[Zope3-dev] Re: Dealing with external dependencies

Tres Seaver tseaver at palladion.com
Thu Jul 19 13:36:16 EDT 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philipp von Weitershausen wrote:

> On 19 Jul 2007, at 00:43 , Jim Fulton wrote:

>> Depending on specific versions in library packages (as opposed to  
>> application packages or buildouts) is a recipe for disaster IMO.   
>> As soon as 2 packages depend on different externals, then those 2  
>> packages won't be usable together.
> 
> Good point.

But not necessarily avoidable:  if version 3 of library A depends on a
feature provided by version 5 of library B, but version 7 of library C
is incompatible with versions of library B > 4, then those versions of A
and C really *are* incompatible;  that isn't an accidental clash.

Library authors need to *minimize* their own depdendencies if they want
to maximize their library's usefulness:  that means avoiding depending
on newer versions of libraries without *very( strong need (degrading
gracefully, if possible).

Another problem:  the folks who manage your dependencies may not be very
good at it:

  - They may remove old release versions, making it impossible to
    satisfy your dependency.

  - They may *replace* a release version (even more evil than removing
    it).

  - They may screw up SVN or CVS repository history (e.g., 'svn rename'
    will cause even a revision-specific external / checkout to break).

>> In the long run, it might be better to only reuse packages that  
>> offer some backward compatibility promises. Depending on a specific  
>> version will make the dependent packages less reusable.
> 
> That makes sense. So, coming back to the real world: we have two  
> issues at hand. One is docutils, one is zope.testbrowser which  
> depends on mechanize and ClientForm (Adam is working on that, CCing  
> him as well).
> 
> With docutils I understand that it makes much sense to do this at  
> application level. With mechanize and ClientForm I'm not so sure.  
> What I *do* know is that the current situation (packaging them  
> *inside* the zope.testbrowser egg) isn't ideal (same goes for  
> twisted, btw).

That situation is a "fork", which may be the lesser of evils, depending
on how things work out, especially in the face of poor upstream release
hygeine.

> Should the next zope.testbrowser simply depend on any version of  
> mechanize and ClientForm?
> 
>>> [1] This problem has bitten us over at Grok because apparently  
>>> Ubuntu has decided to deploy docutils 0.4.1 which doesn't seem to  
>>> actually exist anywhere and therefore confuses zc.buildout. See  
>>> https://bugs.launchpad.net/grok/+bug/126742.
>> I'm fairly sure that this has nothing to do with version numbers.   
>> I suspect instead that it has something to do with the fact that  
>> all distributions are now installed as "develop eggs" on ubuntu.   
>> The locations of these eggs is actually site-packages. This sounds  
>> very wonky to me, but Phillip Eby says it is normal.
> 
> It's actually necessary (to install these things as eggs) because  
> many packages nowadays depend on entry points. One could argue,  
> obviously, that their location (site-packages) isn't ideal...

System pythons be damned.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGn6EQ+gerLs4ltQ4RAnJpAKCRI034pHc1a7MVLzblcS9Jegpn3QCfZgoW
lE838s0c37QPT7GOuXTDM0M=
=OW0w
-----END PGP SIGNATURE-----

More information about the Zope3-dev mailing list