Goes on a frenzie to download hundreds (all?) of (.whl) versions of boto3, botocore

[yarikoptic]

Description

Original use case -- this https://github.com/dandi/dandi-api-webshots-tools/blob/master/requirements.txt , boiled down to combination of dandi and selenium which leads to smth like

dandi@drogon:/tmp$ python3 -m venv venv && source venv/bin/activate && pip install --upgrade pip && pip install 'dandi' 'selenium'
Requirement already satisfied: pip in ./venv/lib/python3.9/site-packages (20.3.4)
Collecting pip
  Using cached pip-23.2.1-py3-none-any.whl (2.1 MB)
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 20.3.4
    Uninstalling pip-20.3.4:
      Successfully uninstalled pip-20.3.4
Successfully installed pip-23.2.1
Collecting dandi
  Obtaining dependency information for dandi from https://files.pythonhosted.org/packages/5d/31/b68e518bb135538031bfda140db823a52a067c66c5fd424b0b58d1fd4d40/dandi-0.56.0-py3-none-any.whl.metadata
  Using cached dandi-0.56.0-py3-none-any.whl.metadata (7.5 kB)
Collecting selenium
  Obtaining dependency information for selenium from https://files.pythonhosted.org/packages/f9/2f/9c6eef6487faca5006ae1ba43cf6ab627c7e3d2a7ec5a3b8728e2105472d/selenium-4.12.0-py3-none-any.whl.metadata
  Using cached selenium-4.12.0-py3-none-any.whl.metadata (6.9 kB)
...
Collecting botocore<1.30.0,>=1.29.146 (from boto3<2.0,>=1.24->zarr-checksum->dandi)
  Obtaining dependency information for botocore<1.30.0,>=1.29.146 from https://files.pythonhosted.org/packages/8e/59/59b444f5e93ea0eaf839e1ecfe904533e00b83940028159d17bbe1b9d932/botocore-1.29.146-py3-none-any.whl.metadata
  Using cached botocore-1.29.146-py3-none-any.whl.metadata (5.9 kB)
Collecting boto3<2.0,>=1.24 (from zarr-checksum->dandi)
  Obtaining dependency information for boto3<2.0,>=1.24 from https://files.pythonhosted.org/packages/dd/5f/d880fd9a9a5b3fec23dc07563ca9538d5f465dd4283331c588ca8fe0daab/boto3-1.26.145-py3-none-any.whl.metadata
  Using cached boto3-1.26.145-py3-none-any.whl.metadata (7.0 kB)
Collecting botocore<1.30.0,>=1.29.145 (from boto3<2.0,>=1.24->zarr-checksum->dandi)
  Obtaining dependency information for botocore<1.30.0,>=1.29.145 from https://files.pythonhosted.org/packages/b7/31/47d10013dbacc78f1ea080e92ae06438e593fb24145fdd929ef542446a74/botocore-1.29.145-py3-none-any.whl.metadata
  Using cached botocore-1.29.145-py3-none-any.whl.metadata (5.9 kB)
Collecting boto3<2.0,>=1.24 (from zarr-checksum->dandi)
  Obtaining dependency information for boto3<2.0,>=1.24 from https://files.pythonhosted.org/packages/98/1e/d636fc4a63d9343a0e973e4b9e44b9a4d7a9531821bd8b3dc7fa720dc054/boto3-1.26.144-py3-none-any.whl.metadata
  Using cached boto3-1.26.144-py3-none-any.whl.metadata (7.0 kB)
Collecting botocore<1.30.0,>=1.29.144 (from boto3<2.0,>=1.24->zarr-checksum->dandi)
  Obtaining dependency information for botocore<1.30.0,>=1.29.144 from https://files.pythonhosted.org/packages/7a/79/dffb326aa5c86ff001d707c506844094b8ce1e52215bb08a36f39893509f/botocore-1.29.144-py3-none-any.whl.metadata
  Using cached botocore-1.29.144-py3-none-any.whl.metadata (5.9 kB)
...
Collecting boto3<2.0,>=1.24 (from zarr-checksum->dandi)
  Downloading boto3-1.26.50-py3-none-any.whl (132 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 132.7/132.7 kB 66.4 MB/s eta 0:00:00
...

so you can see it going after all those .patch versions of botocore and boto3 (.144, .143, ...) and then I think other .minor versions and so on...

at the end it does finish with

Using cached uri_template-1.3.0-py3-none-any.whl (11 kB)
Using cached dnspython-2.4.2-py3-none-any.whl (300 kB)
Installing collected packages: wcwidth, sortedcontainers, rfc3987, pytz, asciitree, appdirs, zipp, webcolors, urllib3, uri-template, tzdata, typing-extensions, tqdm, tenacity, sniffio, six, semantic-version, ruamel.yaml.clib, rpds-py, pyyaml, pysocks, pycryptodomex, pycparser, packaging, numpy, natsort, more-itertools, jsonpointer, joblib, jmespath, jeepney, interleave, idna, humanize, h11, fqdn, fasteners, exceptiongroup, entrypoints, dnspython, click, ci-info, charset-normalizer, certifi, attrs, wsproto, scipy, ruamel.yaml, rfc3339-validator, requests, referencing, python-dateutil, pydantic, outcome, numcodecs, jaraco.classes, isodate, importlib-metadata, h5py, fscacher, email-validator, click-didyoumean, cffi, blessed, bidsschematools, zarr, trio, pandas, keyrings.alt, jsonschema-specifications, etelemetry, cryptography, botocore, arrow, trio-websocket, SecretStorage, s3transfer, jsonschema, isoduration, selenium, pyout, keyring, hdmf, boto3, zarr-checksum, pynwb, dandischema, nwbinspector, dandi
Successfully installed SecretStorage-3.3.3 appdirs-1.4.4 arrow-1.2.3 asciitree-0.3.3 attrs-23.1.0 bidsschematools-0.7.1 blessed-1.20.0 boto3-1.28.44 botocore-1.31.44 certifi-2023.7.22 cffi-1.15.1 charset-normalizer-3.2.0 ci-info-0.3.0 click-8.1.7 click-didyoumean-0.3.0 cryptography-41.0.3 dandi-0.56.0 dandischema-0.8.4 dnspython-2.4.2 email-validator-2.0.0.post2 entrypoints-0.4 etelemetry-0.3.0 exceptiongroup-1.1.3 fasteners-0.18 fqdn-1.5.1 fscacher-0.4.0 h11-0.14.0 h5py-3.9.0 hdmf-3.9.0 humanize-4.8.0 idna-3.4 importlib-metadata-6.8.0 interleave-0.2.1 isodate-0.6.1 isoduration-20.11.0 jaraco.classes-3.3.0 jeepney-0.8.0 jmespath-1.0.1 joblib-1.3.2 jsonpointer-2.4 jsonschema-4.19.0 jsonschema-specifications-2023.7.1 keyring-24.2.0 keyrings.alt-5.0.0 more-itertools-10.1.0 natsort-8.4.0 numcodecs-0.11.0 numpy-1.25.2 nwbinspector-0.4.29 outcome-1.2.0 packaging-23.1 pandas-2.1.0 pycparser-2.21 pycryptodomex-3.18.0 pydantic-1.10.12 pynwb-2.5.0 pyout-0.7.3 pysocks-1.7.1 python-dateutil-2.8.2 pytz-2023.3.post1 pyyaml-6.0.1 referencing-0.30.2 requests-2.31.0 rfc3339-validator-0.1.4 rfc3987-1.3.8 rpds-py-0.10.2 ruamel.yaml-0.17.32 ruamel.yaml.clib-0.2.7 s3transfer-0.6.2 scipy-1.11.2 selenium-4.12.0 semantic-version-2.10.0 six-1.16.0 sniffio-1.3.0 sortedcontainers-2.4.0 tenacity-8.2.3 tqdm-4.66.1 trio-0.22.2 trio-websocket-0.10.4 typing-extensions-4.7.1 tzdata-2023.3 uri-template-1.3.0 urllib3-1.26.16 wcwidth-0.2.6 webcolors-1.13 wsproto-1.2.0 zarr-2.16.1 zarr-checksum-0.2.9 zipp-3.16.2

so with boto3-1.28.44 botocore-1.31.44 so the most recent ones on pypi and double-checked:

(venv) dandi@drogon:/tmp$ python -c 'import boto3; print(boto3.__version__)'
1.28.44
(venv) dandi@drogon:/tmp$ python -c 'import botocore; print(botocore.__version__)'
1.31.44

and only those installed

(venv) dandi@drogon:/tmp$ ls -ld venv/lib/python3.9/site-packages/boto*info
drwxr-xr-x 2 dandi dandi 4096 Sep 11 11:45 venv/lib/python3.9/site-packages/boto3-1.28.44.dist-info
drwxr-xr-x 2 dandi dandi 4096 Sep 11 11:45 venv/lib/python3.9/site-packages/botocore-1.31.44.dist-info

Expected behavior

to not query/download all those other versions of boto3 and botocore only to install the most recent one at the end.

pip version

23.2.1

Python version

originally locally 3.11.5 and then on server with 3.9.2

OS

Debian GNU/Linux

How to Reproduce

$ python3 -m venv venv && source venv/bin/activate && pip install --upgrade pip && pip install 'dandi' 'selenium'

Output

No response

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[yarikoptic]

I guess it is just a typical one for https://pip.pypa.io/en/stable/topics/dependency-resolution/#possible-ways-to-reduce-backtracking which INFO messages referred to in this progression a number of times.

Unfortunately logging/UI is not really helpful to figure out what is the culprit ...

It would have been nice if at the end of the installation there was information about which conflicts were not resolved or what versions of dependencies were not the most latest installed to get versions satisfied, and ideally where those dependencies came from - i.e. which packages specified them. Feel welcome to retitle or close in favor of some already existing issue along those lines.

[notatallshaw]

This is not uncommon when Pip gets stuck in a backtracking situation with boto3 and botocore. The only way to know if it can resolve a requirment is to download a package and analyze it's metadata, there is no guaranteed way to know ahead of time what will resolve the conflict, and boto3 and botocore make a new release every day so 100s might be downloaded just to determine that's not the cause of the conflict

Further dependency resolution is an NP hard problem so it can be quite tricky to provide any useful information to a user on why backtracking is happening, especially when it does eventually resolve (if there is no solution Pip will print the final blocking conflict).

One thing that will help the performance of situations is that when PyPi backfills PEP 658 files Pip will not need to download the full 10 MBs of each package but instead a small file (which you saw in the first few downloads as new packages are enabled for PEP 658 file distribution).

I am working on a branch of Pip which is better at reporting errors and it gives like these:

INFO: pip is backtracking because of incompatible requirements on: urllib3, requests, urllib3[socks], botocore

I was initially suspicious of the extra (urllib3[socks]) as there are known performance issues with extras but I tried the branch from this PR and there wasn't any significant improvements. I applied my commits onto that branch and the feedback message changed a little bit (which turns out to be quite helpful in the end):

INFO: pip is backtracking because of incompatible requirements on: selenium, botocore, requests, urllib3[socks], urllib3

Do you think this would have been actually helpful for you if it was in the output? It would be useful for me to know whether to continue to pursue that PR.

Anyway let's look at the requirements for each of these projects:

Selenium: https://github.com/SeleniumHQ/selenium/blob/selenium-4.11.2-python/py/requirements.txt

async-generator==1.10
attrs==21.4.0
certifi==2023.7.22
cffi==1.15.0
cryptography==41.0.2
dataclasses==0.6
debugpy==1.6.0
h11==0.13.0
idna==3.3
importlib-metadata==4.11.3
inflection==0.5.1
iniconfig==1.1.1
more-itertools==8.13.0
multidict==6.0.2
outcome==1.1.0
packaging==21.3
pluggy==1.0.0
py==1.11.0
pycparser==2.21
pyOpenSSL==22.0.0
pyparsing==3.0.8
PySocks==1.7.1
pytest==7.2.0
pytest-instafail==0.4.2
pytest-mock==3.10.0
pytest-trio==0.8.0
sniffio==1.2.0
sortedcontainers==2.4.0
toml==0.10.2
trio>=0.20.0
trio-websocket==0.9.2
urllib3[socks]==2.0.2  
wsproto==1.1.0
zipp==3.8.0

Botocore: https://github.com/boto/botocore/blob/1.31.4/setup.cfg#L5

jmespath>=0.7.1,<2.0.0
python-dateutil>=2.1,<3.0.0
urllib3>=1.25.4,<1.27

Requests: https://github.com/psf/requests/blob/v2.31.0/setup.py#L61

    "charset_normalizer>=2,<4",
    "idna>=2.5,<4",
    "urllib3>=1.21.1,<3",
    "certifi>=2017.4.17",

urllib3[socks]: (it seems base urllib3 has no requirements) https://github.com/urllib3/urllib3/blob/2.0.2/pyproject.toml#L56

  "PySocks>=1.5.6,<2.0,!=1.5.7",

So, as you can see botocore is not compatible with urllib3 2 and the latest version of Selenium is specifying urllib3[socks]==2.0.2. Actually as I was digging through different repos I found that boto3 is not compatible with urllib3 2 in general (e.g. psf/requests#6443).

You can handle this in one of two ways, you can pin urllib3<2 as a requirement, or what I do is specify it as a constraint so it doesn't force urllib3 to be installed but just makes sure if it does it is less than 2. e.g. create a file called constraints.txt:

urllib3<2

And then run:

pip install -r requirements.txt -c constraints.txt

You should find that adding this as a requirement or constraint will be significantly faster to resolve.

Unfortunately I don't think the "frenzie" is actually incorrect behavior, however it would certainly be useful if Pip was able to better express why it was backtracking.

[sanderr]

Alternatively, if you don't want to add artificial constraints, I found that specifying botocore explicitly as a dependency, without any constraints, also gets rid of the backtracking. It causes the resolver to pick a candidate for it earlier in the process, thereby it will search a version of urrllib3 that matches the constraints in botocore instead of the other way around. It's still a workaround rather than a solution but it might suffice for you.

pip install dandi selenium botocore

Pro:

• No artificial constraint: if botocore ever releases a version that drops/bumps the upper bound on urllib3, your install command should just install the newer version.

Con:

• Relies more on the specifics / implementation details of pip's resolution logic. Then again, afaik the pip maintainers are very careful about making changes to resolution order (especially between a direct requirement and a transitive dependency), so it will probably remain stable.
• Can't do it with a constraints file, only a requirement, so you do introduce an artificial dependency (if dandi ever stops depending on botocore, your install command would keep installing it). I would personally always prefer this over an artificial constraint, but there's something to say for either option.

[notatallshaw]

Yes, while not an official feature(?) my understanding is the design of the resolver is that you can give it "hints" by providing dependencies and providing them in a specific order.

However my concern in this example is that older versions of botocore might not put an upper bound on urllib3 in their requirements, but they are still not compatible with urllib3 2. So if you're not paying specific attention the resolver could still decide to pick an older version of botocore with a newer version of urllib3.

[yarikoptic]

Thank you @notatallshaw and @sanderr ! Per @notatallshaw comment with selenium requirements.txt I thought that indeed selenium reads them out in their setup.py like some projects do

so started to compose an issue for them to fix such a practice

here is the unfinished draft:

ATM co-installation of the Selenium via pip with some other packages can be proven to be challenging if not impossible. See e.g. #12274 . It stems from the fact that

Originally dependencies were not strictly versioned, see e.g. https://github.com/SeleniumHQ/selenium/blob/c8a7cb1896fb8cd80a016b00687d4345f4daf799/py/requirements.txt

Then in 135b8e291c2cccfafd61974ace25db928b014675 was first move to hardfix some, and that opened the pandora's box. More and more being fixed and then similar to his requests, but in relation to a specific dependency were filed before e.g.

• Relax python dependencies in Selenium 4 beta SeleniumHQ/selenium#9312
  and resulted in replacing strict == with =~ introducing lower/upper bounds, which would be reasonable under assumption of "semver versioning works!" .
  But then later in 04f7d00e83fbe79bbbc16acd594059d83d964dcc all were moved to strict == and now even with the help of dependabot dependencies augomagically boosted to the most recent release (see e.g. f4efb8b95e9d6bf4bfe7fd16d0741c2e4331beac).

but apparently their setup.py is nicely specifying the range https://github.com/SeleniumHQ/selenium/blob/trunk/py/setup.py#L73 which includes "urllib3[socks]>=1.26,<3", and I even checked the

❯ grep Req PKG-INFO
Requires-Python: >=3.8
Requires-Dist: urllib3[socks]>=1.26,<3
Requires-Dist: trio~=0.17
Requires-Dist: trio-websocket~=0.9
Requires-Dist: certifi>=2021.10.8

so it seems that we should be all good on that one here since botocore wants urllib3>=1.25.4,<1.27 so 1.26 series should be all good. Or am I wrong somewhere above?

INFO: pip is backtracking because of incompatible requirements on: selenium, botocore, requests, urllib3[socks], urllib3

Do you think this would have been actually helpful for you if it was in the output? It would be useful for me to know whether to continue to pursue that PR.

It would be better than nothing (current behavior) for sure! But because those messages are spit out somewhere intermixed with many other messages -- they might not even be available due to limited size of the terminal history whenever backtracking would be done, which could take awhile like in this case.

do you think it would be possible/reasonably easy to implement, if backtracking was triggered, at the end of the installation to include similar message, eg.

...
Successfully installed SecretStorage-3.3.3 ...
Note: During installation backtracking was needed because of incompatible requirements on selenium, botocore, requests, urllib3[socks], urllib3

which would then alert and point user to those. But I also wonder if further analysis could be done, e.g. going through all installed packages and double-checking that pip installed all desired versions and not went for some other version, e.g.

Note: package X install-requires urllib3[socks]>=1.26,<2 but urllib3 2.0.2 was installed

or I even wonder if smth like following which could be handy

Note: Following installed versions have more recent versions available urllib3 (2.0.2 -> 2.0.4), ...

which could hint on what packages did not get their most recent versions installed for some reason which might be due to those strict dependencies specifications etc. WDYT?

[notatallshaw]

but apparently their setup.py is nicely specifying the range https://github.com/SeleniumHQ/selenium/blob/trunk/py/setup.py#L73 which includes "urllib3[socks]>=1.26,<3", and I even checked the

Good catch, the chain of events is a little more complicated, the algorithm the resolver does is something a long the lines of:

1. Do a breadth first search/collection of all user requirements
2. Do a depth first search on the requirements collected attempting to preserve user and collection order

So going through the collection process where we count the user collection as a depth of 1, the next depth as 2, etc.. (I'm 1 indexing because it's easier for to count the requirements or packages that led to a package being collected)

Here is a highly curated series of steps that caused significant backtracking, I'll do requirements in monospace and packages in bold:

1. urllib3 2.0.4 is colllected with a depth of 2 (from urllib3[socks]<3,>=1.26 from selenium 4.12.0 from selenium)
2. botocore 1.31.47 is collected with a depth of 4 (from botocore<1.32.0,>=1.31.47 from boto3 1.28.47 from boto3<2.0,>=1.24 from zarr-checksum 0.2.9 from zarr-checksum from dandi-0.56 from dandi>=0.24.0)
3. BACKTRACK CAUSE: botocore 1.31.47 requires urllib3<1.27,>=1.25.4 but the current urllib3 package collected is 2.0.4, and urllib3 is much higher up the depth chain than botocore, so Pip starts backtracking on botocore and it's parents to see if it can find a version of botocore that does not conflict on urllib3 2.0.4
4. Eventually Pip backtracks enough on botocore and boto3 that the requirement boto3<2.0,>=1.24 is exhausted from zarr-checksum 0.2.9
5. Pip finally starts backtracking on urllib3, but the graph of all things which involved urllib3 now has gotten very large, so there is a lot to check at each step

Hope that makes sense.

Previous versions of Pip would spend time backtracking on unrelated packages, that didn't happen here, it was looking at the right packages it just didn't know that botocore and it's family of packages have lots of versions which barely change requirements and so it would be more efficent to check other packages in the conflict.

I do wonder if Pip could possibly make the choice that urllib3 should backtrack over botocore because the current candidate is newer than any version possible against the conflicting requirement, but then I wonder if that's indiciative in general or just in specific cases. I'll have a think about it and play with the code and see if it's even possible to force a package higher up in the depth chain to backtrack without rearchitecting significantly.

It would be better than nothing (current behavior) for sure! But because those messages are spit out somewhere intermixed with many other messages -- they might not even be available due to limited size of the terminal history whenever backtracking would be done, which could take awhile like in this case.

Well looking at this situation in detail I'm not sure how helpful it was anyway, I will play around with what information can be available and see if I could make a more useful message and look at how to get it into the logs.

Adding it at the end might certainly be useful but I don't know enough about the Pip reporter to know how easy it is, I will take a look when I get there.

All your other ideas sound great, I however don't have the capacity to add something like those, I'm sure the Pip maintainers would look at a helpful logging message PR if you or someone else is interested in contributing.

[notatallshaw]

I do wonder if Pip could possibly make the choice that urllib3 should backtrack over botocore because the current candidate is newer than any version possible against the conflicting requirement

While I have an intuituion that there is a possible optimization here, after trying a few times to get this to work I found I ended up breaking more important optimziations which made backtracking much slower. So for now I am no long pursuring this.

[yarikoptic]

Thanks for trying @notatallshaw !

[pradyunsg]

Can you do a run of this with PIP_RESOLVER_DEBUG=1 pip install --log log.txt ... and paste the logs in https://gist.github.com/new and share the link to the Gist created?

That'll include useful information about what the dependency resolver is doing, which can help with diagnosing the underlying issue here. :)

[notatallshaw]

That'll include useful information about what the dependency resolver is doing, which can help with diagnosing the underlying issue here. :)

FYI I'm happy to do that as I can reproduce the issue, but I'm quite confident I've already explained why the backtracking occurs in this cause in this comment: #12274 (comment)

I personally don't see any obvious optimization available to Pip / resolvelib in this case.

One can intuit that the wrong package is being backtracked on by looking at the larger graph, but I don't know how easy that is to express in terms of how the current backtrack algorithm is implemented.

[notatallshaw]

That'll include useful information about what the dependency resolver is doing, which can help with diagnosing the underlying issue here. :)

FYI I'm happy to do that as I can reproduce the issue, but I'm quite confident I've already explained why the backtracking occurs in this cause in this comment: #12274 (comment)

I realized that if my explanation is correct it follows that his would be a more minimal reproducible example:

urllib3[socks]<3,>=1.26
boto3<2.0,>=1.24

And indeed it exhibits the exact same behvior, but this example produces a log file too big to upload to gist, so here is a version which doesn't backtrack as much:

urllib3[socks]<2.06,>=1.26
boto3<1.28.57,>=1.28.50

And here is the is the raw gist (because even with this greatly reduced version the non-raw gist is truncated ): https://gist.githubusercontent.com/notatallshaw/0bd205eab179a09ba57782aab2c784bb/raw/76e71e5d881fc39937109e120f2896e2585e6b42/log.txt

[notatallshaw]

Seems like OPs problem is much better now, and this issue can be closed.

Pip made a new release which is more likely to help it not go into a frenzie when dealing with extras, and in the mean time the ecosystem has improved significantly to support urllib3 2.0.

I am only able to reproduce OPs issue to a much smaller extent now by carefully chosing upperbounds on package versions, or by using pypi-timemachine. I can't reproduce it significantly just be using the given requirements.

[notatallshaw]

I am going to close this issue as OPs requirements no longer cause this problem. While it's possible for the pip resolver to start backtracking many versions, there is a significant improvement on the PyPI index (and any other index that chooses to implement it) that pip first checks metadata files for dependency information meaning that there is a lot smaller downloads.

There are still performance and algorithm improvements that can be made, but they are being tracked in other issues.