[openstack-dev] [all]deprecating [test-]requirements-PYN.txt

Robert Collins robertc at robertcollins.net
Thu Jul 2 22:18:48 UTC 2015

On 3 July 2015 at 08:22, Dave Walker <email at daviey.com> wrote:
> On 29 June 2015 at 04:59, Robert Collins <robertc at robertcollins.net> wrote:
>> Hi, so we're nearly ready to deprecate the python-version-specific
>> requirements files. Once we have infra's requirements cross checking
>> jobs all copacetic again, we should be able to move forward.
>> There isn't a specific spec for this in pbr, and I wanted to get some
>> broad input into the manner of the deprecation.
> <SNIP>
> Slightly offtopic, but I've noticed that some consumers of bandit[0]
> have been creating requirements-bandit.txt.  This is to specify bandit
> requirements without requiring the whole test-requirements.txt env to
> be installed, to run what is essentially a linting tool.

Well, this doesn't really make sense to me. Making a new virtualenv
with tools like that is a few seconds (after the first warm-up time),
and the virtualenvs persist.

For CI, it's not the bottleneck and thus perf is irrelevant.

> I'm not sure I like the idea of creating MORE requirements.txt style
> files as it pollutes the project root namespace and currently has no
> syncing from global-requirements.
> I wondered if you had any ideas on how to solve this for bandit usage,
> and potentially other projects?
> [0] https://wiki.openstack.org/wiki/Security/Projects/Bandit

It's feasible to use extras for this, but I wouldn't.
requirements-bandit.txt is definitely a problem though, as it's not
synced, not linted, and not cross-checked.

So my recommendations are:
1) test-requirements. That's what it's there for.
2) extras if that reallllly is an issue. Also, if doing this, help
everyone by documenting where the issue is.


Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
