On 2021-01-06 22:04:34 +0100 (+0100), Thomas Goirand wrote: [...]
As a downstream distribution package maintainer, I see this as a major regression of the code quality that upstream is shipping. Without l-c tests, there's no assurance of the reality of a lower-bound dependency.
So then we're back to 5 years ago, when OpenStack was just artificially setting very high lower bounds because we just didn't know...
Please don't do it.
The tidbit you're missing here is that we never actually had working lower-bounds checks. The recent update to make pip correctly confirm requested versions of packages get installed, which has caused these jobs to all fall over, proves that. So it's not a regression. I'm personally in favor of doing lower-bounds checking of our software, always have been, but nobody's done the work to correctly implement it. The old jobs we had punted on it, and now we can see clearly that they weren't actually testing what people thought. Properly calculating transitive dependency lower-bounds requires a modified dependency solver with consistent inverse sorting, and that doesn't presently exist.
-- 
Jeremy Stanley
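To illustrate the last point of the reply above, here is an added sketch (not code from the thread, pip, or OpenStack) of an oldest-first resolution over a constructed package index. It assumes only `>=` constraints; the package names, versions, and the functions `resolve_lower_bounds` and `untested_declared_bounds` are hypothetical.

```python
# Constructed package index: name -> version -> {dependency: minimum version}.
# Versions are tuples so they compare numerically; all data here is made up.
INDEX = {
    "app":  {(1, 0): {"liba": (1, 2), "libb": (2, 0)}},
    "liba": {(1, 2): {"libc": (1, 0)}, (1, 5): {"libc": (1, 4)}},
    "libb": {(2, 0): {"libc": (1, 3), "liba": (1, 5)}, (2, 1): {"libc": (1, 3)}},
    "libc": {(1, 0): {}, (1, 3): {}, (1, 4): {}, (2, 0): {}},
}


def lowest_satisfying(name, minimum):
    """Pick the oldest published version >= minimum (oldest-first ordering)."""
    candidates = sorted(v for v in INDEX[name] if v >= minimum)
    if not candidates:
        raise LookupError(f"no version of {name} satisfies >= {minimum}")
    return candidates[0]


def resolve_lower_bounds(root, root_version):
    """Iterate to a fixpoint: each package settles on the oldest version that
    satisfies every minimum demanded by the versions selected so far."""
    selected = {root: root_version}
    changed = True
    while changed:
        changed = False
        for name, version in list(selected.items()):
            for dep, minimum in INDEX[name][version].items():
                # Selections only ever move upward, so the loop terminates.
                floor = max(minimum, selected.get(dep, minimum))
                pick = lowest_satisfying(dep, floor)
                if selected.get(dep) != pick:
                    selected[dep] = pick
                    changed = True
    return selected


def untested_declared_bounds(root, root_version):
    """Direct dependencies whose declared minimum can never be installed
    together with the rest of the set: {name: (declared, effective)}."""
    resolved = resolve_lower_bounds(root, root_version)
    declared = INDEX[root][root_version]
    return {dep: (low, resolved[dep])
            for dep, low in declared.items() if resolved[dep] != low}


if __name__ == "__main__":
    print(resolve_lower_bounds("app", (1, 0)))
    print(untested_declared_bounds("app", (1, 0)))
```

In this constructed index `app` declares `liba>=1.2`, but `libb 2.0` requires `liba>=1.5`, so a job that pins `liba` to 1.2 either fails to install or silently tests something else.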