Hi, as shown in the following full dependency graph of erpbrasil-assinatura, erpbrasil-assinatura requires pyopenssl ==18.0.0, erpbrasil-assinatura requires signxml * (signxml 2.7.2 will be installed, i.e., the newest version satisfying the version constraint), and direct dependency signxml 2.7.2 transitively introduces pyopenssl <20,>=17.5.0.
Obviously, there are multiple version constraints set for pyopenssl in this project. However, according to pip's “first found wins” installation strategy, pyopenssl 1.18.0 (i.e., the newest version satisfying constraint ==1.18.0) is the actually installed version.
Although the first found package version pyopenssl 1.18.0 just satisfies the later dependency constraint (pyopenssl <20,>=17.5.0), such installed version is very close to the upper bound of the version constraint of pyopenssl specified by signxml 2.7.2.
Once signxml upgrades, its newest version will be installed, as erpbrasil-assinatura does not specify the upper bound of version constraint for signxml. Therefore, it will easily cause a dependency conflict (build failure), if the upgraded signxml version introduces a higher version of pyopenssl, violating its other version constraint ==18.0.0.
According to the release history of signxml, it habitually upgrades pyopenssl in its recent releases. For instance, signxml 2.2.4 upgraded pyopenssl’s constraint from >= 16.0.0, < 17 to >= 0.15.1, < 17, signxml 2.6.0 upgraded pyopenssl’s constraint from >= 0.15.1, < 17 to >= 17.5.0, < 19, and signxml 2.7.0 upgraded pyopenssl’s constraint from >= 17.5.0, < 19 to >= 17.5.0, < 20.
As such, it is a warm warning of a potential dependency conflict issue for erpbrasil-assinatura.
Dependency tree
erpbrasil-assinatura - 0.4.2
| +- chardet(install version:3.0.4 version range:*)
| +- cryptography(install version:2.9 version range:*)
| | +- cffi(install version:1.14.0 version range:>=1.8)
| | +- six (install version:1.14.0 version range:>=1.4.1)
| +- endesive(install version:1.4.5 version range:*)
| | +- asn1crypto(install version:1.3.0 version range:*)
| | +- cryptography(install version:2.9 version range:*)
| | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | +- six (install version:1.14.0 version range:>=1.4.1)
| | +- lxml(install version:4.5.0 version range:*)
| | +- oscrypto(install version:1.2.0 version range:*)
| | | +- asn1crypto(install version:1.3.0 version range:>=1.0.0)
| | +- paramiko(install version:2.7.1 version range:*)
| | | +- bcrypt(install version:3.1.7 version range:>=3.1.3)
| | | +- cryptography(install version:2.9 version range:>=2.5)
| | | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | | +- six (install version:1.14.0 version range:>=1.4.1)
| | | +- pynacl(install version:1.3.0 version range:>=1.0.1)
| | | | +- six(install version:1.14.0 version range:*)
| | +- pdfminer.six(install version:20200402 version range:*)
| | +- pdf_annotate(install version: version range:*)
| | +- pykcs11(install version:1.5.7 version range:*)
| | +- pyopenssl(install version:18.0.0 version range:*)
| | | +- cryptography(install version:2.9 version range:>=2.2.1)
| | | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | | +- six (install version:1.14.0 version range:>=1.4.1)
| | | +- six(install version:1.14.0 version range:>=1.5.2)
| | +- pytz(install version:2019.3 version range:*)
| | +- requests(install version:2.23.0 version range:*)
| | | +- certifi(install version:2020.4.5.1 version range:>=2017.4.17)
| | | +- chardet(install version:3.0.4 version range:>=3.0.2,<4)
| | | +- idna(install version:2.9 version range:>=2.5,<3)
| | | +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)
| +- pyopenssl(install version:18.0.0 version range:==18.0.0)
| | +- cryptography(install version:2.9 version range:>=2.2.1)
| | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | +- six (install version:1.14.0 version range:>=1.4.1)
| | +- six(install version:1.14.0 version range:>=1.5.2)
| +- pytz(install version:2019.3 version range:*)
| +- signxml(install version:2.7.2 version range:*)
| | +- asn1crypto(install version:1.3.0 version range:>=0.24.0)
| | +- certifi(install version:2020.4.5.1 version range:>=2018.1.18)
| | +- cryptography(install version:2.9 version range:<3,>=2.1.4)
| | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | +- six (install version:1.14.0 version range:>=1.4.1)
| | +- eight(install version: version range:>=0.4.2,<2)
| | +- lxml(install version:4.5.0 version range:<5,>=4.2.1)
| | +- pyopenssl(install version:18.0.0 version range:<20,>=17.5.0)
| | | +- cryptography(install version:2.9 version range:>=2.2.1)
| | | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | | +- six (install version:1.14.0 version range:>=1.4.1)
| | | +- six(install version:1.14.0 version range:>=1.5.2)
| +- tzlocal(install version:2.1b1 version range:*)
Thanks for your help.
Best,
Neolith
1. Loosen the version range of pyopenssl to be >=1.18.0.
2. Remove your direct dependency pyopenssl, and use the pyopenssl transitively introduced by signxml.
3. Change your direct dependency signxml to be <=2.7.2.

@mileo Which solution do you prefer, 1, 2 or 3?
Please let me know your choice. May I pull a request to solve this issue?
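The check this report describes, as an added example that is not part of the original issue or of either project's code: it tests the exact pin against the pyopenssl ranges quoted above for each signxml release and lists the releases the pin would conflict with. The comparator parser is a simplification (numeric dotted versions only, not full PEP 440), and the last history entry is a constructed, hypothetical future release.

```python
import operator

# Comparators handled by this simplified checker (numeric dotted versions only,
# not full PEP 440: no pre-releases, wildcards or ~= clauses).
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}

def parse_version(text):
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "17" -> (17, 0, 0)

def parse_spec(spec):
    """Turn '>=17.5.0, <20' into [(op, version_tuple), ...]; '*' means no bound."""
    clauses = []
    for clause in (c.strip() for c in spec.split(",")):
        if clause in ("", "*"):
            continue
        sym = next((s for s in ("==", "!=", ">=", "<=", ">", "<")
                    if clause.startswith(s)), None)
        if sym is None:
            raise ValueError("unsupported clause: %r" % clause)
        clauses.append((OPS[sym], parse_version(clause[len(sym):])))
    return clauses

def satisfies(version, spec):
    v = parse_version(version)
    return all(op(v, bound) for op, bound in parse_spec(spec))

def releases_breaking_pin(pin, history):
    """Return the releases whose transitive constraint the exact pin violates."""
    return [rel for rel, spec in history if not satisfies(pin, spec)]

# pyopenssl constraints per signxml release, as quoted in the issue text.
SIGNXML_HISTORY = [
    ("2.2.4", ">= 0.15.1, < 17"),
    ("2.6.0", ">= 17.5.0, < 19"),
    ("2.7.0", ">= 17.5.0, < 20"),
    ("2.7.2", "<20,>=17.5.0"),
    # Constructed, hypothetical future release: not real signxml metadata.
    ("next (hypothetical)", ">= 19.0.0, < 21"),
]

if __name__ == "__main__":
    pin = "18.0.0"  # erpbrasil-assinatura's direct pin, pyopenssl ==18.0.0
    for rel, spec in SIGNXML_HISTORY:
        state = "ok" if satisfies(pin, spec) else "CONFLICT"
        print("signxml %-20s pyopenssl %-18s %s" % (rel, spec, state))
    print("breaks pin:", releases_breaking_pin(pin, SIGNXML_HISTORY))
```

Running the same check in CI against the constraints of each newly published signxml release flags the conflict before an unpinned install pulls that release in.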