-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: add circular dependency checker for build requirements #415
Conversation
4ec3f30
to
01d06e1
Compare
I have some concerns, in decreasing order of abstraction:
|
8a46920
to
f5137b0
Compare
85275c0
to
10e0dbc
Compare
Yeah, I refactored this a bit to do post build name extraction and validation in cases where
The purpose of this is to prevent packages from being built that have circular dependencies, currently
So project name can be now manually set via
Yeah, I now have it so it shouldn't depend on PEP 621 metadata to be able to do the cycle check, but it should use PEP 621 metadata when available as it allows for earlier detection of dependency cycles prior to a build.
Dependency name normalization should now be handled when comparing dependencies for cycle checks. I think this can be fairly easily extended to do checks like the ones for |
10e0dbc
to
232ba32
Compare
232ba32
to
4e135e3
Compare
I've further extended the dependency checker to check dependencies originating from the
This also catches the(soon to be fixed once flit_core vendors tomli) invalid dependency cycle:
|
The code doesn't check for cycles. It checks whether something else depends on the project under build, specifically. The PEP says that the build dependency graph must be acyclic. It's ok if we don't want to validate the graph in whole, just want to make sure we're aware and ok with that before continuing with the review. |
Yeah, it currently just checks for a specific type of cycle, a cycle where the project depends on itself.
This is mostly designed to catch accidental self cycles before a package author publishes a package.
Yeah, I'm aware it's not covering all cases, I figured this was a good starting point though as this catches some of the most problematic cases. |
47fe09f
to
14c2d8a
Compare
Implement a basic build requirement cycle detector per PEP-517: - Project build requirements will define a directed graph of requirements (project A needs B to build, B needs C and D, etc.) This graph MUST NOT contain cycles. If (due to lack of co-ordination between projects, for example) a cycle is present, front ends MAY refuse to build the project. - Front ends SHOULD check explicitly for requirement cycles, and terminate the build with an informative message if one is found. See: https://www.python.org/dev/peps/pep-0517/#build-requirements
14c2d8a
to
137af3c
Compare
I've updated this to also now better detects self-cycles in situations using |
Doing some cleaning of the PR queue, this seems to have been open for a long time. Sorry @jameshilliard. Feel free to ping me directly, as often as you'd like, if this ever happens in the future. I'll close this as there are several conflicts with the current main, and I don't think this is a particularly important issue. Realistically, I think a circular dependency with the current version being built can only happen if someone downstream add a dependency before the package they're depending on is released, no? This would also make it so that the latest release of the downstream package won't work until the new version of dependency is released. Other circular dependencies should already be handled by pip, which we use to provision the build environment, AFAICT. |
That wasn't the issue this is supposed to catch from my understanding.
This is less related to versioning and is rather intended to catch cases where packages accidentally have pep517 violating circular build dependencies.
Well the issue is that pip doesn't properly detect circular build system dependencies for pure python package dependencies that have wheels available. This means that a package which may build with pip will fail with other build systems that effectively enforce the pep517 no circular dependencies rule, for example buildroot's python infrastructure has a no circular dependencies requirement as well as a no wheels requirement. |
@FFY00 Rebased on top of main. |
I can't re-open the PR for some reason, can you? If not, just open a new PR. I'll try to make sure I review it, but feel free to ping me. |
You can't reopen a PR that has been force pushed while closed. But you can make a new PR. |
You can if you force push it back to what the commit sha1 was at the time of it being closed. |
Reopened as #593. |
Implement a basic build requirement cycle detector per PEP-517:
Project build requirements will define a directed graph of
requirements (project A needs B to build, B needs C and D, etc.)
This graph MUST NOT contain cycles. If (due to lack of co-ordination
between projects, for example) a cycle is present, front ends MAY
refuse to build the project.
Front ends SHOULD check explicitly for requirement cycles, and
terminate the build with an informative message if one is found.
See:
https://www.python.org/dev/peps/pep-0517/#build-requirements