From cosimo at anthrotype.com Sun Jan 7 05:12:35 2018 From: cosimo at anthrotype.com (Cosimo Lupo) Date: Sun, 7 Jan 2018 10:12:35 +0000 Subject: [Distutils] Should abi3 tag be usable on Windows? Message-ID: <86bead53-3fd6-43c7-a176-ddd498ed98b0@Spark> Hello, CFFI has recently added support for Py_LIMITED_API extension modules built for CPython 3. The wheel module since version 0.30.0 also supports passing ?py-limited-api cp3X to bdist_wheel command to allow the generated .whl to be installed on all CPython versions equal or greater than the one specified. Yesterday I was trying to apply this on a cffi-built extension module, and it worked for Linux and macOS but failed for Windows: https://github.com/hynek/argon2_cffi/pull/32 The AssertionError from wheel.pep425tags complains that a tag with abi3 would be unsupported for the target platform. Alex Gronholm commented > imp.get_suffixes() does not seem to contain any ABI3 suffixes, but I'm not sure if this is even applicable on Windows. Incidentally, I noticed one specific package, PyQt5, that distributes both abi3-tagged wheels for Mac and manylinux and Windows wheels for a range of cp35.cp36.cp37 but with abi tag set as ?none?, and they do seem to work. So, can one make such py_limited_api wheels work on Windows with the current state of the tooling, and if so how? Thank you in advance Cosimo Lupo -------------- next part -------------- An HTML attachment was scrubbed... URL: From cosimo at anthrotype.com Sun Jan 7 07:39:44 2018 From: cosimo at anthrotype.com (Cosimo Lupo) Date: Sun, 07 Jan 2018 12:39:44 +0000 Subject: [Distutils] Should abi3 tag be usable on Windows? In-Reply-To: <86bead53-3fd6-43c7-a176-ddd498ed98b0@Spark> References: <86bead53-3fd6-43c7-a176-ddd498ed98b0@Spark> Message-ID: I jut found this related pip issue: https://github.com/pypa/pip/issues/4445 (I myself as @anthrotype commented on that thread back in April last year but then completely forgot...) After re-reading it now, it's still not clear to me what the resolution on that issue was. On Sun, Jan 7, 2018 at 10:12 AM Cosimo Lupo wrote: > Hello, > > CFFI has recently added support for Py_LIMITED_API extension modules built > for CPython 3. > The wheel module since version 0.30.0 also supports passing > ?py-limited-api cp3X to bdist_wheel command to allow the generated .whl to > be installed on all CPython versions equal or greater than the one > specified. > > Yesterday I was trying to apply this on a cffi-built extension module, and > it worked for Linux and macOS but failed for Windows: > > > *https://github.com/hynek/argon2_cffi/pull/32* > > The AssertionError from wheel.pep425tags complains that a tag with abi3 > would be unsupported for the target platform. > > Alex Gronholm commented > > > imp.get_suffixes() does not seem to contain any ABI3 suffixes, but I'm > not sure if this is even applicable on Windows. > > Incidentally, I noticed one specific package, PyQt5, that distributes both > abi3-tagged wheels for Mac and manylinux and Windows wheels for a range of > cp35.cp36.cp37 but with abi tag set as ?none?, and they do seem to work. > > So, can one make such py_limited_api wheels work on Windows with the > current state of the tooling, and if so how? > > Thank you in advance > > Cosimo Lupo > -- Cosimo Lupo -------------- next part -------------- An HTML attachment was scrubbed... URL: From cosimo at anthrotype.com Sun Jan 7 08:40:29 2018 From: cosimo at anthrotype.com (Cosimo Lupo) Date: Sun, 07 Jan 2018 13:40:29 +0000 Subject: [Distutils] Should abi3 tag be usable on Windows? In-Reply-To: References: <86bead53-3fd6-43c7-a176-ddd498ed98b0@Spark> Message-ID: It turns out setuptools is still linking to PYTHON36.DLL instead of PYTHNO3.DLL even when py_limited_api=True https://github.com/pypa/setuptools/issues/1248 This is a different, though somewhat related, problem from the one concering wheel/pip pep425tags disallowing `abi3` tag on Windows. On Sun, Jan 7, 2018 at 12:39 PM Cosimo Lupo wrote: > I jut found this related pip issue: > https://github.com/pypa/pip/issues/4445 > > (I myself as @anthrotype commented on that thread back in April last year > but then completely forgot...) > > After re-reading it now, it's still not clear to me what the resolution on > that issue was. > > On Sun, Jan 7, 2018 at 10:12 AM Cosimo Lupo wrote: > >> Hello, >> >> CFFI has recently added support for Py_LIMITED_API extension modules >> built for CPython 3. >> The wheel module since version 0.30.0 also supports passing >> ?py-limited-api cp3X to bdist_wheel command to allow the generated .whl to >> be installed on all CPython versions equal or greater than the one >> specified. >> >> Yesterday I was trying to apply this on a cffi-built extension module, >> and it worked for Linux and macOS but failed for Windows: >> >> >> *https://github.com/hynek/argon2_cffi/pull/32* >> >> The AssertionError from wheel.pep425tags complains that a tag with abi3 >> would be unsupported for the target platform. >> >> Alex Gronholm commented >> >> > imp.get_suffixes() does not seem to contain any ABI3 suffixes, but I'm >> not sure if this is even applicable on Windows. >> >> Incidentally, I noticed one specific package, PyQt5, that distributes >> both abi3-tagged wheels for Mac and manylinux and Windows wheels for a >> range of cp35.cp36.cp37 but with abi tag set as ?none?, and they do seem to >> work. >> >> So, can one make such py_limited_api wheels work on Windows with the >> current state of the tooling, and if so how? >> >> Thank you in advance >> >> Cosimo Lupo >> > > > -- > Cosimo Lupo > -- Cosimo Lupo -------------- next part -------------- An HTML attachment was scrubbed... URL: From steve.dower at python.org Sun Jan 7 20:31:18 2018 From: steve.dower at python.org (Steve Dower) Date: Mon, 8 Jan 2018 12:31:18 +1100 Subject: [Distutils] Should abi3 tag be usable on Windows? In-Reply-To: References: <86bead53-3fd6-43c7-a176-ddd498ed98b0@Spark> Message-ID: There is a solution to that problem on the linked issue. Basically, you need to declare Py_LIMITED_API in your code or as an extra preprocessor variable. Windows doesn?t use a filename suffix for python3.dll linked extensions as it will be handled at load time. The tag for the wheel is outside of my area, so hopefully someone can chime in on that for you. Cheers, Steve Top-posted from my Windows phone From: Cosimo Lupo Sent: Monday, January 8, 2018 10:32 To: distutils-sig at python.org Subject: Re: [Distutils] Should abi3 tag be usable on Windows? It turns out setuptools is still linking to PYTHON36.DLL instead of PYTHNO3.DLL even when py_limited_api=True https://github.com/pypa/setuptools/issues/1248 This is a different, though somewhat related, problem from the one concering wheel/pip pep425tags disallowing `abi3` tag on Windows. On Sun, Jan 7, 2018 at 12:39 PM Cosimo Lupo wrote: I jut found this related pip issue: https://github.com/pypa/pip/issues/4445 (I myself as @anthrotype commented on that thread back in April last year but then completely forgot...) After re-reading it now, it's still not clear to me what the resolution on that issue was. On Sun, Jan 7, 2018 at 10:12 AM Cosimo Lupo wrote: Hello, CFFI has recently added support for Py_LIMITED_API extension modules built for CPython 3. The wheel module since version 0.30.0 also supports passing ?py-limited-api cp3X to bdist_wheel command to allow the generated .whl to be installed on all CPython versions equal or greater than the one specified. Yesterday I was trying to apply this on a cffi-built extension module, and it worked for Linux and macOS but failed for Windows: https://github.com/hynek/argon2_cffi/pull/32 The AssertionError from wheel.pep425tags complains that a tag with abi3 would be unsupported for the target platform. Alex Gronholm commented > imp.get_suffixes() does not seem to contain any ABI3 suffixes, but I'm not sure if this is even applicable on Windows. Incidentally, I noticed one specific package, PyQt5, that distributes both abi3-tagged wheels for Mac and manylinux and Windows wheels for a range of cp35.cp36.cp37 but with abi tag set as ?none?, and they do seem to work. So, can one make such py_limited_api wheels work on Windows with the current state of the tooling, and if so how? Thank you in advance Cosimo Lupo -- Cosimo Lupo -- Cosimo Lupo -------------- next part -------------- An HTML attachment was scrubbed... URL: From vano at mail.mipt.ru Tue Jan 9 16:02:48 2018 From: vano at mail.mipt.ru (Ivan Pozdeev) Date: Wed, 10 Jan 2018 00:02:48 +0300 Subject: [Distutils] Allow to debug extension modules Message-ID: <81b9894e-4d13-5206-59ad-bdf8e415d235@mail.mipt.ru> In the https://mail.python.org/pipermail/python-ideas/2018-January/048558.html thread, it was discovered that, stumpingly enough, it seems not possible to debug extension modules! * For a release Python, it's not even possible to build an extension without optimizations * For a debug Python, it's possible to build but not possible to install it, or any other package that depends on it Moreover, the feedback says that it makes no sense to build an extension with _DEBUG against a release Python and vice versa. But distutils' build_ext logic does (or at least trying to do since that breaks) just this, as it looks at the --debug option to `build' instead of checking the type of the running Python. Am I missing something crucial here, or do I need to fix distutils now to be able to debug a problem in my extension module? -- Regards, Ivan From vano at mail.mipt.ru Tue Jan 9 17:57:48 2018 From: vano at mail.mipt.ru (Ivan Pozdeev) Date: Wed, 10 Jan 2018 01:57:48 +0300 Subject: [Distutils] Add processor generation, Windows version (and possibly other things) to wheel platform tag Message-ID: This is a follow-up to this thread (the 2nd link is continuation): https://mail.python.org/pipermail/distutils-sig/2017-October/031750.html https://mail.python.org/pipermail/distutils-sig/2017-November/031759.html After discovering https://www.python.org/dev/peps/pep-0425/ , I see that what I was asking for is add more data to the wheel's platform tag. Specifically: * Processor generation if it's higher than what Python officially supports * Windows version if it's higher than what Python officially supports (like it's already done for MacOS) In fact, references to other libraries that the wheel expects on the system that Nick Coghlan proposed in https://www.python.org/dev/peps/pep-0459/ can also be implemented in the platform tag. They belong there with the current infrastructure because: * Anything external to a Python installation that is expected on the system, combined, _is_ the platform. * A wheel's name has to be unique and descriptive (it needs to include everything required for pip to pick the best download). Sure, this can make the name very long, but the more to describe, the longer the description. -- Regards, Ivan From vano at mail.mipt.ru Tue Jan 9 18:16:02 2018 From: vano at mail.mipt.ru (Ivan Pozdeev) Date: Wed, 10 Jan 2018 02:16:02 +0300 Subject: [Distutils] Allow to debug extension modules In-Reply-To: <81b9894e-4d13-5206-59ad-bdf8e415d235@mail.mipt.ru> References: <81b9894e-4d13-5206-59ad-bdf8e415d235@mail.mipt.ru> Message-ID: <83e8f1c2-4f54-0b2f-3098-70957702fad8@mail.mipt.ru> On 10.01.2018 0:02, Ivan Pozdeev via Distutils-SIG wrote: > In the > https://mail.python.org/pipermail/python-ideas/2018-January/048558.html > thread, it was discovered that, stumpingly enough, it seems not > possible to debug extension modules! > > * For a release Python, it's not even possible to build an extension > without optimizations > > * For a debug Python, it's possible to build but not possible to > install it, or any other package that depends on it I see now that it's possible to write `<...>\cpython\python.bat setup.py build --debug install' to install a single package containing an extension. pip is still broken though: try e.g. to install `scandir' (a dependency of IPython) with it. > > Moreover, the feedback says that it makes no sense to build an > extension with _DEBUG against a release Python and vice versa. But > distutils' build_ext logic does (or at least trying to do since that > breaks) just this, as it looks at the --debug option to `build' > instead of checking the type of the running Python. > > Am I missing something crucial here, or do I need to fix distutils now > to be able to debug a problem in my extension module? > -- Regards, Ivan From thomas at kluyver.me.uk Wed Jan 10 08:44:36 2018 From: thomas at kluyver.me.uk (Thomas Kluyver) Date: Wed, 10 Jan 2018 13:44:36 +0000 Subject: [Distutils] PEP 566 - metadata 1.3 changes Message-ID: <1515591876.1977781.1230551776.08931300@webmail.messagingengine.com> I hope everyone has had a good break. :-) I'd like to see PEP 566 move forwards. From the last thread, I think people were mostly happy with it as stands, but there were some proposals to introduce further metadata changes. I'd suggest that we finalise the PEP as it currently stands, and save up other changes for a future metadata revision. One change I would like to the current text is to make more explicit that the format of several fields allowing version specifiers (Requires-Dist, Provides-Dist, Obsoletes-Dist, Requires-External) has changed, as PEP 508 removes the need for parentheses around the version specifier. The section on version specifiers currently refers to PEP 440, which doesn't mention the parentheses at all, and says they are otherwise unchanged from PEP 345, which says parentheses are required. I would like to add some text to that section, such as: "Following PEP 508, version specifiers no longer need to be surrounded by parentheses in the fields Requires-Dist, Provides-Dist, Obsoletes-Dist or Requires-External, so e.g. `requests >= 2.8.1` is now a valid value. The recommended format is without parentheses, but tools parsing metadata should also be able to handle version specifiers in parentheses." Thanks, Thomas From dholth at gmail.com Wed Jan 10 09:54:08 2018 From: dholth at gmail.com (Daniel Holth) Date: Wed, 10 Jan 2018 14:54:08 +0000 Subject: [Distutils] PEP 566 - metadata 1.3 changes In-Reply-To: <1515591876.1977781.1230551776.08931300@webmail.messagingengine.com> References: <1515591876.1977781.1230551776.08931300@webmail.messagingengine.com> Message-ID: AFAICT the only missing feature from old-Metadata-2.0 is "description as message body", which places readable description text after the key/value pairs. On Wed, Jan 10, 2018 at 8:45 AM Thomas Kluyver wrote: > I hope everyone has had a good break. :-) > > I'd like to see PEP 566 move forwards. From the last thread, I think > people were mostly happy with it as stands, but there were some proposals > to introduce further metadata changes. I'd suggest that we finalise the PEP > as it currently stands, and save up other changes for a future metadata > revision. > > One change I would like to the current text is to make more explicit that > the format of several fields allowing version specifiers (Requires-Dist, > Provides-Dist, Obsoletes-Dist, Requires-External) has changed, as PEP 508 > removes the need for parentheses around the version specifier. > > The section on version specifiers currently refers to PEP 440, which > doesn't mention the parentheses at all, and says they are otherwise > unchanged from PEP 345, which says parentheses are required. I would like > to add some text to that section, such as: > > "Following PEP 508, version specifiers no longer need to be surrounded by > parentheses in the fields Requires-Dist, Provides-Dist, Obsoletes-Dist or > Requires-External, so e.g. `requests >= 2.8.1` is now a valid value. The > recommended format is without parentheses, but tools parsing metadata > should also be able to handle version specifiers in parentheses." > > Thanks, > Thomas > > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ncoghlan at gmail.com Wed Jan 10 18:42:09 2018 From: ncoghlan at gmail.com (Nick Coghlan) Date: Thu, 11 Jan 2018 09:42:09 +1000 Subject: [Distutils] PEP 566 - metadata 1.3 changes In-Reply-To: References: <1515591876.1977781.1230551776.08931300@webmail.messagingengine.com> Message-ID: +1 from me for the adjustment Thomas suggested, since that's in the intended vein of "properly document the status quo". On 11 January 2018 at 00:54, Daniel Holth wrote: > AFAICT the only missing feature from old-Metadata-2.0 is "description as > message body", which places readable description text after the key/value > pairs. Do pip/PyPI/et al currently support that? If yes, then I think it would be good to include. On the other hand, if it's a genuine enhancement, then we probably want to defer it to metadata 1.4 in order to clearly separate the "Update the specification to match reality" step from the "Further improve the usability of the specification" step. Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From thomas at kluyver.me.uk Fri Jan 12 10:26:40 2018 From: thomas at kluyver.me.uk (Thomas Kluyver) Date: Fri, 12 Jan 2018 15:26:40 +0000 Subject: [Distutils] PEP 566 - metadata 1.3 changes In-Reply-To: References: <1515591876.1977781.1230551776.08931300@webmail.messagingengine.com>

Message-ID: <1515770800.3215267.1233239040.16CD87E7@webmail.messagingengine.com> On Wed, Jan 10, 2018, at 11:42 PM, Nick Coghlan wrote: > On 11 January 2018 at 00:54, Daniel Holth wrote: > > AFAICT the only missing feature from old-Metadata-2.0 is "description as > > message body", which places readable description text after the key/value > > pairs. > > Do pip/PyPI/et al currently support that? It looks like twine supports it, at least for wheels: https://github.com/pypa/twine/blob/f74eae5506300387572c65c9dbfe240d927788c2/twine/wheel.py#L99 I don't think pip needs to support it (does pip do anything with descriptions?). I haven't looked at PyPI's code, but I'd guess it uses the metadata sent with the upload by tools like twine and flit. Thomas From alex.gronholm at nextday.fi Fri Jan 12 11:00:21 2018 From: alex.gronholm at nextday.fi (=?UTF-8?Q?Alex_Gr=c3=b6nholm?=) Date: Fri, 12 Jan 2018 18:00:21 +0200 Subject: [Distutils] PEP 566 - metadata 1.3 changes In-Reply-To: <1515770800.3215267.1233239040.16CD87E7@webmail.messagingengine.com> References: <1515591876.1977781.1230551776.08931300@webmail.messagingengine.com>

<1515770800.3215267.1233239040.16CD87E7@webmail.messagingengine.com> Message-ID: On the same note, wheel currently writes "2.0" as its metadata version. Shouldn't this be changed into 1.3 (along with ditching metadata.json)? Thomas Kluyver kirjoitti 12.01.2018 klo 17:26: > On Wed, Jan 10, 2018, at 11:42 PM, Nick Coghlan wrote: >> On 11 January 2018 at 00:54, Daniel Holth wrote: >>> AFAICT the only missing feature from old-Metadata-2.0 is "description as >>> message body", which places readable description text after the key/value >>> pairs. >> Do pip/PyPI/et al currently support that? > It looks like twine supports it, at least for wheels: > https://github.com/pypa/twine/blob/f74eae5506300387572c65c9dbfe240d927788c2/twine/wheel.py#L99 > > I don't think pip needs to support it (does pip do anything with descriptions?). I haven't looked at PyPI's code, but I'd guess it uses the metadata sent with the upload by tools like twine and flit. > > Thomas > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig From dholth at gmail.com Fri Jan 12 11:02:58 2018 From: dholth at gmail.com (Daniel Holth) Date: Fri, 12 Jan 2018 16:02:58 +0000 Subject: [Distutils] PEP 566 - metadata 1.3 changes In-Reply-To: References: <1515591876.1977781.1230551776.08931300@webmail.messagingengine.com>

<1515770800.3215267.1233239040.16CD87E7@webmail.messagingengine.com> Message-ID: Yes, after the PEP is prep'd. On Fri, Jan 12, 2018 at 11:00 AM Alex Gr?nholm wrote: > On the same note, wheel currently writes "2.0" as its metadata version. > Shouldn't this be changed into 1.3 (along with ditching metadata.json)? > > > Thomas Kluyver kirjoitti 12.01.2018 klo 17:26: > > On Wed, Jan 10, 2018, at 11:42 PM, Nick Coghlan wrote: > >> On 11 January 2018 at 00:54, Daniel Holth wrote: > >>> AFAICT the only missing feature from old-Metadata-2.0 is "description > as > >>> message body", which places readable description text after the > key/value > >>> pairs. > >> Do pip/PyPI/et al currently support that? > > It looks like twine supports it, at least for wheels: > > > https://github.com/pypa/twine/blob/f74eae5506300387572c65c9dbfe240d927788c2/twine/wheel.py#L99 > > > > I don't think pip needs to support it (does pip do anything with > descriptions?). I haven't looked at PyPI's code, but I'd guess it uses the > metadata sent with the upload by tools like twine and flit. > > > > Thomas > > _______________________________________________ > > Distutils-SIG maillist - Distutils-SIG at python.org > > https://mail.python.org/mailman/listinfo/distutils-sig > > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig > -------------- next part -------------- An HTML attachment was scrubbed... URL: From donald at stufft.io Fri Jan 12 15:51:23 2018 From: donald at stufft.io (Donald Stufft) Date: Fri, 12 Jan 2018 15:51:23 -0500 Subject: [Distutils] Deprecating/Removing OpenID/Google login support for PyPI Message-ID: As folks are likely aware, legacy PyPI currently supports logging in using OpenID and Google Auth while Warehouse does not. After much deliberation, I?ve decided that Warehouse will not be implementing OpenID or Google logins, and once we shutdown legacy PyPI, OpenID/ and Google logins to PyPI will no longer be possible. This decision was made for a few reasons: * Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference. * Regardless of how you log into PyPI (Password or Google/OpenID) you?re required to have a password added to your account to actually upload anything to PyPI. This negates much of the benefit of a federated authentication for PyPI as it stands. * Keeping these requires ongoing maintenance to deal with any changes in the specification or to update as Google deprecates/changes things. * Adding support for them to Warehouse requires additional work that could better be used elsewhere, where it would have a higher impact. - Donald From cosimo at anthrotype.com Sat Jan 13 13:00:44 2018 From: cosimo at anthrotype.com (Cosimo Lupo) Date: Sat, 13 Jan 2018 18:00:44 +0000 Subject: [Distutils] Should abi3 tag be usable on Windows? In-Reply-To: <5a52c9ea.e495500a.d4117.7fc0SMTPIN_ADDED_MISSING@mx.google.com> References: <86bead53-3fd6-43c7-a176-ddd498ed98b0@Spark> <5a52c9ea.e495500a.d4117.7fc0SMTPIN_ADDED_MISSING@mx.google.com> Message-ID: Thank you, Steve. Ok so, setuptools can successfully build extension modules with Py_LIMITED_API on Windows, with a generic *.pyd suffix and no extra tags. However, there are still two problems before I can distribute them: 1) it's not clear how wheels containing such extension modules should be tagged on Windows, given that `abi3` tag is not recognized for that platform. The function imp.get_suffixes() used by both pip and wheel to get the list of supported tags does not return any abi3 suffixes on Windows, and for this reason the bdist_wheel command assumes from this that Windows does not support extensions built with Py_LIMITED_API, and gives an error. Some have resorted to tagging their Windows wheels with abi "none" to work around this, however "none" seems to imply that extension does not use the Python ABI which is not true. Alex Gr?nholm (current maintainer of pypa/wheel package) pointed me to this other related discussion on distutils-sig (from 2013) where Paul Moore explains what the problem is: https://mail.python.org/pipermail/distutils-sig/2013-February/020022.html Has anything happened since the to address this either in the PEPs and/or the tooling? 2) the current virtualenv module (not the built-in venv) does not copy over the required PYTHON3.DLL and thus importing such extension modules from within the virtual environment fails. The latter issue was already fixed in virtualenv's master branch, but virtualenv package hasn't seen a release since then (the last release 15.10.0 was in November 2016). https://github.com/pypa/virtualenv/pull/1083 I would love to take advantage of CPython limited API feature, and be able to distribute a one/two wheels per platform instead of four (multiply that by two for 32 vs 64 bit arch), and having to rebuild one for each new Python 3.x release. It works fine for Linux and macOS; I hope that Windows python users will also be able to enjoy this soon. I am willing to contribute my time to help solving this issue. Thanks, Cosimo On Mon, Jan 8, 2018 at 1:31 AM Steve Dower wrote: > There is a solution to that problem on the linked issue. Basically, you > need to declare Py_LIMITED_API in your code or as an extra preprocessor > variable. > > > > Windows doesn?t use a filename suffix for python3.dll linked extensions as > it will be handled at load time. The tag for the wheel is outside of my > area, so hopefully someone can chime in on that for you. > > > > Cheers, > > Steve > > > > Top-posted from my Windows phone > > > > *From: *Cosimo Lupo > *Sent: *Monday, January 8, 2018 10:32 > *To: *distutils-sig at python.org > *Subject: *Re: [Distutils] Should abi3 tag be usable on Windows? > > > > It turns out setuptools is still linking to PYTHON36.DLL instead of > PYTHNO3.DLL even when py_limited_api=True > > https://github.com/pypa/setuptools/issues/1248 > > > > This is a different, though somewhat related, problem from the one > concering wheel/pip pep425tags disallowing `abi3` tag on Windows. > > > > > > On Sun, Jan 7, 2018 at 12:39 PM Cosimo Lupo wrote: > > I jut found this related pip issue: > https://github.com/pypa/pip/issues/4445 > > > > (I myself as @anthrotype commented on that thread back in April last year > but then completely forgot...) > > > > After re-reading it now, it's still not clear to me what the resolution on > that issue was. > > > > On Sun, Jan 7, 2018 at 10:12 AM Cosimo Lupo wrote: > > Hello, > > CFFI has recently added support for Py_LIMITED_API extension modules built > for CPython 3. > The wheel module since version 0.30.0 also supports passing > ?py-limited-api cp3X to bdist_wheel command to allow the generated .whl to > be installed on all CPython versions equal or greater than the one > specified. > > Yesterday I was trying to apply this on a cffi-built extension module, and > it worked for Linux and macOS but failed for Windows: > > https://github.com/hynek/argon2_cffi/pull/32 > > The AssertionError from wheel.pep425tags complains that a tag with abi3 > would be unsupported for the target platform. > > Alex Gronholm commented > > > imp.get_suffixes() does not seem to contain any ABI3 suffixes, but I'm > not sure if this is even applicable on Windows. > > Incidentally, I noticed one specific package, PyQt5, that distributes both > abi3-tagged wheels for Mac and manylinux and Windows wheels for a range of > cp35.cp36.cp37 but with abi tag set as ?none?, and they do seem to work. > > So, can one make such py_limited_api wheels work on Windows with the > current state of the tooling, and if so how? > > Thank you in advance > > > > Cosimo Lupo > > > > -- > > Cosimo Lupo > > > > -- > > Cosimo Lupo > > > -- Cosimo Lupo -------------- next part -------------- An HTML attachment was scrubbed... URL: From bussonniermatthias at gmail.com Sat Jan 13 13:39:44 2018 From: bussonniermatthias at gmail.com (Matthias Bussonnier) Date: Sat, 13 Jan 2018 19:39:44 +0100 Subject: [Distutils] Deprecating/Removing OpenID/Google login support for PyPI In-Reply-To: References: Message-ID: > * Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference. Not opposing to open-id/Google-ID removal, but I would love to login-with-google, though because I already have an account (and can't associate my google account with the PyPI one) I'm not using login with google. Also it did not work for as long as I can remember. So the low number of people actually _using_ it might not reflect people who would like to use it. Maybe look at the number of people trying and failing ? -- M On 12 January 2018 at 21:51, Donald Stufft wrote: > As folks are likely aware, legacy PyPI currently supports logging in using > OpenID and Google Auth while Warehouse does not. After much deliberation, > I?ve decided that Warehouse will not be implementing OpenID or Google > logins, and once we shutdown legacy PyPI, OpenID/ and Google logins to PyPI > will no longer be possible. > > This decision was made for a few reasons: > > * Very few people actually are using OpenID or Google logins as it is. In > one month we had ~15k logins using the web form, ~5k using basic auth, and > 62 using Google and 7 using OpenID. This is a several orders of magnitude > difference. > * Regardless of how you log into PyPI (Password or Google/OpenID) you?re > required to have a password added to your account to actually upload > anything to PyPI. This negates much of the benefit of a federated > authentication for PyPI as it stands. > * Keeping these requires ongoing maintenance to deal with any changes in > the specification or to update as Google deprecates/changes things. > * Adding support for them to Warehouse requires additional work that could > better be used elsewhere, where it would have a higher impact. > > - Donald > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wes.turner at gmail.com Sat Jan 13 13:55:30 2018 From: wes.turner at gmail.com (Wes Turner) Date: Sat, 13 Jan 2018 13:55:30 -0500 Subject: [Distutils] Deprecating/Removing OpenID/Google login support for PyPI In-Reply-To: References: Message-ID: python-social-auth supports OAuth 1, OAuth 2, OpenID, SAML with many auth providers and python trsmeworks; including Pyramid, BitBucket, Google, GitHub, GitLab, https://python-social-auth.readthedocs.io/en/latest/ http://python-social-auth.readthedocs.io/en/latest/backends/ https://github.com/python-social-auth/social-app-pyramid/ There's likely someone with more experience with a different authentication abstraction API? https://github.com/uralbash/awesome-pyramid/#authentication lists quite a few authentication and authorization systems which may also be useful for implementing TUF? On Friday, January 12, 2018, Donald Stufft wrote: > As folks are likely aware, legacy PyPI currently supports logging in using > OpenID and Google Auth while Warehouse does not. After much deliberation, > I?ve decided that Warehouse will not be implementing OpenID or Google > logins, and once we shutdown legacy PyPI, OpenID/ and Google logins to PyPI > will no longer be possible. > > This decision was made for a few reasons: > > * Very few people actually are using OpenID or Google logins as it is. In > one month we had ~15k logins using the web form, ~5k using basic auth, and > 62 using Google and 7 using OpenID. This is a several orders of magnitude > difference. > * Regardless of how you log into PyPI (Password or Google/OpenID) you?re > required to have a password added to your account to actually upload > anything to PyPI. This negates much of the benefit of a federated > authentication for PyPI as it stands. > * Keeping these requires ongoing maintenance to deal with any changes in > the specification or to update as Google deprecates/changes things. > * Adding support for them to Warehouse requires additional work that could > better be used elsewhere, where it would have a higher impact. > > - Donald > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG at python.org > https://mail.python.org/mailman/listinfo/distutils-sig > -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomas at kluyver.me.uk Sat Jan 13 13:59:48 2018 From: thomas at kluyver.me.uk (Thomas Kluyver) Date: Sat, 13 Jan 2018 18:59:48 +0000 Subject: [Distutils] Deprecating/Removing OpenID/Google login support for PyPI In-Reply-To: References: Message-ID: <1515869988.720882.1234315968.3EBF05CE@webmail.messagingengine.com> On Sat, Jan 13, 2018, at 6:39 PM, Matthias Bussonnier wrote: > Not opposing to open-id/Google-ID removal, but I would love to login-with- > google, though because I already have an account (and can't associate > my google account with the PyPI one) I'm not using login with google. > Also it did not work for as long as I can remember. So the low number > of people actually _using_ it might not reflect people who would like > to use it. Maybe look at the number of people trying and failing ? On the other hand, I created my account using OpenID years ago, and now I always log in with a password. Based on the numbers Donald gave, I don't think it's worth spending more time investigating the demand. If there really is demand, people will make it known on issues etc., and it could be considered for Warehouse further down the line. For now, passwords are working, and there are more important things to build and maintain. Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: From ncoghlan at gmail.com Sun Jan 14 09:29:42 2018 From: ncoghlan at gmail.com (Nick Coghlan) Date: Mon, 15 Jan 2018 00:29:42 +1000 Subject: [Distutils] Deprecating/Removing OpenID/Google login support for PyPI In-Reply-To: <1515869988.720882.1234315968.3EBF05CE@webmail.messagingengine.com> References: <1515869988.720882.1234315968.3EBF05CE@webmail.messagingengine.com> Message-ID: On 14 January 2018 at 04:59, Thomas Kluyver wrote: > Based on the numbers Donald gave, I don't think it's worth spending more > time investigating the demand. If there really is demand, people will make > it known on issues etc., and it could be considered for Warehouse further > down the line. For now, passwords are working, and there are more important > things to build and maintain. Something else I'll note here is that there are a few things we want to explore post-Warehouse migration that require PyPI to serve as its own identity provider: - two-factor authentication support - orgs, teams, and role-based access control - revocable CLI (and other app) token support Adding back social auth some time post-migration will likely still be an option (similar to the way Atlassian allow social auth logins to establish and authenticate for BitBucket accounts), it would just be lower priority than the above (and leaving it out for the time being should simplify the development of the above capabilities). Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From chris at withers.org Mon Jan 15 03:00:49 2018 From: chris at withers.org (Chris Withers) Date: Mon, 15 Jan 2018 08:00:49 +0000 Subject: [Distutils] pipenv best practices? Message-ID: Hi All, Couldn't find an obviously better discussion forum than this for pipenv stuff, but please point me to where the rest of the discussions are happening... So, with pipenv, what files do we version control for a project? both Pipfile and Pipfile.lock? Hopefully one I missed from the docs: with the correct files source controlled, how do I reproduce the environment on another machine? Continuing on the deployment theme: I'm used to being able to put /path/to/some/ve/bin/some_script in crontabs and the like, where some_script comes form a setuptools entry point. What's the canonical way of doing this with pipenv? Last up, how should pipenv be used for library development? (ie: where dependencies and minimal constraints are expressed in setup.py and where you want to test against as many python versions and library combinations as you support). Other than sadness around capitalisation of the config file names, it looks really exciting :-) cheers, Chris From j.orponen at 4teamwork.ch Mon Jan 15 02:03:05 2018 From: j.orponen at 4teamwork.ch (Joni Orponen) Date: Mon, 15 Jan 2018 08:03:05 +0100 Subject: [Distutils] Deprecating/Removing OpenID/Google login support for PyPI In-Reply-To: References: Message-ID: On Fri, Jan 12, 2018 at 9:51 PM, Donald Stufft wrote: > As folks are likely aware, legacy PyPI currently supports logging in using > OpenID and Google Auth while Warehouse does not. After much deliberation, > I?ve decided that Warehouse will not be implementing OpenID or Google > logins, and once we shutdown legacy PyPI, OpenID/ and Google logins to PyPI > will no longer be possible. > > This decision was made for a few reasons: > > * Very few people actually are using OpenID or Google logins as it is. In > one month we had ~15k logins using the web form, ~5k using basic auth, and > 62 using Google and 7 using OpenID. This is a several orders of magnitude > difference. > For reference: OpenID has never worked for me and I think content blockers rip out the Google option for me. * Regardless of how you log into PyPI (Password or Google/OpenID) you?re > required to have a password added to your account to actually upload > anything to PyPI. This negates much of the benefit of a federated > authentication for PyPI as it stands. > OAuth app tokens are a possible way to achieve this as well and might suite various release pipelines better. * Keeping these requires ongoing maintenance to deal with any changes in > the specification or to update as Google deprecates/changes things. > * Adding support for them to Warehouse requires additional work that could > better be used elsewhere, where it would have a higher impact. > All that said, +1 for not bothering with it. If it ever is tackled, I'm sure this day and age will bring more, more visible and more direct feedback on it working or not working for users than the previous iteration. -- Joni Orponen -------------- next part -------------- An HTML attachment was scrubbed... URL: From brett at python.org Mon Jan 15 14:46:09 2018 From: brett at python.org (Brett Cannon) Date: Mon, 15 Jan 2018 19:46:09 +0000 Subject: [Distutils] pipenv best practices? In-Reply-To: References: Message-ID: On Mon, 15 Jan 2018 at 00:33 Chris Withers wrote: > Hi All, > > Couldn't find an obviously better discussion forum than this for pipenv > stuff, but please point me to where the rest of the discussions are > happening... > Not here from what I can tell. :) Probably your best bet is to ask on the pipenv GitHub project and file an issue so the pipenv docs can give you guidance. I know for me personally it's getting a bit hazy between this list and pypa-dev where stuff should go (I'm personally starting to shift towards pypa-dev and considering this actually for distutils proper). But I happen to know the answer to your pipenv questions, Chris, so I'll answer them here. > > So, with pipenv, what files do we version control for a project? both > Pipfile and Pipfile.lock? > Yes. > Hopefully one I missed from the docs: with the correct files source > controlled, how do I reproduce the environment on another machine? > pipenv install --ignore-pipfile > > Continuing on the deployment theme: I'm used to being able to put > /path/to/some/ve/bin/some_script in crontabs and the like, where > some_script comes form a setuptools entry point. > What's the canonical way of doing this with pipenv? > Beats me. I think there's a command to get back to the venv that pipenv created on your behalf. > > Last up, how should pipenv be used for library development? (ie: where > dependencies and minimal constraints are expressed in setup.py and where > you want to test against as many python versions and library > combinations as you support). > That doesn't fall under pipenv's purview. Think of pipenv as trying to make venv + pip easier to work with. Since you don't use pip to express dependencies for your library then you shouldn't with pipenv either. Or put another way, think of your pipfile as just a different format for a requirements.txt file, not a replacement for flit or setuptools. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sh at changeset.nyc Mon Jan 15 22:33:09 2018 From: sh at changeset.nyc (Sumana Harihareswara) Date: Mon, 15 Jan 2018 22:33:09 -0500 Subject: [Distutils] Fwd: Warehouse update: recent progress In-Reply-To: References: Message-ID: Forwarding from pypa-dev. -------- Forwarded Message -------- Subject: Warehouse update: recent progress Date: Mon, 15 Jan 2018 22:32:45 -0500 From: Sumana Harihareswara To: pypa-dev at googlegroups.com Happy new year! After the late-December holiday season, the Warehouse team had a meeting and followup chats last week to discuss the first milestone, the MVP for package maintainers to try Warehouse and give feedback.[0] Full notes from a January 10th meeting and its followups are on the PSF wiki.[1] Highlights from that meeting and related work in the last week and change: * A number of items were blocked on Nicole Harris's availability -- she's the designer working on our front-end views. We sorted out things she needs and are making better progress on those now. * Donald wrote to distutils-sig[2] about removing OpenID/Google login support for PyPI.[3] * Ernest and Nicole are working on a maintainer views meta-issue to "Classify, describe, and share the *current* functionality implemented by PyPI to assist contributors while developing warehouse's maintainer UI."[4] * The Warehouse roadmap, which previously only lived in GitHub milestone descriptions, is now all in one wiki page for easier reading and linking.[5] * Dustin has been working on adding the ability for a project owner to add/remove roles for their projects.[6] * Ernest has been continuing to work on deployment infrastructure, which is getting more robust and resilient. * We've created, reviewed, improved, and/or merged several other pull requests to Warehouse and related projects. In particular, development is now getting easier, as we have an SMTP service for development[7] and a better Makefile[8], and are getting better testing instructions.[9] We are incrementally getting a clearer picture of what work is left in this milestone so I can get you an estimate of when the Maintainer MVP will be. And Warehouse continues to get easier to hack on; feel free to join us on Freenode in case you want any help as you poke around the Warehouse code![10] [0] https://github.com/pypa/warehouse/milestone/8 [1] https://wiki.python.org/psf/PackagingWG/2018-01-10-Warehouse [2] https://mail.python.org/pipermail/distutils-sig/2018-January/031855.html [3] https://github.com/pypa/warehouse/issues/61 [4] https://github.com/pypa/warehouse/issues/2734 [5] https://wiki.python.org/psf/WarehouseRoadmap [6] https://github.com/pypa/warehouse/pull/2705 [7] https://github.com/pypa/warehouse/pull/2709 [8] https://github.com/pypa/warehouse/pull/2728 [9] https://github.com/pypa/warehouse/pull/2758 [10] https://webchat.freenode.net/?channels=%23pypa-dev -- Sumana Harihareswara Changeset Consulting https://changeset.nyc From ncoghlan at gmail.com Mon Jan 15 23:24:54 2018 From: ncoghlan at gmail.com (Nick Coghlan) Date: Tue, 16 Jan 2018 14:24:54 +1000 Subject: [Distutils] pipenv best practices? In-Reply-To: References: Message-ID: On 16 January 2018 at 05:46, Brett Cannon wrote: > On Mon, 15 Jan 2018 at 00:33 Chris Withers wrote: >> >> Hi All, >> >> Couldn't find an obviously better discussion forum than this for pipenv >> stuff, but please point me to where the rest of the discussions are >> happening... > > > Not here from what I can tell. :) Probably your best bet is to ask on the > pipenv GitHub project and file an issue so the pipenv docs can give you > guidance. I know for me personally it's getting a bit hazy between this list > and pypa-dev where stuff should go (I'm personally starting to shift towards > pypa-dev and considering this actually for distutils proper). Personally, I don't think mailing lists in general are a great medium for asking usage and support questions. Anyway, we genuinely don't have a clear answer to this question, so I've posted a meta-issue on the pipenv tracker to decide how we want to handle it: https://github.com/pypa/pipenv/issues/1305 >> Continuing on the deployment theme: I'm used to being able to put >> /path/to/some/ve/bin/some_script in crontabs and the like, where >> some_script comes form a setuptools entry point. >> What's the canonical way of doing this with pipenv? > > Beats me. I think there's a command to get back to the venv that pipenv > created on your behalf. "pipenv --venv" gives the path for the current project, so what I tend to do is run "ls -s $(pipenv --venv) .venv" from the directory containing Pipfile and Pipfile.lock in order to create a deterministic path name. >> Last up, how should pipenv be used for library development? (ie: where >> dependencies and minimal constraints are expressed in setup.py and where >> you want to test against as many python versions and library >> combinations as you support). > > That doesn't fall under pipenv's purview. Think of pipenv as trying to make > venv + pip easier to work with. Since you don't use pip to express > dependencies for your library then you shouldn't with pipenv either. Or put > another way, think of your pipfile as just a different format for a > requirements.txt file, not a replacement for flit or setuptools. pipenv does cover this case to some degree - the trick is that it involves thinking of your library's *test suite* as the application you want to deploy. (Hence the reference to "development and testing environments" at the end of the intro to https://packaging.python.org/tutorials/managing-dependencies/) For that case, you don't put *any* of your dependencies from `setup.py` into `Pipfile`, you just run "pipenv install -e src", which will give you a Pipfile entry like: "" = {editable = true, path = "src"} I personally then edit that entry to replace the commit hash with the actual project name All the testing and linting dependencies then go under [dev-packages]. The part you can't fully rely on yet is the lock file, since that aims to lock down the version of Python as well, not just the versions of the Python level dependencies. So if you're testing across multiple versions (e.g. with tox), the best current approach is to use "pipenv lock --requirements" to export just the library dependencies from Pipfile.lock. That's an area that could definitely use some UX improvement, but it isn't clear to me at this point what that would actually look like (short of adding a notion of named "install profiles" to the lock file format, which could then be aligned with tox test environments). Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From ncoghlan at gmail.com Mon Jan 15 23:25:59 2018 From: ncoghlan at gmail.com (Nick Coghlan) Date: Tue, 16 Jan 2018 14:25:59 +1000 Subject: [Distutils] pipenv best practices? In-Reply-To: References:

Message-ID: On 16 January 2018 at 14:24, Nick Coghlan wrote: > On 16 January 2018 at 05:46, Brett Cannon wrote: >> On Mon, 15 Jan 2018 at 00:33 Chris Withers wrote: >>> Continuing on the deployment theme: I'm used to being able to put >>> /path/to/some/ve/bin/some_script in crontabs and the like, where >>> some_script comes form a setuptools entry point. >>> What's the canonical way of doing this with pipenv? >> >> Beats me. I think there's a command to get back to the venv that pipenv >> created on your behalf. > > "pipenv --venv" gives the path for the current project, so what I tend > to do is run "ls -s $(pipenv --venv) .venv" from the directory > containing Pipfile and Pipfile.lock in order to create a deterministic > path name. Oops, that should have been "ln -s $(pipenv --venv) .venv". Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From chris at withers.org Tue Jan 16 03:08:06 2018 From: chris at withers.org (Chris Withers) Date: Tue, 16 Jan 2018 08:08:06 +0000 Subject: [Distutils] pipenv best practices? In-Reply-To: References: Message-ID: <6b8db301-8ac7-8537-c162-4cace0ac2b48@withers.org> On 15/01/2018 19:46, Brett Cannon wrote: > > But I happen to know the answer to your pipenv questions, Chris, so I'll > answer them here. Continuing here then :-) > So, with pipenv, what files do we version control for a project? both > Pipfile and Pipfile.lock? > > > Yes. great, thanks! How does Pipfile.lock work in the context of a project which may be installed on multiple operating systems with different final package requirements? > Hopefully one I missed from the docs: with the correct files source > controlled, how do I reproduce the environment on another machine? > > pipenv install --ignore-pipfile That's a surprising spelling. Why does Pipfile need to be ignored? Surely Pipfile.lock will be consulted if present and used for the explicit requirements? > Last up, how should pipenv be used for library development? (ie: where > dependencies and minimal constraints are expressed in setup.py and where > you want to test against as many python versions and library > combinations as you support). > > > That doesn't fall under pipenv's purview. Think of pipenv as trying to > make venv + pip easier to work with. Since you don't use pip to express > dependencies for your library then you shouldn't with pipenv either. Or > put another way, think of your pipfile as just a different format for a > requirements.txt file, not a replacement for flit or setuptools. Well, kinda, pipenv is shaping up to be the "replacement" for pip+virtualenv, where the latter becomes just an implementation detail. Would be great if it had a good story for that use case :-) cheers, Chris From chris at withers.org Tue Jan 16 03:16:25 2018 From: chris at withers.org (Chris Withers) Date: Tue, 16 Jan 2018 08:16:25 +0000 Subject: [Distutils] pipenv best practices? In-Reply-To: References:

Message-ID: <5c7f2499-32e5-0cd0-237d-fb1e15aa53fd@withers.org> On 16/01/2018 04:24, Nick Coghlan wrote: > Anyway, we genuinely don't have a clear answer to this question, so > I've posted a meta-issue on the pipenv tracker to decide how we want > to handle it: https://github.com/pypa/pipenv/issues/1305 Thanks! >>> Continuing on the deployment theme: I'm used to being able to put >>> /path/to/some/ve/bin/some_script in crontabs and the like, where >>> some_script comes form a setuptools entry point. >>> What's the canonical way of doing this with pipenv? >> > "pipenv --venv" gives the path for the current project, so what I tend > to do is run "ln -s $(pipenv --venv) .venv" from the directory > containing Pipfile and Pipfile.lock in order to create a deterministic > path name. Hmm, that feels hacky. It doesn't feel like there's consensus on this issue, and there's enough dupes coming in that it feels a shame that https://github.com/pypa/pipenv/issues/1049 has been closed. I actually want both use cases in different scenarios. For dev, I typically want one venv per python version (how do I do that?) somewhere central. For deployment, I want a ./.venv or ./ve right next to the Pipfile. >>> Last up, how should pipenv be used for library development? (ie: where >>> dependencies and minimal constraints are expressed in setup.py and where >>> you want to test against as many python versions and library >>> combinations as you support). >> > pipenv does cover this case to some degree - the trick is that it > involves thinking of your library's *test suite* as the application > you want to deploy. (Hence the reference to "development and testing > environments" at the end of the intro to > https://packaging.python.org/tutorials/managing-dependencies/) As an aside: I find the doc split difficult. Even as a relatively experience python dev, knowing that I wanted to figure out what pipenv does and how to use it, I started at http://pipenv.readthedocs.io/en/latest/ which has no links to the tutorial(s). > For that case, you don't put *any* of your dependencies from > `setup.py` into `Pipfile`, you just run "pipenv install -e src", which > will give you a Pipfile entry like: > > "" = {editable = true, path = "src"} > > I personally then edit that entry to replace the commit hash with the > actual project name I'm afraid I don't know enough about pipenv internals to understand the implications of the above, or why you might want to change the commit has to the project name, and indeed, what the implications of that might be. > All the testing and linting dependencies then go under [dev-packages]. Where can I find out more about [dev-packages]? > The part you can't fully rely on yet is the lock file, since that aims > to lock down the version of Python as well, not just the versions of > the Python level dependencies. So if you're testing across multiple > versions (e.g. with tox), ...or a .travis.yml axis for CI, or just separate venvs for local dev, in my case... > the best current approach is to use "pipenv > lock --requirements" to export just the library dependencies from > Pipfile.lock. ...but what do I do with Pipfile.lock then? .gitigore? cheers, Chris From p.f.moore at gmail.com Tue Jan 16 04:47:18 2018 From: p.f.moore at gmail.com (Paul Moore) Date: Tue, 16 Jan 2018 09:47:18 +0000 Subject: [Distutils] pipenv best practices? In-Reply-To: <6b8db301-8ac7-8537-c162-4cace0ac2b48@withers.org> References: <6b8db301-8ac7-8537-c162-4cace0ac2b48@withers.org> Message-ID: On 16 January 2018 at 08:08, Chris Withers wrote: >> That doesn't fall under pipenv's purview. Think of pipenv as trying to >> make venv + pip easier to work with. Since you don't use pip to express >> dependencies for your library then you shouldn't with pipenv either. Or put >> another way, think of your pipfile as just a different format for a >> requirements.txt file, not a replacement for flit or setuptools. > > > Well, kinda, pipenv is shaping up to be the "replacement" for > pip+virtualenv, where the latter becomes just an implementation detail. > Would be great if it had a good story for that use case :-) I think the big issue is that it's not clear what use cases pipenv is *trying* to address. Your description of it being a "replacement" for pip+virtualenv is more or less what I originally assumed it was intended to be. But I tripped over this a while back, when I found it very difficult to use pipenv on a project where I needed to: 1. Reference an unreleased version of a project from github 2. Have one of its dependencies be satisfied from a locally (within the project directory) stored copy of a wheel, as there was no suitable wheel on PyPI. I can't recall the details - they are in various issues on the pipenv tracker - but it was clear that I was trying to do something that wasn't considered "expected use" of pipenv, and I was getting very frustrated by the workarounds I needed to use to support my requirements. The guys on the pipenv tracker were very helpful, but when you're hitting design limitations, you can't expect quick fixes, so I ended up going back to pew + requrements.txt. I think that if the pipenv docs had some better guidance on what use cases it was intended to cover (and what it wasn't, in relation to the broader range of pip+virtualenv use cases) that would help people better understand its place in the ecosystem. Paul From ncoghlan at gmail.com Tue Jan 16 05:03:13 2018 From: ncoghlan at gmail.com (Nick Coghlan) Date: Tue, 16 Jan 2018 20:03:13 +1000 Subject: [Distutils] pipenv best practices? In-Reply-To: References: <6b8db301-8ac7-8537-c162-4cace0ac2b48@withers.org> Message-ID: On 16 January 2018 at 19:47, Paul Moore wrote: > I think that if the pipenv docs had some better guidance on what use > cases it was intended to cover (and what it wasn't, in relation to the > broader range of pip+virtualenv use cases) that would help people > better understand its place in the ecosystem. That's fair, and making the PyPUG tutorial specifically about *application* dependency management was an initial step in that direction - for the library development use case, you're generally going to step out of pipenv's world as soon as you try to run your tests across multiple versions. The basic usage constraint is that pipenv expects you to control your target Python version, and it expects you to have exactly one - to go beyond that (as is needed for multi-version library support), you'll still need to drop down to the lower level tooling, either skipping the use of pipenv entirely, or else by using `pipfile lock --requirements` to shift levels. Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From p.f.moore at gmail.com Tue Jan 16 05:22:36 2018 From: p.f.moore at gmail.com (Paul Moore) Date: Tue, 16 Jan 2018 10:22:36 +0000 Subject: [Distutils] pipenv use cases Message-ID: On 16 January 2018 at 10:03, Nick Coghlan wrote: > On 16 January 2018 at 19:47, Paul Moore wrote: >> I think that if the pipenv docs had some better guidance on what use >> cases it was intended to cover (and what it wasn't, in relation to the >> broader range of pip+virtualenv use cases) that would help people >> better understand its place in the ecosystem. > > That's fair, and making the PyPUG tutorial specifically about > *application* dependency management was an initial step in that > direction - for the library development use case, you're generally > going to step out of pipenv's world as soon as you try to run your > tests across multiple versions. > > The basic usage constraint is that pipenv expects you to control your > target Python version, and it expects you to have exactly one - to go > beyond that (as is needed for multi-version library support), you'll > still need to drop down to the lower level tooling, either skipping > the use of pipenv entirely, or else by using `pipfile lock > --requirements` to shift levels. New subject as I don't want to hijack the original thread to rehash my old issue, but I do want to make a couple of points on this (and I agree, it's hard to find a good forum to discuss things like this as it stands). 1. "pipenv expects you to control your target Python version" - I'm not 100% sure what that means, but if it's saying "pipenv is only really for code that will only be used with a single Python version" then that's basically excluding a huge chunk of Python development. Specifically, library development of all forms. Admittedly my experience of what's "typical" is biased strongly by the communities I work with, but conversely the "writing standalone apps in Python" community doesn't really seem to have a web presence that we can promote pipenv through, so it's becoming visible via the "general Python development" community, which quite biased to libraries, and so is not the right target audience, from what you say. 2. My specific issues weren't outside that constraint - I *was* writing code that would only ever need to run under Python 3.6. My problem was the need for "local" build dependencies, which seems entirely within that use case. In fairness, the pipenv devs weren't totally against the functionality I needed, it's just not something they had considered important. Maybe the problem here is that there isn't a good set of "developing apps in Python" best practices (as opposed to the library development situation - use install_requires, test with tox, ...), so I didn't know the "recommended" solution to my problem, that pipenv would have been expecting me to use. Maybe it's a chicken-and-egg situation - the "best practice" is to use pipenv, but until pipenv gets to encounter all the various use cases, that "best practice" doesn't properly cover every situation... Paul From ncoghlan at gmail.com Tue Jan 16 05:44:38 2018 From: ncoghlan at gmail.com (Nick Coghlan) Date: Tue, 16 Jan 2018 20:44:38 +1000 Subject: [Distutils] pipenv use cases In-Reply-To: References: Message-ID: On 16 January 2018 at 20:22, Paul Moore wrote: > On 16 January 2018 at 10:03, Nick Coghlan wrote: >> On 16 January 2018 at 19:47, Paul Moore wrote: >>> I think that if the pipenv docs had some better guidance on what use >>> cases it was intended to cover (and what it wasn't, in relation to the >>> broader range of pip+virtualenv use cases) that would help people >>> better understand its place in the ecosystem. >> >> That's fair, and making the PyPUG tutorial specifically about >> *application* dependency management was an initial step in that >> direction - for the library development use case, you're generally >> going to step out of pipenv's world as soon as you try to run your >> tests across multiple versions. >> >> The basic usage constraint is that pipenv expects you to control your >> target Python version, and it expects you to have exactly one - to go >> beyond that (as is needed for multi-version library support), you'll >> still need to drop down to the lower level tooling, either skipping >> the use of pipenv entirely, or else by using `pipfile lock >> --requirements` to shift levels. > > New subject as I don't want to hijack the original thread to rehash my > old issue, but I do want to make a couple of points on this (and I > agree, it's hard to find a good forum to discuss things like this as > it stands). > > 1. "pipenv expects you to control your target Python version" - I'm > not 100% sure what that means, but if it's saying "pipenv is only > really for code that will only be used with a single Python version" > then that's basically excluding a huge chunk of Python development. > Specifically, library development of all forms. Yes, that's deliberate. We want to target app developers as our initial audience, since library and framework developers have different needs (and for folks just starting out with library development, pipenv + the latest version of Python is actually fine - matrix testing only comes into play once folks actually want to support older versions, perhaps because the version they started out with is no longer the latest one). > Admittedly my > experience of what's "typical" is biased strongly by the communities I > work with, but conversely the "writing standalone apps in Python" > community doesn't really seem to have a web presence that we can > promote pipenv through, so it's becoming visible via the "general > Python development" community, which quite biased to libraries, and so > is not the right target audience, from what you say. As I noted in my original comment, pipenv only applies to library and framework development insofar as you can treat your test suite as an "app" to be deployed to developer's machine (the deployment mechanism is "git clone", but it's still a deployment). Where that currently breaks down is as soon as you're testing across multiple versions, where the combination of wheel files and environment markers means the current lock file format runs into trouble (but so do requirements files). > 2. My specific issues weren't outside that constraint - I *was* > writing code that would only ever need to run under Python 3.6. My > problem was the need for "local" build dependencies, which seems > entirely within that use case. In fairness, the pipenv devs weren't > totally against the functionality I needed, it's just not something > they had considered important. Maybe the problem here is that there > isn't a good set of "developing apps in Python" best practices (as > opposed to the library development situation - use install_requires, > test with tox, ...), so I didn't know the "recommended" solution to my > problem, that pipenv would have been expecting me to use. Maybe it's a > chicken-and-egg situation - the "best practice" is to use pipenv, but > until pipenv gets to encounter all the various use cases, that "best > practice" doesn't properly cover every situation... Local build dependencies are within scope, but pipenv doesn't magically fix the development resource constraint problem :) Cheers, Nick. -- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia From p.f.moore at gmail.com Tue Jan 16 06:21:26 2018 From: p.f.moore at gmail.com (Paul Moore) Date: Tue, 16 Jan 2018 11:21:26 +0000 Subject: [Distutils] pipenv use cases In-Reply-To: References: Message-ID: On 16 January 2018 at 10:44, Nick Coghlan wrote: > Yes, that's deliberate. We want to target app developers as our > initial audience, since library and framework developers have > different needs (and for folks just starting out with library > development, pipenv + the latest version of Python is actually fine - > matrix testing only comes into play once folks actually want to > support older versions, perhaps because the version they started out > with is no longer the latest one). Having that up front in the pipenv docs/webpage would probably help communicate the intention better. At the moment, it's pretty hard to find. And the general "pipenv is cool!" enthusiasm (which I agree with - it is :-)) tends to encourage people to try it out for whatever their use case is (hence Chris' original post). Also, there's a quite common recommendation around to "build your app as a library and have its main program as a console script entry point" - tools like pip, tox, pytest, pew, pipenv itself, etc take that approach, for example. So separating "app developers" and "library developers" still leaves a fairly large grey area. > Local build dependencies are within scope, but pipenv doesn't > magically fix the development resource constraint problem :) Understood - as I said, the pipenv devs were very helpful, it just took a bit of time to establish what I was trying to do, and that it *was* something that they saw the need to support. Actually implementing that support can take as long as it needs - I appreciate the "so much to do, so little time" problem. Better publicised "Python application development workflow" best practices might have helped save a little of our time in establishing I had a valid use case and they intended to support it but didn't yet. That's all I'm really saying. Paul From thomas at kluyver.me.uk Tue Jan 16 06:42:29 2018 From: thomas at kluyver.me.uk (Thomas Kluyver) Date: Tue, 16 Jan 2018 11:42:29 +0000 Subject: [Distutils] PEP 566 - metadata 1.3 changes In-Reply-To: References: <1515591876.1977781.1230551776.08931300@webmail.messagingengine.com>