[Bug 211073] devel/awscli: update to 1.10.46, devel/py-botocore: update to 1.4.36

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jul 13 09:17:32 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211073

Kubilay Kocak <koobs at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|patch-ready                 |needs-qa
                 CC|                            |python at FreeBSD.org
             Status|New                         |Open

--- Comment #1 from Kubilay Kocak <koobs at FreeBSD.org> ---
TL:DR The dependency specs need to be changed to to ">=" in setup.py

Python upstreams often (blindly) pin their dependencies in their released
packages, usually to help avoid users inadvertently installing (with pip)
*potentially* incompatible versions.

Other projects sometimes use >=X.Y,<Z.0, which is a little better, but assumes
API's are not broken within minor versions (which does happen).

Most Python projects understand that release packages and package/application
deployment, where one wants to pin all dependencies by default, are two
separate things, and use >= for their released (to PyPI) packages. These
projects end up ahead of the curve, as they invariably end up knowing (if
they're using CI) before releasing that a dependency of theirs breaks API,
minimising the failure window for users.

These exact version dependencies are untenable within ports, as multiple
concurrent versions of Python ports/packages are not available for users to
install, only the latest version. With the current == lines, devel/awscli will
fail if botocore is ever updated. Whether or not they're currently maintained
by the same person or always updated together is immaterial.

It's very unlikely that there is always an *exact* and *only* dependence on a
specific version of botocore. If there is, awscli should vendor the code.

For the project in question, its probably better for them to unpin those
dependencies for development and release purposes, so that they can test (CI)
their code against the latest version of them at all times.

I'd suggest opening an issue upstream and asking them to use >= (or at least
>=, < X.0) as their default.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-ports-bugs mailing list