DEP 7: Dependency Policy (draft) #26

jacobian · 2016-09-29T16:57:33Z

Python Packaging is Good Now.

glyph · 2016-09-29T17:37:05Z

This means that dependencies that require C extensions are probably not acceptable

What about projects which include manylinux1, windows, and mac wheels as part of their release process, and statically link their dependencies? In principle, it's totally possible to make C extension modules that do not require a C compiler to install nowadays.

This could create potential issues for FreeBSD users, for example, however, or people who use custom Pythons with weird compile-time options. So I'm not saying this restriction should be removed, necessarily; just that it should be better-motivated.

jacobian · 2016-09-29T17:44:17Z

@glyph FWIW I wrote that part before manylinux1 was a thing :) This is right now a super-rough set of notes from when I first thought about it months ago, I turned it into a PR to sorta force myself to work on it more. I agree the C-ext part bears thinking through more clearly before setting a hard and fast rule.

mjtamlyn · 2016-09-30T15:36:06Z

draft/0007-dependancy-policy.rst

+- External dependencies should be easy to install on all the platforms that Django supports (i.e. Linux/Mac/Windows, all supported Python versions including PyPy, etc). This means that dependencies that require C extensions are probably not acceptable.
+- stability
+- maintainability
+- "backup plan"


What happens if a dependency goes unmaintained definitely needs logging

Yes, I'm procrastinating coming up with the actual proposed rules/guidlines. That's the hard part.

alex · 2016-09-30T17:05:01Z

Probably we should include a bit of guidance on how to do version pinning; I suspect we want it to look something like: "Only support libraries which have a decent backwards compatibility policy; put a reasonable minimum version and then no cap", but maybe we want to do semver style caps, foo>=1.0,<2.0

adamchainz · 2016-10-03T13:52:46Z

draft/0007-dependancy-policy.rst

@@ -0,0 +1,148 @@
+========================


filename should feature dependency not dependancy 😉

akki · 2016-10-09T05:19:31Z

draft/0007-dependancy-policy.rst

+Django was at that time. ``virtualenv`` didn't exist yet, and system-wide
+installs were the norm (and just as problematic then as now). PyPI had
+occasional downtime, leading to frustration when trying to deploy to production.
+``easy_install`` failed in many corner casess. One of Django's early releases


typo: cases.

jezdez · 2016-10-11T09:11:11Z

draft/0007-dependancy-policy.rst

+
+Indeed. It's time for Django to let go of its decade-old suspicion of the
+packaging ecosystem. Python packaging is reliable and dependable, and it's time
+we took full advantage of features now available.


This makes my heart be full ❤️

jezdez · 2016-10-11T09:11:34Z

draft/0007-dependancy-policy.rst

+
+- Django implements its own internationalizing/localization framework, but many
+  developers feel `Babel <http://babel.pocoo.org/en/latest/>`_ is a superior
+  implementation.


aaugustin · 2016-10-11T10:27:44Z

draft/0007-dependancy-policy.rst

+dependencies are optional.
+
+However, a lot has changed in the last decade! In 2006, Django was pretty
+aweful: we had just `removed the magic


aaugustin · 2016-10-11T10:31:12Z

I learnt things in this DEP :-)

shaib · 2016-10-11T12:47:18Z

Continuing @alex's note, I think we need a checklist for the dependency-adding-mini-DEPs to answer:

Does a specific minor version of Django depend on a specific version of the package? specific branch? If not, how do we guarantee backwards-compatibility for bugfix releases?
How do we handle security/data-loss fixes? If relevant, can we get pre-notifications? If so, can we forward them?

In particular detail: Suppose Django 3.1.x depends on Frobnicate>=2.0,<3.0 as @alex suggested. At some point a vulnerability is discovered in Frobnicate<=2.3. Do we update the dependency to Frobnicate>=2.4,<3.0, or tell our users to keep tabs on Frobnicate on their own? If we do update, does such a change, in general, justify a Django security release?

In addition, we should consider LTS: How do we guarantee support for the term covered in our LTS policy? Should we limit the addition of dependencies to some part of our LTS cycle?

Also, I think we need to re-evaluate every dependency for every minor release. If some dependency's API becomes part of Django's API, then removing it becomes an issue; we should prepare for this -- one way would be forbidding ourselves to expose dependency APIs, but, frankly, I think that's not a workable limitation.

jacobian · 2016-11-05T12:16:47Z

I think I've addressed the points raised by @alex @glyph @shaib. I'm going to make one final pass just for clarity and conciseness, but this is now done enough for me to merge.

carljm · 2016-11-05T12:19:11Z