[all][dev] Beware how fun the new pip can be

Andrii Ostapenko anost1986 at gmail.com
Wed Jan 13 19:54:24 UTC 2021

On Wed, Jan 13, 2021 at 1:37 PM Radosław Piliszek
<radoslaw.piliszek at gmail.com> wrote:
> Hiya, Folks!
> Sharing what I have just learnt about the new pip's solver.
> pip install PROJECT no longer guarantees to install the latest version
> of PROJECT (or, well, giving you the ERROR that it cannot do it
> because something something :-) ).
> In fact, it will install the latest version *matching other
> constraints* and do it *silently*.
> Like it was recently only with Python version (i.e. py3-only would not
> get installed on py2 - that is cool) but now it moved into any-package
> territory.
> As an example, I can give you [1] where we are experimenting with
> getting some extracurricular package into our containers, notably
> fluent-logger.
> The only dep of fluent-logger is msgpack but the latest msgpack (as in
> upper constraints: 1.0.2, or any 1.x for that matter) is not
> compatible. However, the pin was introduced in fluent-logger in its
> 0.9.5 release (0.9.6 is the latest). Guess what pip does? Here is what
> it does:
> INFO:kolla.common.utils.openstack-base:Collecting fluent-logger
> INFO:kolla.common.utils.openstack-base:  Downloading
> http://mirror-int.dfw.rax.opendev.org:8080/pypifiles/packages/1a/f5/e6c30ec7a81e9c32c652c684004334187db4cc09eccf78ae7b69e62c7b10/fluent_logger-0.9.6-py2.py3-none-any.whl
> (12 kB)
> INFO:kolla.common.utils.openstack-base:  Downloading
> http://mirror-int.dfw.rax.opendev.org:8080/pypifiles/packages/d5/cb/19d838561ec210321aea24c496ec61930d6fdbb2f98d3f06cebab33c1331/fluent_logger-0.9.5-py2.py3-none-any.whl
> (12 kB)
> INFO:kolla.common.utils.openstack-base:  Downloading
> http://mirror-int.dfw.rax.opendev.org:8080/pypifiles/packages/d1/d4/f9b3493f974cdac831bf707c3d9fec93b1a0ebd986eae4db4f101dd72378/fluent_logger-0.9.4-py2.py3-none-any.whl
> (12 kB)
> And that's it. Pip is happy, you got your "latest" version.
> In previous pip one would get the latest version AND a warning. Now
> just pip's view on what the "latest" version is.
> I am glad we have upper-constraints which save the day here (forcing
> the ERROR) but beware of this "in the wild".
> [1] https://review.opendev.org/c/openstack/kolla/+/759855
> -yoctozepto

Really big change, no surprise it's full of bugs. I had a situation
with an infinite loop of 'Requirement already satisfied' just
Can only suggest to file issues https://github.com/pypa/pip/issues and
fall back to 20.2, i think virtualenv==20.2.1 is the latest that comes
with 20.2 pip

More information about the openstack-discuss mailing list