[all][dev] Beware how fun the new pip can be

Radosław Piliszek radoslaw.piliszek at gmail.com
Wed Jan 13 19:36:06 UTC 2021

Hiya, Folks!

Sharing what I have just learnt about the new pip's solver.
pip install PROJECT no longer guarantees to install the latest version
of PROJECT (or, well, giving you the ERROR that it cannot do it
because something something :-) ).
In fact, it will install the latest version *matching other
constraints* and do it *silently*.
Like it was recently only with Python version (i.e. py3-only would not
get installed on py2 - that is cool) but now it moved into any-package

As an example, I can give you [1] where we are experimenting with
getting some extracurricular package into our containers, notably
The only dep of fluent-logger is msgpack but the latest msgpack (as in
upper constraints: 1.0.2, or any 1.x for that matter) is not
compatible. However, the pin was introduced in fluent-logger in its
0.9.5 release (0.9.6 is the latest). Guess what pip does? Here is what
it does:

INFO:kolla.common.utils.openstack-base:Collecting fluent-logger
INFO:kolla.common.utils.openstack-base:  Downloading
(12 kB)
INFO:kolla.common.utils.openstack-base:  Downloading
(12 kB)
INFO:kolla.common.utils.openstack-base:  Downloading
(12 kB)

And that's it. Pip is happy, you got your "latest" version.
In previous pip one would get the latest version AND a warning. Now
just pip's view on what the "latest" version is.

I am glad we have upper-constraints which save the day here (forcing
the ERROR) but beware of this "in the wild".

[1] https://review.opendev.org/c/openstack/kolla/+/759855
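
The following is an added example, not part of the original post and not pip's own code: a toy model of the two resolver behaviours the message describes, plus a guard a build script could apply. The release table and the `<1.0.0` bound are constructed assumptions, and `pinned` and `require_newest` are hypothetical names.

```python
def vt(version):
    """'1.0.2' -> (1, 0, 2), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

# Constructed index data: fluent-logger release -> exclusive upper bound on
# msgpack (None = no bound). The "<1.0.0" value is an assumed form of the pin.
FLUENT_LOGGER = {"0.9.4": None, "0.9.5": "1.0.0", "0.9.6": "1.0.0"}
NEWEST = max(FLUENT_LOGGER, key=vt)

def compatible(release, msgpack):
    bound = FLUENT_LOGGER[release]
    return bound is None or vt(msgpack) < vt(bound)

def legacy_resolve(msgpack):
    """Old pip: install the newest release, report a conflict as a warning."""
    warnings = []
    if not compatible(NEWEST, msgpack):
        warnings.append(f"fluent-logger {NEWEST} conflicts with msgpack {msgpack}")
    return NEWEST, warnings

def backtracking_resolve(msgpack, pinned=None):
    """New pip: try releases newest-first, keep the first one that fits.
    `pinned` models an exact pin (hypothetical), leaving one candidate."""
    candidates = [pinned] if pinned else sorted(FLUENT_LOGGER, key=vt, reverse=True)
    tried = []
    for release in candidates:
        tried.append(release)  # each attempt is one "Downloading" line in the log
        if compatible(release, msgpack):
            return release, tried
    raise RuntimeError(f"ResolutionImpossible after trying {tried}")

def require_newest(selected):
    """Build-script guard: fail when the resolver settled for an older release."""
    if vt(selected) < vt(NEWEST):
        raise RuntimeError(f"resolver chose {selected}, newest is {NEWEST}")
    return selected

if __name__ == "__main__":
    print(legacy_resolve("1.0.2"))        # newest release plus a warning
    print(backtracking_resolve("1.0.2"))  # older release, three attempts, no warning
```

With an exact pin the same conflict surfaces as a hard error instead of a silent downgrade.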

