colorize("comment", "Installing Poetry"),
            )
        )

        if WINDOWS:
            python = env_path.joinpath("Scripts/python.exe")
        else:
            python = env_path.joinpath("bin/python")

        if self._git:
            specification = "git+" + version
        elif self._path:
            specification = version
        else:
            specification = f"poetry=={version}"

        subprocess.run(
            [str(python), "-m", "pip", "install", specification],
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            check=True,
        )

Could you point out where it makes use of the lockfile here, because I'm not seeing it? Is this the wrong routine?

@finswimmer
Copy link
Member

Ah, sorry. Looks like a was to fast with my answer (shouldn't answer during my vacation 😄)

Pinning of the dependency was done by vendoring when using the get-poetry. py script.

With the new installer script we do not vendor the dependencies anymore. Taking the lock file into account is also not possible during installation, because this would require to have poetry installed.

@tom-bowles
Copy link

We deploy our poetry-developed applications by first installing a requirements.txt that we generate from the lock file using poetry export. Then we install the wheel. This gives us dependencies that match the lock file without requiring poetry on the deployment machine.

I am in the process of writing a custom install script for the users I support that does the same thing for poetry itself, because we have no choice but to pin both poetry and poetry-core due to a series of releases that are severely broken on Windows (please could somebody give my one-line PR #4682 some love?). Until I complete this custom script, our poetry installation process is to:

  • Use install-poetry.py with the --version parameter to install version 1.1.6
  • Use pip3.exe from in poetry's venv to --force-reinstall poetry-core to version 1.0.4

Requirements.txt based pinning of dependencies in the installer would be awesome. An alternative (not saying if it's necessarily better) would be to implement the feature discussed in #2778 and use it for poetry itself.

@python-poetry python-poetry locked and limited conversation to collaborators Oct 30, 2021
@abn abn closed this as completed Oct 30, 2021
@abn abn removed the status/triage This issue needs to be triaged label Mar 3, 2022

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Assignees
No one assigned
Labels
kind/feature Feature requests/implementations
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@abn @awilkins @finswimmer @tom-bowles