<@U06A03HV1> <@U04S45AHA> (and others), thoughts o...
# developmenth
hundreds-father-404
08/04/2022, 7:57 PM@witty-crayon-22786 @enough-analyst-54434 (and others), thoughts on deprecating Poetry as a lockfile generator in 2.14, but with a longer deprecation cycle like don't remove till 2.16?
hundreds-father-404
08/04/2022, 7:59 PMThis pre-supposes that we don't want to support requirements.txt-style lockfiles in general moving forward, given:
1. they aren't secure because they don't lock down the URLs, only the hashes
2. their performance is worse w/ subsetting
But that is taking away a possibly valuable option for people.
Imo, it's probably fine to take it away. With JVM, we don't give you fallback options
hundreds-father-404
08/04/2022, 8:00 PMmy motivation for this question is that we have bug reports for Poetry like this https://github.com/pantsbuild/pants/issues/15171. I want to know if I can close it as won't fix
w
witty-crayon-22786
08/04/2022, 8:03 PMwitty-crayon-22786
08/04/2022, 8:05 PMmy gut says that that would be fine, but doing a survey of open blockers for using PEX lockfiles would probably be good.
h
hundreds-father-404
08/04/2022, 8:06 PMNote that this contrasts with an earlier idea I floated last month - Poetry 1.2 seems to make a lot of fixes, including allegedly the issue with transitive deps having bad env markers. So we discussed leaning more into Poetry and fixing all the broken windows
That still seems viable, although it will always have the performance hit compared to Pex
Only: limited dev resources. I suspect our time is better invested improving Pants itself. Maintenance cost would be an issue too, that it's complex having two code paths
hundreds-father-404
08/04/2022, 8:10 PMbut doing a survey of open blockers for using PEX lockfiles would probablyFrom what I've seen, none that we know of? John did a bunch of fixes for authentication. We do still need to wire up his work on local requirements, but Poetry didn't support that either, so it's not blocking dropping Poetry. Only blocks requiring lockfiles generally
e
enough-analyst-54434
08/04/2022, 8:24 PMI don't really have an opinion here beyond the usual, I'd like to break users less often than we do with deprecations. As to point 1 above, that is not a good argument. It has to be the case that a sha 256 hash provides most of the security. If that is broken, the whole world falls apart. The fact that an URL would have to be hijacked as well seems basically inconsequential.
h
hundreds-father-404
08/04/2022, 8:32 PMAs to point 1 above, that is not a good argument.Ack. I didn't think about the limitation that requirements.txt-style lock isn't a true lock until you pointed it out in blog post review 2 months ago. That's fine if it's a weak argument tho
e
enough-analyst-54434
08/04/2022, 8:33 PMThe evidence it's weak is that Poetry has presumably considered things carefully and jettisoned fixed URLs for decent reasons. We all have about that same brainpower, they can't be far wrong.
h
hundreds-father-404
08/04/2022, 8:34 PMthey do have URLs in
poetry.lockpoetry exportw
witty-crayon-22786
08/04/2022, 8:35 PMi didn’t really respond to
This pre-supposes that we don’t want to support requirements.txt-style lockfiles in general moving forwardbut: i’m not sure that that follows: it seems reasonable to say “the only built-in lockfile generator is PEX, but you can continue to generate your own lockfile manually for the long tail of weird cases including manual export from poetry”
➕ 1
e
enough-analyst-54434
08/04/2022, 8:35 PMAh, and us using export is a choice I presume? I don't now if they document their lock file format, but if they do, clearly it can map directly. If we actually wanted to support Poetry users well, we'd directly support Poetry locks, which can have different solutions than Pip.
h
hundreds-father-404
08/04/2022, 8:36 PMGreat point Stu!
e
enough-analyst-54434
08/04/2022, 8:37 PMBut, Stu's point requires we can translate the lockfile to something we can actually use. Right?
enough-analyst-54434
08/04/2022, 8:38 PMI guess you point out export may no longer be broken.
enough-analyst-54434
08/04/2022, 8:39 PMIt would be better to directly translate though if the Poetry lock format is stable or better documented, that would make subsetting just as fast.
h
hundreds-father-404
08/04/2022, 8:39 PMRight now, Pants knows how to consume Pex JSON locks & requirements.txt-style locks with
--hash[python].resolves_generate_lockfiles = falsehundreds-father-404
08/04/2022, 8:40 PMIt would be better to directly translate though if the Poetry lock format is stable or better documented, that would make subsetting just as fast.That is an option, but:
Only: limited dev resources. I suspect our time is better invested improving Pants itself. Maintenance cost would be an issue too, that it's complex having two code paths
e
enough-analyst-54434
08/04/2022, 8:41 PMOk, I find that hollow since we touted supporting Poetry folks, but certainly agreed there are only so many hours.
enough-analyst-54434
08/04/2022, 8:41 PMSupporting requirements.txt with --hash but not generating those for you SGTM.
👍 1
h
hundreds-father-404
08/04/2022, 8:42 PMI find that hollow since we touted supporting Poetry folksWell, sort of. We've never supported consuming your
poetry.lockpoetry exportpoetry export