this post was submitted on 17 Jan 2025

12 points (80.0% liked)

Python

6568 readers

13 users here now

Welcome to the Python community on the programming.dev Lemmy instance!

📅 Events

Past

November 2023

PyCon Ireland 2023, 11-12th
PyData Tel Aviv 2023 14th

October 2023

PyConES Canarias 2023, 6-8th
DjangoCon US 2023, 16-20th (!django 💬)

July 2023

PyDelhi Meetup, 2nd
PyCon Israel, 4-5th
DFW Pythoneers, 6th
Django Girls Abraka, 6-7th
SciPy 2023 10-16th, Austin
IndyPy, 11th
Leipzig Python User Group, 11th
Austin Python, 12th
EuroPython 2023, 17-23rd
Austin Python: Evening of Coding, 18th
PyHEP.dev 2023 - "Python in HEP" Developer's Workshop, 25th

August 2023

PyLadies Dublin, 15th
EuroSciPy 2023, 14-18th

September 2023

PyData Amsterdam, 14-16th
PyCon UK, 22nd - 25th

🐍 Python project:

💓 Python Community:

#python IRC for general questions
#python-dev IRC for CPython developers
PySlackers Slack channel
Python Discord server
Python Weekly newsletters
Mailing lists
Forum

✨ Python Ecosystem:

🌌 Fediverse

Communities

#python on Mastodon
c/django on programming.dev
c/pythorhead on lemmy.dbzer0.com

Projects

Pythörhead: a Python library for interacting with Lemmy
Plemmy: a Python package for accessing the Lemmy API
pylemmy pylemmy enables simple access to Lemmy's API with Python
mastodon.py, a Python wrapper for the Mastodon API

Feeds

founded 2 years ago

MODERATORS

[email protected]

PEP 735 does dependency group solve anything? (peps.python.org)

submitted 1 week ago by [email protected] to c/[email protected]

27 comments fedilink hide all child comments

PEP 735 what is it's goal? Does it solve our dependency hell issue?

A deep dive and out comes this limitation

The mutual compatibility of Dependency Groups is not guaranteed.

-- https://peps.python.org/pep-0735/#lockfile-generation

Huh?! Why not?

mutual compatibility or go pound sand!

pip install -r requirements/dev.lock
pip install -r requirements/kit.lock -r requirements/manage.lock

The above code, purposefully, does not afford pip a fighting chance. If there are incompatibilities, it'll come out when trying randomized combinations.

Without a means to test for and guarantee mutual compatibility, end users will always find themselves in dependency hell.

Any combination of requirement files (or dependency groups), intended for the same venv, MUST always work!

What if this is scaled further, instead of one package, a chain of packages?!

you are viewing a single comment's thread
view the rest of the comments

[–] eager_eagle 2 points 1 week ago (3 children)

I didn't know about StrictYAML, we're really going in circles lol

TOML is already RW by Poetry, PDM, and uv.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (2 children)

Yeah, but should it be (rw)?

If it's rw, it's a database, not a config file.

No software designer thinks ... postgreSQL, sqlite, mariadb, duckdb, .... nah TOML

Or at least yaml turns out to be not a strange suggestion

[–] FooBarrington 3 points 1 week ago (2 children)

You have a strange definition of "database". Almost every language I touch on a daily basis (JS, Rust, C#) uses their package meta file to declare dependencies as well, yet none of those languages treat it as a "database".

[–] [email protected] 1 points 1 week ago (2 children)

In this super specific case, the data that is being worked with is a many list of dict. A schema-less table. There would be frequent updates to this data. As package versions are upgraded, fixes are made, and security patches are added.

[–] eager_eagle 3 points 1 week ago (2 children)

It seems you're describing a lock file. No one is proposing to use or currently using pyproject.toml as a lock file. And even lock files have well defined schemas, not just an arbitrary JSON-like object.

[–] [email protected] 1 points 1 week ago

parsing lock files

There's a few edge cases on parsing dependency urls. So it's not completely black and white.

just have to read over to pip-compile-multi to see that. (i have high praise for that project don't get me wrong)

[–] [email protected] 1 points 1 week ago (1 children)

then i'm misunderstanding what data dependencies groups are supposed to be storing. Just the equivalent of requirements.in files and mapping that to a target? And no -c (constraints) support?!

Feels like tying one of hands behind our back.

[–] eager_eagle 1 points 1 week ago

see https://packaging.python.org/en/latest/specifications/dependency-groups/#dependency-groups

[–] FooBarrington 1 points 1 week ago (1 children)

It's not schemaless at all, it's a dictionary of string to string. Not that complex.

[–] [email protected] 1 points 1 week ago (1 children)

The strictyaml schema holds a pinch of nuance.

The value argument is automagically coersed to a str. Which is nice; since the field value can be either integer or str. And i want a str, not an int.

A Rust solution would be superior, but the Python API is reasonable; not bad at all.

[–] FooBarrington 2 points 1 week ago (1 children)

I'm not sure what you're talking about. My point was that dependency definitions in pyproject.toml aren't schemaless.

[–] [email protected] 0 points 1 week ago (1 children)

strict schema and a spec are not the same. package pyproject-validate can check if a pyproject.toml follows the spec, but not be using a strict schema.

A schema is similar to using Rust. Every element is strictly typed. Is that an int or a str is not enforced by a spec

If there was a strict schema, package pyproject-validate would be unnecessary

[–] FooBarrington 1 points 1 week ago* (last edited 1 week ago)

Wait. So there's a tool that allows you to validate pyproject.toml files (since this file can be extended by any tool), and that somehow proves that dependency declarations in pyproject.toml are schemaless? They literally use a JSON Schema for validating exactly this: https://validate-pyproject.readthedocs.io/en/latest/json-schemas.html

[–] [email protected] 1 points 1 week ago (1 children)

especially JS, some packages.json are super long. The sqlite author would blush looking at that

[–] FooBarrington 1 points 1 week ago (1 children)

Sure, but why is that a bad thing when you have lots of direct dependencies?

[–] [email protected] 1 points 2 days ago

As the quantity and relationships complexity increases so to does the need for management tools to deal with the chaos.

Most Python coders cope by keeping things overly simple. Avoiding complexity at all costs.

Do you fully embrace requirement file complexity or do you avoid it?

assume one venv
has no way to deal with unavoidable incompatibilities

Which maybe due to: a package becoming unmaintained or overly zealous limiting allowed versions

has no way to adapt to security vulnerabilities (e.g. CVE-2024-9287)
has no intelligent way to normalize both direct and transitive dependency versions across lock files

[–] eager_eagle 3 points 1 week ago (1 children)

it's a config file that should be readable and writeable by both humans and tools. So yeah, it makes sense.

And I don't lile yaml personally, so that's a plus to me. My pet peeve is never knowing what names before a colon are part of the schema and which ones are user-defined. Even with strictyaml, reading the nesting only through indentation is harder than in toml.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

You are not wrong, yaml can be confusing.

Recently got tripped up on sequence of mapping of mapping. Which is just a simple list of records.

But for the life of me, couldn't get a simple example working.

Ended up reversed the logic.

Instead of parsing a yaml str. Created the sample list of dict and asked strictyaml to produce the yaml str.

Turns out the record is indented four spaces, not two.

- file: "great_file_name_0.yml"
    key_0: "value 0"
- file: "great_file_name_1.yml"
    key_0: "value 0"

Something like ^^. That is a yaml database. It has records, a schema, and can be safely validated!

The strictyaml documentation covers ridiculously simple cases. There are no practical examples. So it was no help.

Parser kept complaining about duplicate keys.

[–] eager_eagle 2 points 1 week ago (1 children)

It has records, a schema, and can be safely validated!

uh... a database implies use of a database management system. I don't think saying that a YAML/TOML/JSON/whatever file is a database is very useful, as these files are usually created and modified without any guarantees.

It's not even about being incorrect, it's just not that useful.

[–] [email protected] 1 points 1 week ago

But it's treated 100% like a crappy CRUD database with no modern features or SQL

it's a file containing records with a strict schema. And nothing else

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

Highly suggest reading the strictyaml docs

The author lays out both

Why
Why not

Should be required reading for anyone dealing with config files, especially those encountering yaml.

Warning: After reading these, and confirming the examples yourself, seeing packages using pyyaml will come off as lessor

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

Not in circles, this is helping for me.

If you have strong support for a rw toml, would like to hear your arguments