[Zope3-dev] Dealing with external dependencies

[Philipp von Weitershausen]

Up until now we've been a bit sloppy when it came to egg dependencies. 
Not specifying a version number or range basically means that the code 
in question assumes it will work with any future version of its 
dependency. Admittedly, setuptools doesn't exactly make it easy to say 
"I depend on ZODB 3.8.x". Jim has proposed to add a syntax to setuptools 
to support this nicely but it's not there yet. So I guess we'll have to 
wait for that.

Things are a bit different with external dependencies (docutils, 
mechanize, ClientForm, twisted, etc.), I think. They bear a higher risk 
of breaking stuff for us in future releases, even if they're just minor 
releases, because we don't control them and their developers probably 
don't test their stuff with our code [1]. Back in the old days, we would 
do vendor imports or use revision tags for the externals. This was 
basically the equivalent of depending on a specific, well-known working 
version of the external package.

I propose to do the same for the external dependencies we have. So far I 
only count docutils as an actual egg dependency because mechanize, 
ClientForm and twisted are still packaged up in the egg that uses them 
(we should change that, too). I will therefore change zope.app.renderer 
to depend on docutils==0.4, unless there are objections.



[1] This problem has bitten us over at Grok because apparently Ubuntu 
has decided to deploy docutils 0.4.1 which doesn't seem to actually 
exist anywhere and therefore confuses zc.buildout. See 
https://bugs.launchpad.net/grok/+bug/126742.

-- 
http://worldcookery.com -- Professional Zope documentation and training