From: Jeremy Stanley
Newsgroups: linux.debian.maint.python
Subject: Re: Upstream dependency version requirements [Was: Re: review for beets/2.9.0-1]
Date: Mon, 04 May 2026 15:40:01 +0200
List-Archive: https://lists.debian.org/msgid-search/afiX2gpJfXzDJAME@yuggoth.org

On 2026-05-04 15:07:22 +0300 (+0300), Peter Pentchev wrote:
> On Sun, May 03, 2026 at 03:49:21PM -0000, Jeroen Ploemen wrote:
> [...]
>> For both of the above, it's often an open question whether version
>> restrictions declared by upstream are actually hard requirements or
>> just a matter of "we prefer to have everyone use the version we
>> tested with".
>
> From my experience with various upstream projects, both individual
> authors with varying levels of experience and workflows, and
> more complex organizations (e.g. OpenStack), IMHO it is most useful to,
> at least initially, "assume good faith"
[...]

To use the OpenStack example, our dependency management upstream has
both parts Jeroen mentioned: 1. requirements.txt files (or similar
lists in pyproject.toml) for each individual project are coordinated
so that they remain coinstallable while staying as loosely-defined
as possible; 2. a global constraints list essentially "pins" a
solution for requirements across all OpenStack projects like a
lockfile, in order to stabilize upstream integration testing and
allow us to quickly identify regressions in dependencies as new
releases for them appear.

It's always been our goal to remain flexible for the benefit of
downstream distribution package maintainers, and when individual
projects within OpenStack specify a lower bound, upper bound, or
excluded version in their requirements it typically signals an
actual regression that project is trying to avoid (either because
the project has started depending on a new feature from that
dependency, or the dependency introduced a backward incompatibility
or presumed-temporary breaking bug).
Put another way, the constraints list is the exact versions of
dependencies (including transitive dependencies) that were tested
with upstream at that time, but we understand that distributions
downstream have a need to make our software work with different
versions than what we've tested and so expect them to do their own
testing where relevant in order to confirm everything continues to
work as intended.

I won't speculate about the Beets upstream dependency management,
but as a user of it myself (and having managed pip-installed venvs
of it myself in the past for various reasons), it does appear they
have a very complex set of requirements so almost certainly are
working around the sorts of problems which arise from that.

-- 
Jeremy Stanley
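The two-part scheme described in the message above (loose per-project requirements plus one global pinned constraints list) invites a mechanical check that the pinned solution actually satisfies every project's declared bounds, which is what makes the projects coinstallable. The following is an added example, not code from the thread or from OpenStack's own tooling; it assumes plain dotted-integer versions and the basic comparison operators only, and the sample requirement and constraint lines are constructed.

```python
# Added example, not code from the thread or from OpenStack: verify that a pinned
# constraints list (the lockfile-like half) satisfies every loosely-bounded
# requirements.txt entry. Assumes dotted-integer versions only (no PEP 440 tags).
import re

_OPS = {"==": lambda v, w: v == w, "!=": lambda v, w: v != w,
        ">=": lambda v, w: v >= w, "<=": lambda v, w: v <= w,
        ">": lambda v, w: v > w, "<": lambda v, w: v < w}
_CLAUSE = re.compile(r"^(===|==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)$")

def parse_version(text):
    """'2.31.0' -> (2, 31): trailing '.0' parts dropped so 2.31 equals 2.31.0."""
    return tuple(int(p) for p in re.sub(r"(\.0)+$", "", text).split("."))

def parse_line(line):
    """'requests>=2.25,!=2.30.0  # note' -> ('requests', [('>=', (2, 25)), ...])."""
    m = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", line.split("#", 1)[0].strip())
    if not m:
        return None  # blank or comment-only line
    name, clauses = m.group(1).lower().replace("_", "-"), []
    for clause in filter(None, (c.strip() for c in m.group(2).split(","))):
        cm = _CLAUSE.match(clause)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op = "==" if cm.group(1) == "===" else cm.group(1)  # === is pip's exact pin
        clauses.append((op, parse_version(cm.group(2))))
    return name, clauses

def check_constraints(requirements, constraints):
    """One message per requirement the pins fail to satisfy; [] means coinstallable."""
    pins = {}
    for name, clauses in filter(None, map(parse_line, constraints)):
        if len(clauses) != 1 or clauses[0][0] != "==":
            raise ValueError(f"constraint for {name} is not an exact pin")
        pins[name] = clauses[0][1]
    problems = []
    for name, clauses in filter(None, map(parse_line, requirements)):
        if name not in pins:
            problems.append(f"{name}: not pinned in constraints")
            continue
        bad = [op + ".".join(map(str, v)) for op, v in clauses if not _OPS[op](pins[name], v)]
        if bad:
            problems.append(f"{name}: pinned {'.'.join(map(str, pins[name]))} violates {','.join(bad)}")
    return problems

# Constructed sample input, not taken from any real project.
REQUIREMENTS = ["requests>=2.25,!=2.30.0", "pbr!=2.1.0,>=2.0.0", "oslo.config>=6.0"]
CONSTRAINTS = ["requests===2.31.0", "pbr==6.0.0  # exact pin", "oslo.config==9.4.0"]
```

An empty result means the pinned solution is a valid instance of every project's bounds; a non-empty one is exactly the signal a downstream packager wants when deciding whether a distribution's version falls outside what upstream tested.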