On 2019-05-22 23:49:55 +0200 (+0200), Dirk Müller wrote: [...snip bits about pragmatic compromise over absolutes...]
Perhaps the projects that currently use upper constraints don't care about a secure virtualenv/container build, and that's fine. It still does have a point to test against the versions end users will most likely have, and they most likely have security-fixed versions (because they're good users and run against a stable security-maintained enterprise operating system). We'd be doing ourselves a favor by testing a situation that is coming close to the end user situation in our CI. [...]
Doing conformance testing on those distros with their packaged versions of our external dependencies would much more closely approximate what I think you want than testing with a shifting set of old-and-new Python dependencies installed from PyPI. It would probably also be easier to maintain over the long haul. -- Jeremy Stanley
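One concrete way to see how far a CI pin list sits from what a distro actually ships is to diff the constraints file against the installed package set. The script below is an added example for this thread, not OpenStack's own tooling (it is not the upper-constraints job or any part of requirements/pbr); the constraints text and the "installed" mapping are constructed sample data, and the classification labels (same, ci-newer, ci-older, not-installed) are my own.

```python
"""Report drift between a pip constraints file and the dependency versions
actually installed (for instance from a distro's packages).

Added example for this discussion; not OpenStack's own tooling. The
constraints text and the "installed" mapping below are made-up sample data.
"""
import re
from importlib import metadata

# Constructed sample in upper-constraints.txt syntax (not a real snapshot).
SAMPLE_CONSTRAINTS = """\
# comments and blank lines are ignored
requests===2.21.0
PyYAML===5.1
cryptography===2.6.1
urllib3===1.24.3;python_version=='3.6'
futures===3.2.0;python_version=='2.7'
"""

# Constructed "distro-installed" versions, as a stable release might ship them.
SAMPLE_INSTALLED = {
    "requests": "2.21.0",
    "PyYAML": "3.13",
    "cryptography": "2.6.1",
    "urllib3": "1.25.3",
}

# Matches "name==ver" or "name===ver"; stops before any ";marker" or "#comment".
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*===?\s*([^\s;#]+)")


def normalize(name):
    """PEP 503 style name normalization so PyYAML and pyyaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_constraints(text):
    """Return {normalized_name: pinned_version}, ignoring markers and comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def version_key(v):
    """Numeric tuple for comparing dotted release versions (trailing .0 dropped).

    Deliberately simple: pre-release tags are ignored, which is enough for the
    '===' release pins used in a constraints file.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def installed_versions():
    """Versions present in the current environment (live data, not the sample)."""
    found = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            found[normalize(name)] = dist.version
    return found


def report_drift(pins, installed):
    """Classify each pin relative to what is installed.

    'ci-newer' means CI tests newer code than the end user runs;
    'ci-older' means the end user runs newer code than CI tests.
    """
    installed = {normalize(k): v for k, v in installed.items()}
    out = {}
    for name, pinned in pins.items():
        have = installed.get(name)
        if have is None:
            out[name] = "not-installed"
        elif version_key(have) == version_key(pinned):
            out[name] = "same"
        elif version_key(pinned) > version_key(have):
            out[name] = "ci-newer"
        else:
            out[name] = "ci-older"
    return out


if __name__ == "__main__":
    # Run against the constructed sample; swap in installed_versions() to
    # compare a real constraints file with the packages on this host.
    drift = report_drift(parse_constraints(SAMPLE_CONSTRAINTS), SAMPLE_INSTALLED)
    for name in sorted(drift):
        print(f"{name:14} {drift[name]}")
```

Running it against a real host means feeding `parse_constraints()` the project's constraints file and `installed_versions()` the live environment; the "ci-older" entries are the ones where the distro has already moved on (typically to a security-fixed release) and CI is still exercising the older pin.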