Deprecate --allow-unsafe option #989
Comments
atugushev
added
deprecation
|
As a user, I'd love to see this! I find both the flag and the warning message printed without the flag confusing. |
In future versions of pip-tools, the --allow-unsafe behavior will used by default. Adding the --no-allow-unsafe option now allows users to continue using the old behavior in a backward compatible way. Refs #989
|
Out of curiosity, does anyone know the reason why these packages were considered unsafe in the first place? I tried to track it down a while back to assure myself that |
|
I don't know, but atugushev asked the same question back in 2019 and tagged some people who might know, and no one offered any answers. So it seems like whatever the answer is, we're not super likely to find someone who remembers. atugushev also noted in that thread that "unsafe packages are also used in pip-sync to ignore uninstall those packages," so maybe another guess could be that they were originally marked as "unsafe" packages because they were unsafe to uninstall rather than unsafe to pin, and that concept spread to other parts of the codebase accidentally. |
|
Thanks! I never considered that pip-sync may be a factor. I just sort of assumed that it was copied from pip where setuptools, and later pip and wheel, have been excluded from freeze for time immemorial (the migration to git in 2008). |
|
Would it be time to do the switch? |
|
@atugushev I'm unclear of the scope of this issue... is it:
Anyway, curious what's the next action on this issue? |
|
It's stated on deprecations section.
We simply forgot to switch the default in |
|
I'd love to understand why these packages are considered (un)safe for pining... One thing that comes to my mind: My application is really an application and not a library. I have a fully pinned set of dependencies, and my users should never use other versions (yes, we release updates if libraries have security fixes that are applicable to our usage of them). So the requirements.txt from pip-compile is used for my package's install_requires metadata. Now, when someone who's installing that app creates a venv, then that venv contains pip and setuptools. Not sure which version is chosen, "latest" would be my expectation especially for pip. But now I AFAIK pip and setuptools are both VERY strict about backwards compatibility and I'd even consider them part of the Python stdlib even though they aren't really part of it. So why would I want to pin those...? If there was at least an option to exclude those packages (either as "unsafe" or just ignoring them) without having to specify this on the command line all the time (e.g. a config file), I think the change of the default wouldn't feel so annoying. |
|
setuptools is not particularly strict about backwards compatibility. I've been broken by it many times over. The community is moving away from setuptools having any sort of special-cased position in the ecosystem. There's maybe more of an argument for pip, since it's special-cased by stdlib via IMO, pip-tools is definitely doing the right thing by changing the default here. If explicitly specifying |
This is to match the `pip freeze` requirements compilation method. It's not clear to me if we actually want this behaviour or not. If seems `pip freeze` will exclude dependencies of itself: https://pip.pypa.io/en/stable/cli/pip_freeze/#cmdoption-all Even if there are other packages installed that depend on those dependencies. `uv pip compile`, and now the original `pip-compile` both have decided to include setuptools in generated requirements files: astral-sh/uv#1353 jazzband/pip-tools#989 (comment) So I'm not sure if we have a reason for going against this here or if they were just being excluded because that's what pip freeze does. Hopefully we can drop this commit and use the default behaviour in the future. For now when I'm trying to provide the new backend it's here to make the diff of generated files more precise. This message prefix to identify a pip compile comment was taken from these examples: # The following packages were excluded from the output: # setuptool # The following packages are considered to be unsafe in a requirements file: # setuptools==41.4.0 # via protobuf
This is to match the `pip freeze` requirements compilation method. It's not clear to me if we actually want this behaviour or not. If seems `pip freeze` will exclude dependencies of itself: https://pip.pypa.io/en/stable/cli/pip_freeze/#cmdoption-all Even if there are other packages installed that depend on those dependencies. `uv pip compile`, and now the original `pip-compile` both have decided to include setuptools in generated requirements files: astral-sh/uv#1353 jazzband/pip-tools#989 (comment) So I'm not sure if we have a reason for going against this here or if they were just being excluded because that's what pip freeze does. Hopefully we can drop this commit and use the default behaviour in the future. For now when I'm trying to provide the new backend it's here to make the diff of generated files more precise. This message prefix to identify a pip compile comment was taken from these examples: # The following packages were excluded from the output: # setuptool # The following packages are considered to be unsafe in a requirements file: # setuptools==41.4.0 # via protobuf
This is to match the `pip freeze` requirements compilation method. It's not clear to me if we actually want this behaviour or not. If seems `pip freeze` will exclude dependencies of itself: https://pip.pypa.io/en/stable/cli/pip_freeze/#cmdoption-all Even if there are other packages installed that depend on those dependencies. `uv pip compile`, and now the original `pip-compile` both have decided to include setuptools in generated requirements files: astral-sh/uv#1353 jazzband/pip-tools#989 (comment) So I'm not sure if we have a reason for going against this here or if they were just being excluded because that's what pip freeze does. Hopefully we can drop this commit and use the default behaviour in the future. For now when I'm trying to provide the new backend it's here to make the diff of generated files more precise. This message prefix to identify a pip compile comment was taken from these examples: # The following packages were excluded from the output: # setuptool # The following packages are considered to be unsafe in a requirements file: # setuptools==41.4.0 # via protobuf
This is to match the `pip freeze` requirements compilation method. It's not clear to me if we actually want this behaviour or not. If seems `pip freeze` will exclude dependencies of itself: https://pip.pypa.io/en/stable/cli/pip_freeze/#cmdoption-all Even if there are other packages installed that depend on those dependencies. `uv pip compile`, and now the original `pip-compile` both have decided to include setuptools in generated requirements files: astral-sh/uv#1353 jazzband/pip-tools#989 (comment) So I'm not sure if we have a reason for going against this here or if they were just being excluded because that's what pip freeze does. Hopefully we can drop this commit and use the default behaviour in the future. For now when I'm trying to provide the new backend it's here to make the diff of generated files more precise. This message prefix to identify a pip compile comment was taken from these examples: # The following packages were excluded from the output: # setuptool # The following packages are considered to be unsafe in a requirements file: # setuptools==41.4.0 # via protobuf
This is to match the `pip freeze` requirements compilation method. It's not clear to me if we actually want this behaviour or not. If seems `pip freeze` will exclude dependencies of itself: https://pip.pypa.io/en/stable/cli/pip_freeze/#cmdoption-all Even if there are other packages installed that depend on those dependencies. `uv pip compile`, and now the original `pip-compile` both have decided to include setuptools in generated requirements files: astral-sh/uv#1353 jazzband/pip-tools#989 (comment) So I'm not sure if we have a reason for going against this here or if they were just being excluded because that's what pip freeze does. Hopefully we can drop this commit and use the default behaviour in the future. For now when I'm trying to provide the new backend it's here to make the diff of generated files more precise. This message prefix to identify a pip compile comment was taken from these examples: # The following packages were excluded from the output: # setuptool # The following packages are considered to be unsafe in a requirements file: # setuptools==41.4.0 # via protobuf
I'm starting to think it might make sense to deprecate
--allow-unsafeand make it the default behavior, but that would be as a separate issue/PR for discussion.Originally posted by @jcushman in #806 (comment)
Additional context
pypa/pip#6459
https://stackoverflow.com/a/58864335/1529164
The text was updated successfully, but these errors were encountered: