[Zope3-dev] Dealing with external dependencies

Jim Fulton jim at zope.com
Wed Jul 18 18:43:18 EDT 2007 

On Jul 18, 2007, at 5:24 PM, Philipp von Weitershausen wrote:

> Up until now we've been a bit sloppy when it came to egg  
> dependencies. Not specifying a version number or range basically  
> means that the code in question assumes it will work with any  
> future version of its dependency. Admittedly, setuptools doesn't  
> exactly make it easy to say "I depend on ZODB 3.8.x". Jim has  
> proposed to add a syntax to setuptools to support this nicely but  
> it's not there yet. So I guess we'll have to wait for that.

Heads up: I've come to think that depending on major revisions/series  
isn't going to work.  I'll say more about that in a separate thread  
though.

> Things are a bit different with external dependencies (docutils,  
> mechanize, ClientForm, twisted, etc.), I think. They bear a higher  
> risk of breaking stuff for us in future releases, even if they're  
> just minor releases, because we don't control them and their  
> developers probably don't test their stuff with our code [1].

Yes.

> Back in the old days, we would do vendor imports or use revision  
> tags for the externals.

This was at the monolithic zope checkout level.


> This was basically the equivalent of depending on a specific, well- 
> known working version of the external package.

I'm not sure what you mean here.  The equivalent to what we did  
before is to depend on specific versions at the *application* level,  
by fixing a version in a application meta package or in a buildout.

> I propose to do the same for the external dependencies we have. So  
> far I only count docutils as an actual egg dependency because  
> mechanize, ClientForm and twisted are still packaged up in the egg  
> that uses them (we should change that, too). I will therefore  
> change zope.app.renderer to depend on docutils==0.4, unless there  
> are objections.

Depending on specific versions in library packages (as opposed to  
application packages or buildouts) is a recipe for disaster IMO.  As  
soon as 2 packages depend on different externals, then those 2  
packages won't be usable together.

In the long run, it might be better to only reuse packages that offer  
some backward compatibility promises. Depending on a specific version  
will make the dependent packages less reusable.


> [1] This problem has bitten us over at Grok because apparently  
> Ubuntu has decided to deploy docutils 0.4.1 which doesn't seem to  
> actually exist anywhere and therefore confuses zc.buildout. See  
> https://bugs.launchpad.net/grok/+bug/126742.

I'm fairly sure that this has nothing to do with version numbers.  I  
suspect instead that it has something to do with the fact that all  
distributions are now installed as "develop eggs" on ubuntu.  The  
locations of these eggs is actually site-packages. This sounds very  
wonky to me, but Phillip Eby says it is normal.  I'd be interested in  
following up on this offline or in a separate thread.

Jim

--
Jim Fulton			mailto:jim at zope.com		Python Powered!
CTO 				(540) 361-1714			http://www.python.org
Zope Corporation	http://www.zope.com		http://www.zope.org

More information about the Zope3-dev mailing list