Bug 211073 - devel/awscli: update to 1.10.47, devel/py-botocore: update to 1.4.37
Summary: devel/awscli: update to 1.10.47, devel/py-botocore: update to 1.4.37
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Pawel Pekala
Keywords: needs-qa, patch
Depends on:
Reported: 2016-07-13 08:13 UTC by Bradley T. Hughes
Modified: 2016-07-18 06:53 UTC

alexey: maintainer-feedback+

patch from a git commit (2.63 KB, patch)
2016-07-13 08:13 UTC, Bradley T. Hughes
no flags
patch from a git commit (3.54 KB, patch)
2016-07-15 16:12 UTC, Bradley T. Hughes
bhughes: maintainer-approval?

Description Bradley T. Hughes freebsd_committer 2016-07-13 08:13:11 UTC
Created attachment 172455
patch from a git commit

Lock the devel/awscli dependency on devel/py-botocore and
net/py-s3transfer to a single, specific version. This follows the
upstream behavior, which develops and releases these projects in tandem.
See https://github.com/aws/aws-cli/blob/1.10.46/setup.py#L9-L13

portlint -C: OK
testport: OK (poudriere 11.0-BETA1 amd64, 10.3-RELEASE amd64)
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-13 09:17:32 UTC
TL;DR: The dependency specs need to be changed to ">=" in setup.py

Python upstreams often (blindly) pin their dependencies in their released packages, usually to help avoid users inadvertently installing (with pip) *potentially* incompatible versions.

Other projects sometimes use >=X.Y,<Z.0, which is a little better, but assumes APIs are not broken within minor versions (which does happen).

Most Python projects understand that release packages and package/application deployment, where one wants to pin all dependencies by default, are two separate things, and use >= for their released (to PyPI) packages. These projects end up ahead of the curve, as they invariably end up knowing (if they're using CI) before releasing that a dependency of theirs breaks API, minimising the failure window for users.

These exact version dependencies are untenable within ports, as multiple concurrent versions of Python ports/packages are not available for users to install, only the latest version. With the current == lines, devel/awscli will fail if botocore is ever updated. Whether or not they're currently maintained by the same person or always updated together is immaterial.

It's very unlikely that there is always an *exact* and *only* dependence on a specific version of botocore. If there is, awscli should vendor the code.

For the project in question, it's probably better for them to unpin those dependencies for development and release purposes, so that they can test (CI) their code against the latest version of them at all times.

I'd suggest opening an issue upstream and asking them to use >= (or at least >=, < X.0) as their default.
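
The three specifier styles compared in comment 1, as an added example that is not part of the bug thread or of awscli's code: it reports at which in-place update of a dependency each style starts rejecting the only installed version. The requirement strings, the release sequence and all function names are constructed for illustration.

```python
import re

# Constructed requirement strings in the three styles discussed in comment 1;
# they are illustrative, not copied from the awscli setup.py.
EXACT = "botocore==1.4.36"
RANGE = "botocore>=1.4.36,<2.0"
FLOOR = "botocore>=1.4.36"
# Constructed release sequence: a port is updated in place, one version at a time.
RELEASES = ["1.4.36", "1.4.37", "1.5.0", "2.0.0"]

OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "!=": lambda a, b: a != b}
CLAUSE = re.compile(r"^(==|>=|<=|!=|<|>)\s*(\d+(?:\.\d+)*)$")
NAME = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*)$")

def version(text):
    """'1.4.37' -> (1, 4, 37, 0); plain dotted release numbers only."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse(requirement):
    """'name>=1.0,<2.0' -> ('name', [('>=', (1, 0, 0, 0)), ('<', (2, 0, 0, 0))])."""
    name, spec = NAME.match(requirement.strip()).groups()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = CLAUSE.match(part)
        if m is None:
            raise ValueError("unsupported specifier: %r" % part)
        clauses.append((m.group(1), version(m.group(2))))
    return name, clauses

def satisfied(requirement, installed):
    """True if the single installed version meets every clause."""
    have = version(installed)
    return all(OPS[op](have, want) for op, want in parse(requirement)[1])

def first_breaking(requirement, releases):
    """First release, in update order, that the requirement rejects, else None."""
    return next((r for r in releases if not satisfied(requirement, r)), None)

def relax(requirement):
    """Rewrite every exact pin '==X' as a floor '>=X'; other clauses are kept."""
    name, spec = NAME.match(requirement.strip()).groups()
    return name + re.sub(r"==\s*", ">=", spec)

if __name__ == "__main__":
    for req in (EXACT, RANGE, FLOOR, relax(EXACT)):
        print("%-24s breaks at: %s" % (req, first_breaking(req, RELEASES)))
```
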
Comment 2 Bradley T. Hughes freebsd_committer 2016-07-13 10:28:58 UTC
koobs: I understand and can relate to what you are saying, but I must admit that I'm a bit put off about what to do with this PR now. Is this PR dependent on the creation and/or resolution of an upstream issue? I'm unsure what's expected/required of me.

> TL;DR: The dependency specs need to be changed to ">=" in setup.py

Is a patch in the port good enough? And I then change the ports dependencies back to >=? 

> If there is, awscli should vendor the code.

FWIW, they do. ;) The same person tagged and released both packages at the same time.

Or do you mean they should include a bundled copy?
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-14 07:08:19 UTC
(In reply to Bradley T. Hughes from comment #2)

- It's not dependent on resolving upstream
- Patching the setup.py and changing the *_DEPENDS lines back to >= is sufficient for now (in lieu of upstream changing it)
- 'vendoring' the code means bundling, yes, and given they don't is why I'm confident awscli doesn't *actually* depend on an exact version of botocore, but instead just appears to be an overly restrictive safety belt for users.
Comment 4 Bradley T. Hughes freebsd_committer 2016-07-15 16:12:23 UTC
Created attachment 172558
patch from a git commit

Updated to address comments and bump to the latest upstream version.
Comment 5 commit-hook freebsd_committer 2016-07-16 18:48:15 UTC
A commit references this bug:

Author: pawel
Date: Sat Jul 16 18:47:41 UTC 2016
New revision: 418648
URL: https://svnweb.freebsd.org/changeset/ports/418648

  - Update devel/py-botocore to version 1.4.37
  - Update devel/awscli to version 1.10.47

  PR:		211073
  Submitted by:	Bradley T. Hughes
  Approved by:	maintainer

Comment 6 Bradley T. Hughes freebsd_committer 2016-07-18 06:53:12 UTC
Thanks! :)