New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modernization: introduce poetry as a packaging and dependency tool #654
Conversation
…tions workflow into tox.ini
… for darwin (regex: darwin, environment name: py-darwin)
This wasn't too tricky to introduce; it seems worth comparing this approach to |
I'm a bit confused by what I'm seeing here regarding Somewhat relevant and the reason I was looking at that file to begin with is I'd expect that you and hhursev would want to have the export so that people can optionally use poetry, but we still get all the nice hashing supply chain protection. |
The library's dependencies are moved into
I'd vote against using |
I think a potential use case for I'm just pointing out a potential use. I'm not opinionated on this. Could write some CI checks to make sure that someone isn't editing it without also changing the poetry files. |
@bfcarpio good points! Installation-wise: as I understand it, recent Development-wise: if we introduced continuous integration checks on the lockfile/dependencies per-pull-request, then developers could still use whatever tools they like, for the most part. An exception is that I definitely get the sense that I could be introducing complexity for goals that aren't worthwhile (I have the |
Note: I think it sits somewhere between the To explain:
Unlike the This might sound weird, but: I use (perhaps I'll attempt a draft pull request with it anyway though, to compare what it might look like) |
Sorry, a possible correction: PEP-517 support does allow Similarly: the lockfile is not used to pin dependency versions in the built/published package (either by In practical terms, those would mean that the lockfile is useful to provide visibility into the addition/removal of dependencies, and to improve development environment consistency, but it wouldn't provide consistency between developer-install and user-install environments. (I could be wrong here; continuing to learn) |
Yep, my mistake - the
|
Here's what I'm thinking currently:
Honestly I don't think we've had many problems development-wise on the project due to differing dependency versions. So, to refer back to the goal of #617 -- improving developer experience -- the remaining question is whether the point-in-time visibility that And my sense there is that any approach that attempts to commit the dependency set to source control is inherently going to be subject to the 'shifting sands' problem (dependency tree changes elsewhere in the stack), unless all versions are pinned to precise (integrity-hashed?) versions -- a valid albeit maintenance-heavy approach. Overall, I think a lockfile is the wrong place to attempt to gain that visibility - instead it'd be better to start with the versions of a dependency you're interested in, tail the release history for the top-level dependencies of those (within their semver match constraints), and then emit events to a stream when dependencies are added/removed/changed. But that's getting a bit off-topic. I don't think the |
The changes here layer on top of #650; they're opened as a separate pull request so that GitHub Actions linting and testing runs (those workflows are filtered to the
main
branch).To view only the changes between this and #650, visit: issue-617/tox-migration...issue-617/tox-plus-poetry
Relates to #617.