scipy, networkx: Update install-requires.txt #33520
Comments
|
New commits:
|
|
Author: Matthias Koeppe |
|
Commit: |
|
comment:3
Why are upper bounds needed for these packages? For example, networkx doesn't yet have a version 2.8 released (at least on pip) and I couldn't find a ticket that says that this version is indeed not compatible with the current version of sagelib. |
|
comment:4
It's part of best practices to set upper bounds so that incompatible releases of these third-party packages do not retroactively break our release. |
|
comment:5
Replying to @mkoeppe:
Best practice is to only set a upper limit for versions that are known to cause incompatibilities. For example, have a look at:
(https://snarky.ca/why-i-dont-like-semver/, from one of the core members of the python team) and https://iscinumpy.dev/post/bound-version-constraints/ for a very detailed analysis ending with the recommendation
|
|
comment:6
For each of the updates of these packages from x.y to x.(y+1) we had tickets for fixing doctest failures that they introduced. So yes, we can predict future incompatibility. |
|
comment:7
Note also our release cadence (https://wiki.sagemath.org/ReleaseTours) is on the order of months to half a year. Which means when an incompatibility arises, we are not able to react quickly, and we will be months with broken dependencies. |
|
comment:10
Replying to @mkoeppe:
That conversely means that people cannot upgrade networkx for a very long time although there might be no or only minor incompatibilities. Big -1 from my side on upper limits that don't satisfy one of the criteria outlined in the linked articles. |
|
Reviewer: Tobias Diez |
|
comment:11
All those "requirements" are only indications for pip to manage dependencies on its own. If you are not using pip to manage your package (say apt, emerge, pacman...) those requirements are only indication for you as a packager, you can ignore them. I usually pay attention to lower bounds, but the upper one is checked by running the testsuite if there is one, and comparing the result with the highest version that fits the upper limit. I tend to agree that higher limits are bets about future development - unless you happen to have inside knowledge about upcoming breakage. |
|
comment:12
Replying to @kiwifb:
Yes, input from you and other packagers of cutting-edge distributions can inform us about upper bounds that we need to set in |
|
comment:13
In addition to our experience with the upgrades of these packages over the years, scipy used the MAJOR.MINOR.MICRO versioning, and the policy https://scipy.github.io/devdocs/dev/core-dev/index.html#version-numbering advises that "Minor versions are typically released twice a year and can contain new features, deprecations and bug-fixes." (Micro version steps cannot make new deprecations.) So such deprecation warnings are routinely introduced twice a year with the release of a new MINOR versions. Sage users/developers traditionally value spotless doctest runs (see typical sage-devel posts); the conservative policy of excluding an increase of the MINOR version ( Of course, it would be valid to argue that this is too conservative. A more relaxed policy would consider that within 6 months a hard incompatibility can only be introduced when the next MINOR version is released; so this would justify setting But what is the right policy is for the Sage community to decide and cannot be resolved by a generic appeal to (selected) authority. |
|
comment:14
Guidance on upper bounds for numpy is in https://numpy.org/devdocs/user/depending_on_numpy.html#runtime-dependency-version-ranges |
|
comment:15
Also relevant, from the scipy core-dev documentation: https://docs.scipy.org/doc/scipy/dev/core-dev/index.html#version-ranges-for-numpy-and-other-dependencies and https://docs.scipy.org/doc/scipy/dev/core-dev/index.html#updating-upper-bounds-of-dependencies |
|
comment:16
And here is the networkx deprecation policy. |
|
comment:17
Bumping this up so we can get this fix into 9.6. |
|
comment:18
I don't see how these last comments of yours address any point that is brought forward in comment:11 above and in https://iscinumpy.dev/post/bound-version-constraints/. Moreover, they actually are arguments for why these upper bounds are not a good idea:
And
In this ticket N=1. |
|
comment:20
From the packaging perspective in Gentoo, most packages only include lower limits. Upper limits, when they exist, are added after the fact in 99.9% of the cases (notable exceptions would be stuff like Part of the reasons I don't care that much about the limits on this ticket, is that I know they exist and rarely bother reading them :) |
|
comment:21
This makes sense for Gentoo, which is a fast moving cutting edge distribution. |
|
comment:22
We are talking here about the metadata that comes with releases of Sage (= releases about 2-3 times a year, with no bugfix releases ever). The idea is to provide each release with upper bounds for its key dependencies that ensures that this version can be used within its lifespan. |
|
comment:23
I do understand your intent, even if fundamentally living in Gentoo land for about 20 years makes me think it is misguided. It is something I associate with proprietary software. Which of course sagemath is a competition to. I just always feel I and Tobias and Antonio are just the wrong persons to help you make those kind of decisions - our investment in that aspect is low. |
|
comment:24
Replying to @mkoeppe:
Infinity? The numpy docs explicitly have a frequent release cycle as a requirement for an upper version limit. The reason for this is also explained in the the second link cited above:
And sage at it current dev speed cannot guarantee such quick releases. For example, what if scipy 1.9 contains an urgent hotfix? Then users of sage + scipy cannot upgrade their scipy for a few months just because we were guessing that scipy 1.9 might break a couple of doctests. |
|
comment:25
Replying to @tobiasdiez:
That's an extreme position which puts 0 emphasis on stability.
First of all, scipy has just only started the 1.8 series and will continue making 1.8.x fixes.
That's an argument that supports setting N higher, but it does not support N=infinity. |
|
comment:26
Replying to @mkoeppe:
Not at all. It's very easy (through mildly annoying) for users to set upper limits for these dependencies in their installation as they see fit; potentially trading new shiny bug fixes of scipy with some issues in sage's usage of scipy. But that tradeoff depends on the needs of the particular use case (maybe she doesn't need anything new from scipy vs she doesn't care that half of sage is broken with a new version of scipy as long as the other half works). Artificial upper version limits just remove this flexibility. Something like |
|
comment:27
Replying to @tobiasdiez:
This asymmetry between setting limits (easy) and removing limits (hard) is, of course, an important argument in favor of looser bounds; but it still does not support N=infinity. |
|
comment:28
I'll prepare a version based on the deprecation policies linked to in comment:14 to comment:16 |
|
comment:29
Replying to @mkoeppe:
Thanks! Note that just because something is deprecated (and later removed) doesn't mean that sage is affected by it. Thus one doesn't have to strictly follow the deprecation timeline, although it makes sense to take them as orientation. |
|
Branch pushed to git repo; I updated commit sha1. New commits:
|
|
Branch pushed to git repo; I updated commit sha1. New commits:
|
|
comment:33
Thanks for the changes. Shouldn't it be Moreover, I think it would be a good idea to distill our discussion and add a remark to the dev docs that upper bounds should be used carefully and need to be documented. |
|
comment:34
Replying to @tobiasdiez:
no, half a year is one minor release. |
|
Branch pushed to git repo; I updated commit sha1. New commits:
|
|
comment:36
Okay, looks good to me. Feel free to set it to positive review once https://github.com/sagemath/sagetrac-mirror/runs/5710585148?check_suite_focus=true passes. |
|
comment:37
Thanks! |
|
Changed branch from u/mkoeppe/scipy__networkx__update_install_requires_txt to |
After #33336 and #33495, we should change the upper version bounds in
build/pkgs/.../install-requires.txtDepends on #33495
CC: @antonio-rojas @tobiasdiez @kiwifb
Component: build
Author: Matthias Koeppe
Branch/Commit:
2abe0adReviewer: Tobias Diez
Issue created by migration from https://trac.sagemath.org/ticket/33520
The text was updated successfully, but these errors were encountered: