Unvendor dependencies #1668
Comments
|
I'm not entirely on board with this idea (But hear me out). I think a valid alternative might be looking into an automated approach to vendoring dependencies, such as using the https://pypi.org/project/vendoring/ project. (I am not saying this exactly, but, some sort of similar automated approach). I could imagine a setup where the dependencies are still shipped as vendored (provided that licensing is not a problem as it isn't a problem now), but that it is easier to automatically apply updates to the latest things automatically, automatically test that nothing is broken, etc. The same caveats of "doing this carefully" apply, and I do agree we should remove any/every vendored dep that we don't actually need, but I don't necessarily think that moving to a "user pip-installs things" model is 100% the best approach. Edit: And, in the case that we decide to nix the easy "install rez behind studio firewall" capabilities, we should be very careful to explicitly state what approach we expect users/studios to take who are in that scenario, and vet that the approach works. While it was never an explicitly stated "compatibility guarantee", it was a fairly big implicit compatibility promise that rez made for years and years, and we shouldn't necessarily abandon it without explicit alternatives laid out. |
|
Thanks for the input @maxnbk! I'd be very interested in understanding what makes you hesitate. You probably wrote about this in the past, but I can't remember your arguments. When you have time, can you describe what value you see in keeping our dependencies vendored please? I did try to add some pros in the issue description, but I'm sure I missed some. It might be one of these decisions that will require us to prob the community to get a good sense of what they want. I could even take some time to write a proper REP with lots of details and clear details on how things would work for our users.
I thought about using I'm still not sold to the idea though. It just adds us more work and things to maintain. Another argument for unvendoring is that we get support for newer python versions for free.
I agree that if we go that route, we'll need to better document how to deploy rez. |
|
@instinct-vfx and @bpabel any opinions? I think Thorsten was/is supportive of unvendoring our dependencies, but a written statement might help here. |
|
I don't see any reasons to vendor something that could simply be specified as a dependency that is handled at build time, so I'd prefer to get rid of them. That being said, I think the most likely issue with switching from vendored libraries to dependencies is that it introduces the potential for dependency conflicts with other libraries that use the rez python api. I think that's actually a good thing for users of the api, because it means the 3rd party types are better defined and documented, rather than being an unknown version of some vendored library. And vendoring a library that's a different version than the normal installed version in a python environment has potential for weird errors as well, so vendoring isn't really a ironclad solution anyways. I'd prefer to offload that problem to package management systems. For the "install rez behind firewall" situation, all studios have at least one machine connected to the internet, and are capable of building a rez installation that can then by manually copied to all the other airgapped machines, so I don't really see that as a real issue. I also don't really like that rez needs to be installed from source. That really shouldn't be the way that rez is most commonly distributed IMHO. I'd prefer to see rez deployed mainly as a bundled exe/app. PyInstaller is an option, but there are a ton of others. Technically, we'd still be redistributing dependencies, but they would be managed as dependencies via a package management tool, like Even better if we can distribute MSI installers, app pkg's, brew installers, etc., though I know that's asking a lot. Having a bundled exe/app allows us to still install in airgapped environments and get rid of vendoring. |
|
From my POV, the most important aspect of vendoring was -- and still remains -- site package isolation. Rez's python dependencies must be accessible only to the That said, this story gets more complicated for those who wish to use Personally, I think the best choice is an automated vendoring solution like the one proposed by @maxnbk, so that you can achieve your OpenSSF goal rapidly without painfully rediscovering why vendoring was introduced in the first place. If you choose not to vendor, that's fine, just make sure you carefully consider the API scenario presented above. |
|
By the way, the policy and rationale for pip’s use of vendoring is probably relevant here: https://pip.pypa.io/en/stable/development/vendoring-policy/# |
|
Sorry for not following up earlier. Will give some feedback today. |
|
I have always been pro-unvendoring (or contra-vendoring?). The current status is a testament to how bad things get. The most recent (!) version vendored is 4 years old. For some of the dependencies we do not even really know. Not even if we may have modified dependencies. For $current_job, we isolate our rez runtime environment completely. But even if you don't would you not at least use a virtualenv? Why would that force us to prescribe handling of dependencies? It is a virtualenv separate from whatever you would need on the system level or in other runtime environments. re: requirements.txt: For some of our projects we use requirements.in -> requirements.txt compilation to manage "general restrictions for requirements vs. version pins for releases". That seems to work quite well. re: air gapped scenarios: My take always was there needs to be some kind of process in place already if you are in an air-gapped scenario and my expectation would be for studios to use their chosen process. (we are not, so this is pure speculation on my behalf!). We also use Nexus as a pypi proxy/cache that we also use to host internal packages privately for example. Sorry for the brevity, this week is wild here. Also keep in mind this is from a mostly Windows perspective so i might be missing Linux specifics completely. |
|
Just to be clear, nothing says that an automated-vendoring approach wouldn't also use dependabot-updatable-requirements files. I don't see that as an entirely valid argument either for or against; We want dependabot's to work and flag issues, but neither approach (other than leaving it as it is) has to go without that aspect. I could imagine a world where we could ship a "all dependencies vendored-in" package, and an "some assembly required but you can tweak the requirements yourselves or bring in your own pypi cache or whatever"-package. (Which is really just the source, but that's semantics.) |
|
Thank you so much @chadrik for taking some time to give us your perspective on this! I'll take some time to reply to react to @instinct-vfx and @chadrik later, but
is what I'm kind of what I also was starting to think about. |
|
I'm also not married to the "all deps vendored" not just being a matrix of platform/arch/os venv's that get built and shipped out from the same requirements, if it has to be that. Automation can still be what we get at the end of the day. Of course, it'd be a lot easier if we can still rely on locking ourselves to ABI-agnostic dependencies. |
JeanChristopheMorinPerso
added
the
openssf-best-practices
|
Two thoughts: 1: We have a way to download files to the locked-down production network - but not an easy way to mirror arbitrary set of PyPI dependencies. So it is meaningfully easier to grab the rez source tarball and be ready to install it, compared to to grabbing the rez and finding/downloading 19 separate packages of the compatible versions for the vendored dependencies I suspect this is not uncommon - it's been case in at least two places I've worked Something like Gaffer's dependencies repo might be a good middleground - where the packages can be referenced in a way compatible with dependency scans, but also a known-good set of dependencies are packaged into a single download 2: A bunch of the dependencies (which are nicely listed here) look like they should maybe be removed, rather than unvendored, e.g
It's also hard to tell from that list which are dependencies-of-dependencies (e.g I think |
As part of the OpenSSF Best Practices badges, we must monitor and periodically verify that none of the project dependencies contain known vulnerabilities. We also need to have the dependencies in a machine-parseable format. And we also need to make it easy to update dependencies.
Currently, all our dependencies are vendored in
src/rez/vendor. This makes it hard to monitor them and update them. It's also very easy to start modifying them, which makes it even harder to update them after. Even worse, some of our vendored dependencies were heavily modified :(This was done mainly because some studios don't have internet access and the original author of rez wanted these studios to be able to install rez in an easy way. Another reason was because rez is "special". After multiple conversations within the TSC, we think that this is not a valid concern for multiple reasons:
But vendoring does provide value because dependencies are guaranteed to always work due to the fact that their version are baked and the code is vendored.
We should look at unvendoring our dependencies. We'll have to plan this very carefully and potentially do it gradually. We might also want to run our test suite using the lowest and highest supported version of each library (so one run with lower bounds and one with upper bounds) and have them run on a periodic basis. We'd want these tests to report any error very loudly so that we can address incompatibilities with newer versions.
We could have a
requirements.txtfile for users that install with the install script. That requirements file would have==for all versions. (Not sure though).Requirements:
The text was updated successfully, but these errors were encountered: