[Zope-dev] Bad package dependencies

Chris McDonough chrism at plope.com
Thu Nov 1 23:43:24 EDT 2007 

In summary:

- Uploading eggs that have loose install_requires dependencies to the  
cheeseshop is harmful.

- Taking non-Zope-the-appserver deployments into account, I'd be  
suspicious of any "install_requires"
   dependency on "zope.configuration" except in a Zope-the-appserver  
meta-egg.

- Same for the [zcml] extra when specifying 'zope.component' in  
install_requires.

- The dependencies of zope.configuration seem not sane, transitively.

- The dependencies of zope.component [zcml] seem not sane, transitively
   (although 'zope.component' without the [zcml] is reasonably sane).

Details:

I wanted to go use zope.pagetemplate in a small non-Zope project.   
When I did "easy_install zope.pagetemplate" (from PyPI) into a fresh  
virtual environment, it installed all of the following eggs:

./zope.pagetemplate-3.4.0-py2.4.egg
./zope.tal-3.4.0-py2.4.egg
./zope.tales-3.4.0-py2.4.egg
./zope.interface-3.4.1-py2.4-macosx-10.3-i386.egg
./zope.i18n-3.4.0-py2.4.egg
./zope.i18nmessageid-3.4.3-py2.4-macosx-10.3-i386.egg
./zope.configuration-3.4.0-py2.4.egg
./zope.component-3.4.0-py2.4.egg
./pytz-2007g-py2.4.egg
./zope.schema-3.4.0-py2.4.egg
./zope.deprecation-3.4.0-py2.4.egg
./zope.proxy-3.4.0-py2.4-macosx-10.3-i386.egg
./zope.security-3.4.0-py2.4-macosx-10.3-i386.egg
./zope.event-3.4.0-py2.4.egg
./zope.deferredimport-3.4.0-py2.4.egg
./zope.testing-3.5.1-py2.4.egg
./zope.location-3.4.0-py2.4.egg
./zope.exceptions-3.4.0-py2.4.egg
./zope.traversing-3.4.0-py2.4.egg
./zope.publisher-3.4.1-py2.4.egg
./zope.app.applicationcontrol-3.4.1-py2.4.egg
./zope.app.testing-3.4.1-py2.4.egg
./zope.size-3.4.0-py2.4.egg
./zope.error-3.5.1-py2.4.egg
./zope.app.security-3.4.0-py2.4.egg
./zope.app.publication-3.4.3-py2.4.egg
./zope.app.folder-3.4.0-py2.4.egg
./zope.app.dependable-3.4.0-py2.4.egg
./zope.app.debug-3.4.0-py2.4.egg
./zope.app.container-3.5.2-py2.4-macosx-10.3-i386.egg
./zope.app.component-3.4.1-py2.4.egg
./zope.app.authentication-3.4.1-py2.4.egg
./zope.annotation-3.4.0-py2.4.egg
./zope.app.appsetup-3.4.1-py2.4.egg
./ZODB3-3.8.0b4-py2.4-macosx-10.3-i386.egg
./zope.app.publisher-3.5.0a2-py2.4.egg
./zope.app.pagetemplate-3.4.0-py2.4.egg
./zope.app.form-3.4.1-py2.4.egg
./zope.app.exception-3.4.1-py2.4.egg
./zope.app.error-3.5.1-py2.4.egg
./zope.app.http-3.4.1-py2.4.egg
./zope.dublincore-3.4.0-py2.4.egg
./zope.datetime-3.4.0-py2.4.egg
./zope.copypastemove-3.4.0-py2.4.egg
./zope.app.broken-3.4.0-py2.4.egg
./zope.filerepresentation-3.4.0-py2.4.egg
./zope.lifecycleevent-3.4.0-py2.4.egg
./zope.dottedname-3.4.2-py2.4.egg
./zope.cachedescriptors-3.4.0-py2.4.egg
./zope.app.zapi-3.4.0-py2.4.egg
./zope.thread-3.4-py2.4.egg
./zope.formlib-3.4.0-py2.4.egg
./zope.app.interface-3.4.0-py2.4.egg
./zope.app.session-3.5.1-py2.4.egg
./zdaemon-2.0.1-py2.4.egg
./ZConfig-2.5-py2.4.egg

Once it gets past ZConfig, it then failed with:

error: Installed distribution zope.traversing 3.4.0 conflicts with  
requirement zope.traversing>=3.5.0a1.dev-r78730

The transitive install_requires dependencies of zope.pagetemplate  
3.4.0 can't possibly be right, or at least they're much too  
conservative.

The problem starts in the install_requires of zope.i18n:

     install_requires=['setuptools',
                       'pytz',
                       'zope.i18nmessageid',
                       'zope.component [zcml]',
                       'zope.configuration',
                       ],

zope.i18n should not depend on zope.configuration in install_requires,  
because it's only used in it's "zcml.py" and if you use it as a  
library (as opposed to as a Zope plugin) you won't load up any of its  
zcml; even if "important" stuff gets registered, it's expected that  
you'll have to do it by hand when it's used as a library.

The dependency on 'zope.component [zcml]' is legitimate except for the  
[zcml] part for the same reason.

The install_requires for the zope.pagetemplate setup.py (at least for  
3.4.0) should be:

     install_requires=['setuptools',
                       'pytz == 2007g',
                       'zope.i18nmessageid == 3.4.3',
		      'zope.component == 3.4.0',
                       ],

When I build a new zope.i18n (3.4.0) egg with these dependencies, its  
transitive dependency set when installed is:

pytz-2007g-py2.4.egg
setuptools-0.6c7-py2.4.egg
zope.component-3.4.0-py2.4.egg
zope.deferredimport-3.4.0-py2.4.egg
zope.deprecation-3.4.0-py2.4.egg
zope.event-3.4.0-py2.4.egg
zope.i18n-3.4.0-py2.4.egg
zope.i18nmessageid-3.4.3-py2.4-macosx-10.3-i386.egg
zope.interface-3.4.1-py2.4-macosx-10.3-i386.egg
zope.proxy-3.4.0-py2.4-macosx-10.3-i386.egg

.. which is acceptable, I think.  Once that's done, the additional  
dependencies imposed by zope.pagetemplate are:

zope.pagetemplate
zope.tal
zope.tales

.. and it works as a library:

Python 2.4.4 (#1, Oct 17 2007, 20:25:32)
[GCC 4.0.1 (Apple Computer, Inc. build 5250)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
 >>> from zope.pagetemplate.pagetemplatefile import PageTemplate
 >>> my_pt = PageTemplate()
 >>> my_pt.write("<html></html>")
 >>> my_pt()
u'<html></html>\n'

I ran all unit tests by hand, as opposed to risking false passes due  
to installations that would come from tests_require when invoked via  
setup.py test and they work.  I've uploaded the revised zope.i18n  
tarball here:

http://dist.repoze.org/zope.i18n-3.4.0.1-repoze.tar.gz

The current release of zope.pagetemplate on PyPI just can't be  
installed via easy_install due to a conflict, probably because  
somebody uploaded a new egg and some dependency isn't specific  
enough.  Removing the dependency on "zope.configuration" and  
"zope.component [zcml]" (replacing it with "zope.component") in my  
case happens to fix that for me temporarily but this is indicative of  
a larger problem.  Distributions made with "install_requires"  
specifications that do not name a particular "==" version or at least  
a min-max range should not be uploaded to the cheeseshop (as opposed  
to a private repository that has a smaller working set and to whom  
fewer people contribute), because their existence is just pollution  
for people who try to install them using easy_install.  The transitive  
dependency set will inevitably break over time as new (incompatible)  
eggs are uploaded, as the Grok folks already know.

I think fixing this sort of stuff is important if it's a goal to allow  
people to use Zope technologies outside of Zope-the-appserver.  I'd  
like to participate by making new releases, but I'm not sure whose  
toes I'd be stepping on, and I think I'd need guidance from people who  
understand why things are the way they are now.  Maybe we should have  
a sprint.

- C

More information about the Zope-Dev mailing list