Created attachment 172455
patch from a git commit
Lock the devel/awscli dependency on devel/py-botocore and
net/py-s3transfer to a single, specific version. This follows the
upstream behavior, which develops and releases these projects in tandem.
portlint -C: OK
testport: OK (poudriere 11.0-BETA1 amd64, 10.3-RELEASE amd64)
TL;DR The dependency specs need to be changed to ">=" in setup.py
Python upstreams often (blindly) pin their dependencies in their released packages, usually to help avoid users inadvertently installing (with pip) *potentially* incompatible versions.
Other projects sometimes use >=X.Y,<Z.0, which is a little better, but assumes APIs are not broken within minor versions (which does happen).
Most Python projects understand that release packages and package/application deployment, where one wants to pin all dependencies by default, are two separate things, and use >= for their released (to PyPI) packages. These projects end up ahead of the curve, as they invariably end up knowing (if they're using CI) before releasing that a dependency of theirs breaks API, minimising the failure window for users.
These exact version dependencies are untenable within ports, as multiple concurrent versions of Python ports/packages are not available for users to install, only the latest version. With the current == lines, devel/awscli will fail if botocore is ever updated. Whether or not they're currently maintained by the same person or always updated together is immaterial.
It's very unlikely that there is always an *exact* and *only* dependence on a specific version of botocore. If there is, awscli should vendor the code.
For the project in question, it's probably better for them to unpin those dependencies for development and release purposes, so that they can test (CI) their code against the latest version of them at all times.
I'd suggest opening an issue upstream and asking them to use >= (or at least >=, < X.0) as their default.
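The failure mode described in the comment above, as an added example that is not part of the original thread or of awscli's own code: a stdlib-only checker that flags exact pins in install_requires-style strings and tests each spec against the single version a ports tree offers. All requirement strings, the `examplelib` name and the version numbers are constructed sample values.

```python
import operator
import re

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}

# Constructed sample data (not taken from any real setup.py).
PINNED = ["botocore==1.4.36", "s3transfer==0.0.1", "examplelib>=0.2,<1.0"]
RELAXED = ["botocore>=1.4.36,<2.0", "s3transfer>=0.0.1", "examplelib>=0.2,<1.0"]
# A ports tree carries exactly one version of each Python package.
PORTS_TREE = {"botocore": "1.4.37", "s3transfer": "0.1.0", "examplelib": "0.3.7"}

def vtuple(version):
    """'1.4.0' -> (1, 4); trailing zeros dropped so 1.4 == 1.4.0."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse(req):
    """Split 'name>=1.0,<2.0' into ('name', [('>=', (1,)), ('<', (2,))])."""
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    if not m:
        raise ValueError("unparseable requirement: %r" % req)
    clauses = []
    for clause in filter(None, (c.strip() for c in m.group(2).split(","))):
        cm = re.match(r"(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$", clause)
        if not cm:
            raise ValueError("unsupported specifier: %r" % clause)
        clauses.append((cm.group(1), vtuple(cm.group(2))))
    return m.group(1).lower(), clauses

def audit(requirements, available):
    """Return (names with an exact pin, names the available version fails)."""
    exact, broken = [], []
    for req in requirements:
        name, clauses = parse(req)
        if any(op == "==" for op, _ in clauses):
            exact.append(name)
        have = available.get(name)
        if have is None or not all(OPS[op](vtuple(have), want)
                                   for op, want in clauses):
            broken.append(name)
    return exact, broken

if __name__ == "__main__":
    for label, reqs in (("pinned", PINNED), ("relaxed", RELAXED)):
        exact, broken = audit(reqs, PORTS_TREE)
        print("%-8s exact pins: %s  unsatisfied: %s" % (label, exact, broken))
```
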
koobs: I understand and can relate to what you are saying, but I must admit that I'm a bit put off about what to do with this PR now. Is this PR dependent on the creation and/or resolution of an upstream issue? I'm unsure what's expected/required of me.
> TL;DR The dependency specs need to be changed to ">=" in setup.py
Is a patch in the port good enough? And I then change the ports dependencies back to >=?
> If there is, awscli should vendor the code.
FWIW, they do. ;) The same person tagged and released both packages at the same time.
Or do you mean they should include a bundled copy?
(In reply to Bradley T. Hughes from comment #2)
- It's not dependent on resolving upstream
- Patching the setup.py and changing the *_DEPENDS lines back to >= is sufficient for now (in lieu of upstream changing it)
- 'Vendoring' the code means bundling, yes, and given they don't is why I'm confident awscli doesn't *actually* depend on an exact version of botocore, but instead just appears to be an overly restrictive safety belt for users.
Created attachment 172558
patch from a git commit
Updated to address comments and bump to the latest upstream version.
A commit references this bug:
Date: Sat Jul 16 18:47:41 UTC 2016
New revision: 418648
- Update devel/py-botocore to version 1.4.37
- Update devel/awscli to version 1.10.47
Submitted by: Bradley T. Hughes
Approved by: maintainer