[openstack-dev] Requests + urllib3 + distro packages

Robert Collins robertc at robertcollins.net
Fri Oct 9 18:31:48 UTC 2015

On 10 October 2015 at 03:57, Cory Benfield <cory at lukasa.co.uk> wrote:
>> On 9 Oct 2015, at 15:18, Jeremy Stanley <fungi at yuggoth.org> wrote:
>> On 2015-10-09 14:58:36 +0100 (+0100), Cory Benfield wrote:
>> [...]
>>> IMO, what OpenStack needs is a decision about where it’s getting
>>> its packages from, and then to refuse to mix the two.
>> I have yet to find a Python-based operating system installable in
>> whole via pip. There will always be _at_least_some_ packages you
>> install from your operating system's package management. What you
>> seem to be missing is that Linux distros are now shipping base
>> images which include their python-requests and python-urllib3
>> packages already pre-installed as dependencies of Python-based tools
>> they deem important to their users.
> Yeah, this has been an ongoing problem.
> For my part, Donald Stufft has informed me that if the distribution-provided requests package has the appropriate install_requires field in its setup.py, pip will respect that dependency.

It should but it won't :).


The first one means that if someone does 'pip install -U urllib3' and
an unbundled requests with an appropriate pin on urllib3 is already
installed, pip will happily upgrade urllib3, breaking requests,
without complaining. It is fixable (with correct metadata of course).

The second one means that if anything - another package, or the user
via direct mention or requirements/constraints files - specifies a
urllib3 dependency (of any sort) then the requests dependency will be
silently ignored.

Both of these will be solved in the medium future - we're now at the
point of having POC branches, and once we've finished with the
constraints rollout and PEP-426 marker polish will be moving onto the
resolver work.

> Given that requests has recently switched to not providing mid-cycle urllib3 versions, it should be entirely possible for downstream redistributors in Debian/Fedora to put that metadata into their packages when they unbundle requests. I’m chasing up with our downstream redistributors right now to ask them to start doing that.
> This should resolve the problem for systems where requests 2.7.0 or higher are being used. In other systems, this problem still exists and cannot be fixed by requests directly.

Well, if we get to a future where it is in-principle fixed, I'll be happy.


Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
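
Added example (not part of the message above, and not pip's own code): a pre-flight check for the first failure the message describes, where upgrading urllib3 silently breaks the pin declared by an already installed, unbundled requests. The helper names, the pin and the version numbers are constructed for illustration, and only plain numeric versions are handled.

```python
import operator
import re

# Only plain numeric releases ("1.10.4") and the basic comparison operators
# are handled; real tools should use the `packaging` library instead.
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
CLAUSE_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")

def parse_version(text):
    """'1.10' -> (1, 10, 0, 0): pad so that 1.10 and 1.10.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_requirement(req):
    """'urllib3>=1.10,<1.11' -> ('urllib3', [('>=', ver), ('<', ver)])."""
    name, spec = REQ_RE.match(req).groups()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        match = CLAUSE_RE.match(part)
        if match is None:
            raise ValueError("unsupported specifier: %r" % part)
        clauses.append((match.group(1), parse_version(match.group(2))))
    return name.lower(), clauses

def broken_pins(installed, declared):
    """Return (owner, requirement, installed_version) for each unmet dependency."""
    problems = []
    for owner, reqs in sorted(declared.items()):
        for req in reqs:
            name, clauses = parse_requirement(req)
            have = installed.get(name)
            if have is None or not all(
                    OPS[op](parse_version(have), want) for op, want in clauses):
                problems.append((owner, req, have))
    return problems

def check_upgrade(installed, declared, name, new_version):
    """Problems that replacing `name` with `new_version` would introduce."""
    after = dict(installed, **{name.lower(): new_version})
    before = {(o, r) for o, r, _ in broken_pins(installed, declared)}
    return [p for p in broken_pins(after, declared) if p[:2] not in before]

# Constructed sample data: an unbundled requests that pins urllib3.
INSTALLED = {"requests": "2.7.0", "urllib3": "1.10.4"}
DECLARED = {"requests": ["urllib3==1.10.4"]}
```

Calling `check_upgrade(INSTALLED, DECLARED, "urllib3", "1.12")` reports the requests pin that the upgrade would break, which is the complaint the message says pip does not make.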
