Add explicit pbr requirement #959

Closed
wants to merge 1 commit into from

mikelolasagasti
Contributor

No description provided.

@sigmavirus24
Member

Why? pbr is a build requirement, not a runtime requirement

@sigmavirus24 sigmavirus24 added the invalid This doesn't seem right label Oct 23, 2022
@mikelolasagasti
Contributor Author

mikelolasagasti commented Oct 23, 2022

Running pip install bandit installs pbr as required by setup.py:

pip install bandit
Collecting bandit
  Downloading bandit-1.7.4-py3-none-any.whl (118 kB)
     |████████████████████████████████| 118 kB 5.0 MB/s            
Collecting GitPython>=1.0.1
  Downloading GitPython-3.1.29-py3-none-any.whl (182 kB)
     |████████████████████████████████| 182 kB 40.1 MB/s            
Collecting PyYAML>=5.3.1
  Downloading PyYAML-6.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (682 kB)
     |████████████████████████████████| 682 kB 120.2 MB/s            
Collecting stevedore>=1.20.0
  Downloading stevedore-4.1.0-py3-none-any.whl (50 kB)
     |████████████████████████████████| 50 kB 3.7 MB/s             
Collecting gitdb<5,>=4.0.1
  Downloading gitdb-4.0.9-py3-none-any.whl (63 kB)
     |████████████████████████████████| 63 kB 2.4 MB/s              
Collecting pbr!=2.1.0,>=2.0.0
  Downloading pbr-5.11.0-py2.py3-none-any.whl (112 kB)
     |████████████████████████████████| 112 kB 128.2 MB/s            
Collecting smmap<6,>=3.0.1
  Downloading smmap-5.0.0-py3-none-any.whl (24 kB)
Installing collected packages: smmap, pbr, gitdb, stevedore, PyYAML, GitPython, bandit
Successfully installed GitPython-3.1.29 PyYAML-6.0 bandit-1.7.4 gitdb-4.0.9 pbr-5.11.0 smmap-5.0.0 stevedore-4.1.0
WARNING: You are using pip version 21.3.1; however, version 22.3 is available.
You should consider upgrading via the '/tmp/bandit/test/env/bin/python3 -m pip install --upgrade pip' command.

Later remove pbr:

$ pip uninstall pbr
Found existing installation: pbr 5.11.0
Uninstalling pbr-5.11.0:
  Would remove:
    /tmp/bandit/test/env/bin/pbr
    /tmp/bandit/test/env/lib/python3.10/site-packages/pbr-5.11.0.dist-info/*
    /tmp/bandit/test/env/lib/python3.10/site-packages/pbr/*
Proceed (Y/n)? y
  Successfully uninstalled pbr-5.11.0

Bandit is not able to work without pbr:

$ bandit
Traceback (most recent call last):
  File "/tmp/bandit/test/env/bin/bandit", line 5, in <module>
    from bandit.cli.main import main
  File "/tmp/bandit/test/env/lib64/python3.10/site-packages/bandit/__init__.py", line 5, in <module>
    import pbr.version
ModuleNotFoundError: No module named 'pbr'

File bandit/__init__.py imports pbr:

bandit/__init__.py:import pbr.version
bandit/__init__.py:__version__ = pbr.version.VersionInfo("bandit").version_string()

I'm packaging Bandit for Fedora and pbr was being installed in the past as a dependency of stevedore. stevedore doesn't depend on pbr anymore, so in newer Fedora releases bandit started to fail. As I had to add a dependency on pbr, I guessed that adding it upstream would make sense.

@mportesdev
Contributor

> stevedore doesn't depend on pbr anymore

Which version are you referring to? I see that stevedore 3.5.2 and 4.1.0 both require pbr (!=2.1.0,>=2.0.0).

> File bandit/__init__.py imports pbr:
>
> bandit/__init__.py:import pbr.version
> bandit/__init__.py:__version__ = pbr.version.VersionInfo("bandit").version_string()

Yes, I agree that if it's directly imported by bandit, it should be explicitly specified in requirements.

@mikelolasagasti
Contributor Author

> > stevedore doesn't depend on pbr anymore
>
> Which version are you referring to? I see that stevedore 3.5.2 and 4.1.0 both require pbr (!=2.1.0,>=2.0.0).

Sorry, I meant runtime dep but stevedore never had it.

Let me add more context. stevedore package in Fedora used to have a runtime dep on pbr, but maintainers removed that dep as upstream stevedore doesn't require it for runtime, but kept dep for building phase.

https://src.fedoraproject.org/rpms/python-stevedore/c/4b53b0bdf5f7e694561a6bd5926e99dbe5f327be?branch=rawhide

bandit's runtime dep on pbr was satisfied when stevedore required pbr, but once it was removed from stevedore bandit started to fail because the missing runtime dep was not being installed.

@mikelolasagasti
Contributor Author

@sigmavirus24 any chance to reconsider the invalid tag?

@sigmavirus24 sigmavirus24 removed the invalid This doesn't seem right label Mar 10, 2023
@ericwb
Member

ericwb commented Jun 6, 2023

PR #1016 has removed the runtime dependency on pbr. As a result, I don't believe this PR is needed any longer.

@ericwb ericwb closed this Jun 6, 2023