-
-
Notifications
You must be signed in to change notification settings - Fork 491
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make pyproject.toml the source for build dependencies #36982
Make pyproject.toml the source for build dependencies #36982
Conversation
I expect Anyway, some change away from the |
Well, this is pretty much what I had in mind when I said "but we also don't need to redesign it right now." Distro-from-library has a few benefits over library-from-distro:
We do however still need the install-requires.txt with the versions in them (the python package |
My solution for this is #31662, packaging sage-bootstrap with the metadata as a pip-installable distribution |
The example I have in mind (if sage-foo is pure python) is,
That's just how people expect to work on a python project. If cython is involved, there would also be a Anyway, details aside, it's just nicer to not have to solve this extra problem. |
The syncing of versions has to happen one way or the other. I think we all know the various possible designs, which differ by the time that the syncing happens and the actor that does the syncing. In the end, it will depend on the actual developer & user community of a "subpackage" what is the best way to maintain it. Right now we have the luxury of the monorepo, where all version info is central and syncing is done by developers, not users, by running the I'm all for making our system agnostic with respect to the syncing mechanism so that when it is useful for a community that takes care of a "subpackage" finds it convenient or more productive to develop in a separate repo, we are ready for it. But at the moment there is no evidence that we have a viable community for any subpackage that would need this. |
One design consideration: |
The built-in stuff in GitHub (obviously) does not know about out install-requires.txt files. The table https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems shows for Python:
I doesn't say in the documentation what actual filenames it scans. But https://github.com/sagemath/sage/network/dependencies shows that it finds files named So a nice simple improvement for the dependency graphs / SBOM business would be:
Any such changes are easier to make after the refactoring done in: |
If a subpackage can be made to not depend on sage-bootstrap, then we don't need to worry about the version of sage-bootstrap. All else being equal, that's an improvement.
We'll never need it, but it's the simple standard solution to an easy problem. The Github dependency graph is a great example of how such a solution can save us time. Putting the dependencies in the standard location lets Github just... find them, easily, in contrast with the amount of work you've outlined under |
But there is no "standard location"; we have multiple packages in |
Inside of a pyproject.toml file is the standard location. When the monolithic one goes away, we'll have multiple pyproject.toml files, one for each subproject, having its own list of dependencies and constraints. Github will still be able to find them. and we'll still be able to figure out a version that satisfies them all to put in package-version.txt. There's even an automated tool called a package manager than can compute a feasible set of versions for us :) |
That's synchronizing ... by not synchronizing? |
The best kind of synchronizing! (Why would we manually synchronize them?) |
Hm? The synchronization of version constraints through bootstrap simplifies maintenance. I think there should be a compelling reason before we start giving different version constraints to different distribution packages in pkgs/. |
Well, presumably you've spent years working on the modularization so that users will be able to install only some parts of sage. Why would we require them to satisfy the constraints of the pieces that they haven't installed? |
For the convenience of developers. When users need more flexibility, that can be a compelling reason to deviate from it. |
For this developer at least, not having to run |
We already constrain users and developers --- by not using rust-dependent packages. We already hear requests from.developers (@tornaria for instance) for not putting upper limits on package versions. It may well be that there are platforms on which sage the distro doesn't work, but sagelib does work. |
Right, I forgot about that. Was indeed very easy to fix and the necessary install_requires files are now automatically generated. In the future, we may consider extracting the version from the pyproject.toml file directly also for the configure checks. |
And none of this is changed in this PR. |
The failing test is not related to this PR #36992. |
I'm starting to believe that when you say "modularity" you mean something different than what I understand by "modularity". For the convenience of developers, IMO modularity means independent modules that can be built, tested, installed, updated, independently of each other. This includes having each its own dependencies, and trying to "synchronize up" or "automate" is against this. I'm 100% in favour of static pyproject.toml files that allow me to build sage-the-lib with standard pep-517 builder, no bootstrap, no sage-setup if possible, no mandatory sage-conf, etc. Just find stuff on standard locations. Of course this only works if I have all the necessary bits already installed, but so what? The compiler will tell me if I'm missing some bits and I can correct that. Modularity also means separation of concerns, e.g. that my distro of choice takes care of other software needed to build sagemath.
Indeed, trying #36957 I learned that "sage the distro" doesn't work on void linux (I couldn't make |
Matthias, please stop removing the positive review label from this disputed PR. There are clear rules under which conditions this is should be done, you repeating your objections is not one of them. To be explicit: I'm setting this to positive review based on the following counting: |
|
The dispute resolution process is intended to resolve disagreements in the review process. It is not a replacement for the review process; and it's certainly not an invitation for authors to ignore review comments. |
This comment was marked as abuse.
This comment was marked as abuse.
Here's what a correct version of the idea of this PR would look like:
|
@dimpase, necessary reminder: "How we talk about past, current, future contributions" (https://groups.google.com/g/sage-devel/c/OeN8o14s6Jc/m/ChnpijP3AgAJ). The denunciations that you are using, the expressions of disrespect, etc., have no place in the Sage community. |
@tobiasdiez is correct about our procedure for disputed tickets. @mkoeppe pointed out some changes that he thinks are necessary, but the author and reviewer disagree and the vote is currently 3-1 in favor of this ticket. Others are, of course welcome to weigh in, but for now I'm setting this back to positive review. |
@roed314, thanks for the fast clarification about our procedures! Reminder though that I'm waiting for your response on some related matters since January. |
This has broken the CI. |
The broken repology index can now be seen in https://repology.org/projects/?inrepo=sagemath_develop |
…#36982 Signed-off-by: ci-sage workflow applying sagemath#37926 @ https://github.com/sagemath/sage/commits/f52bf519387ccb963a38560bbbd97479da723c91 <ci-sage@example.com>
This comment was marked as abuse.
This comment was marked as abuse.
…src/pyproject.toml` after sagemath#36982 <!-- ^ Please provide a concise and informative title. --> <!-- ^ Don't put issue numbers in the title, do this in the PR description below. --> <!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method to calculate 1 + 2". --> <!-- v Describe your changes below in detail. --> <!-- v Why is this change required? What problem does it solve? --> <!-- v If this PR resolves an open issue, please link to it here. For example, "Fixes sagemath#12345". --> Also some unrelated fixes: - fix for `centos-7-devtoolset` needed to adjust for a small change in how Docker files are parsed (https://github.com/sagemath/sage/actions/ru ns/8931531493/job/24538795775). - fix for `ubuntu-xenial-...` and other platforms that need special `configure` args - fix for current macOS Docker Desktop ### 📝 Checklist <!-- Put an `x` in all the boxes that apply. --> - [x] The title is concise and informative. - [ ] The description explains in detail what this PR is about. - [x] I have linked a relevant issue or discussion. - [ ] I have created tests covering the changes. - [ ] I have updated the documentation and checked the documentation preview. ### ⌛ Dependencies <!-- List all open PRs that this PR logically depends on. For example, --> <!-- - sagemath#12345: short description why this is a dependency --> <!-- - sagemath#34567: ... --> URL: sagemath#37926 Reported by: Matthias Köppe Reviewer(s): Kwankyu Lee, Matthias Köppe
As noted in #36951 (comment), the fact that the dependency declaration of sage-the-library depends on information contain in sage-the-distro's build folder is problematic for the separation of concerns. Sage-the-distro should rely on information of sage-the-library, not the other way around. Here we fix this for the build requirements by making
src/pyproject.toml
the single source of thruth. The correspondinginstall-requires.txt
are demoted to mere indicator files (to be removed later). Moreover, this change allows us to makepyproject.toml
a static file (no longer generated by configure), which should help with downstream packaging.Happy new year!
📝 Checklist
⌛ Dependencies