acoustic-librarian-3937
02/24/2022, 4:31 PM
ERROR: Links are not allowed as constraints means?

happy-kitchen-89482
02/24/2022, 4:44 PM

enough-analyst-54434
02/24/2022, 4:44 PM

acoustic-librarian-3937
02/24/2022, 4:58 PM

enough-analyst-54434
02/24/2022, 4:59 PM

acoustic-librarian-3937
02/24/2022, 5:01 PM
boto3 @ file:///Users/rmulcahy/Library/Caches/pypoetry/artifacts/ff/2e/6c/7b182c791dc935494d3a1b73699181129dcfb6f38eec4532ddc91e9901/boto3-1.20.42-py3-none-any.whl

enough-analyst-54434
02/24/2022, 5:03 PM

acoustic-librarian-3937
02/24/2022, 5:12 PM
pip freeze --all

enough-analyst-54434
02/24/2022, 5:13 PM

acoustic-librarian-3937
02/24/2022, 5:13 PM

enough-analyst-54434
02/24/2022, 5:13 PM
pip freeze just prints what is installed in your venv. That information can be used by:
-r, --requirement <file> Install from the given requirements file. This option can be used multiple times.
but it can no longer always be used by:
-c, --constraint <file> Constrain versions using the given constraints file. This option can be used multiple times.
because a file path is not a version.

acoustic-librarian-3937
02/24/2022, 5:15 PM
#!/usr/bin/env bash
# https://www.pantsbuild.org/docs/python-third-party-dependencies#tip-set-up-a-virtual-environment-optional
# this script was modified to use `virtualenv` instead of `venv`
# this script was modified to check if `jq` is installed
set -euo pipefail
set -x
if ! command -v jq &> /dev/null
then
  echo "jq could not be found"
  # Exit non-zero so a caller sees that the script did not run.
  exit 1
fi
# You can change these constants.
PYTHON_BIN=python3
VIRTUALENV=build-support/.venv
REQUIREMENTS_FILE=requirements.txt
CONSTRAINTS_FILE=constraints.txt
"${PYTHON_BIN}" -m virtualenv --version || "${PYTHON_BIN}" -m pip install virtualenv
"${PYTHON_BIN}" -m virtualenv "${VIRTUALENV}"
. "${VIRTUALENV}"/bin/activate
pip install --upgrade pip
# Install all our requirements.txt, and also any 3rdparty
# dependencies specified outside requirements.txt, e.g. via a
# handwritten python_requirement_library target.
pip install \
  -r "${REQUIREMENTS_FILE}" \
  -r <(./pants dependencies :: |
    xargs ./pants filter --target-type=python_requirement |
    xargs ./pants peek |
    jq -r '.[]["requirements"][]')
echo "# Generated by build-support/generate_constraints.sh on $(date)" > "${CONSTRAINTS_FILE}"
pip freeze --all >> "${CONSTRAINTS_FILE}"

Should I modify this to generate my constraints file differently?

enough-analyst-54434
02/24/2022, 5:18 PM

acoustic-librarian-3937
02/24/2022, 5:21 PM

hundreds-father-404
02/24/2022, 5:23 PM
[python].resolves feature that has several improvements over [python].requirement_constraints. One of them is it installs the "lockfile" by using -r lock.txt rather than -c constraints.txt, which means that the file you have generated from pip freeze will work. Upgrade to Pants 2.10.0rc1 and run ./pants help-advanced python for more info.
Now, you wouldn't be able to use Pants's generate-lockfiles goal to generate the lockfile for you, which is what we intend when using this resolves feature. That's because it does not yet support VCS & local requirements. You'd need to set [python].invalid_lockfile_behavior = 'ignore', and continue to manually manage the lockfile with your current workflow.
Your lockfile also could not have --hash in it, which is to reduce risk of supply chain attacks. That's because of a pip limitation that if one entry has --hash, everything must.
@enough-analyst-54434 has been leading a project to teach PEX to generate lockfiles a la pip. He's sketched out some thoughts on how to get Pex to support VCS/local requirements in a lockfile, which would be state-of-the-art https://github.com/pantsbuild/pex/issues/1556

enough-analyst-54434
02/24/2022, 5:24 PM

acoustic-librarian-3937
02/24/2022, 5:27 PM

enough-analyst-54434
02/24/2022, 5:27 PM

acoustic-librarian-3937
02/24/2022, 5:27 PM

hundreds-father-404
02/24/2022, 5:30 PM
> removing the entry entirely
One quirk of a constraints file is that it need not be exhaustive. Normally, that's a bad thing because it means you might have unpinned things -> less stability + more supply chain attack risk. But here, that can be to your advantage by working around the problem. However, it does mean that Pants can't make an important performance enhancement where it installs your constraints.txt once, and then extracts the relevant subset of deps when doing things like running tests. This is pretty important for most users to have better perf, otherwise Pants will do the correct-but-slow thing of resolving each unique combination of requirements your project uses as a distinct process.
> keeping the entry but w/o the URL stuff
I think that means that Pants's performance optimization of first resolving your entire constraints.txt will not be able to work properly. But I'm not certain.
> I will also look into using v 2.10
Cool, I recommend this the most. See https://www.pantsbuild.org/docs/upgrade-tips