0

Situation:

  • Requirements for a Python package in requirements.txt
  • Dependency versions are pinned (good practice)
  • Dependency versions in requirements.txt should be kept in sync with equivalent Python packages in Debian stable

Example:

  • Python project depends on tenacity
  • Latest version of tenacity on PyPI: 9.0.0
  • tenacity is in stable repository: python3-tenacity
  • Version in stable repository: 8.2.1
  • Expected in requirements.txt: tenacity==8.2.1

Problem:

With every new Debian release, I have to manually sync package versions. This is boring and error-prone.

For inspiration, I looked at how large projects approach this. For Odoo, syncing is done manually: https://github.com/odoo/odoo/commit/172bf80de60e373a787c87643efe115e66f43e36

I can't imagine this use-case is very exotic, though, so: is there a generally accepted way to keep pinned versions in requirements.txt in sync with Debian stable?

dh_python3's --requires ensures that requirements in requirements.txt files are automatically added to Depends in debian/control.

Also good to note: I'm using dh_python3 with pybuild (so dh_python3's --requires option ensures dependencies are automatically added to debian/control).

Improve this question

1 Answer 1

Reset to default
0

If your ultimate goal is to generate version constraints on Python package dependencies in debian/control, note that Debian packages of Python modules usually try to avoid that: they only specify version ranges, if anything. See for example two of the Python packages I maintain: python3-pyqt5.qtchart and python3-pyqt6.qtcharts.

To pin versions, as far as I’m aware the generally accepted way is as follows. Assuming all the required packages are installed on your Debian system, asking pip to freeze the requirements again will update them to match the installed packages:

pip freeze --requirement requirements.txt | sed '/^\s*#.*pip freeze/,$ d' > new-requirements.txt

You can then check new-requirements.txt and replace requirements.txt with it if everything’s OK.

The sed filter is used to remove potentially transitive dependencies added by pip.

Improve this answer
8
  • "Assuming all the required packages are installed on your Debian system." That is not guaranteed to be the case. Commented Aug 14, 2024 at 12:27
  • You asked if there’s a generally accepted way ;-). (Although specifically pinning packages isn’t a great idea for debian/control.) If you don’t have the packages installed, how do you intend to build the dh_python3-based package? Commented Aug 14, 2024 at 12:33
  • Sorry, I'm not sure if I understand; I'm not pinning anything in d/control. Re building: that does not happen where development happens. Commented Aug 14, 2024 at 13:02
  • Right, my first sentence isn’t particularly clear. When you have your .deb package, does dpkg-deb -I ${YOUR_PACKAGE}.deb show strict version constraints on the python3-… dependencies? That’s what I’m referring to by “generate version contraints on Python package dependencies”. If your ultimate goal is to produce a .deb package, you could avoid a lot of bother by not specifying those version constraints. Commented Aug 14, 2024 at 13:09
  • Thanks for clarifying. dh_python3 doesn't take over version constraints, so the answer to your question is 'no'. But for local development purposes (as mentioned, not necessarily on Debian), it's necessary to use the same versions as in Debian stable, hence the question on how to (semi-)automatically sync dependency versions between requirements.txt and Debian stable. Commented Aug 14, 2024 at 16:44

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.