Wednesday, 23 June 2021

Make Existing Package Version in Virtual Environment Stick

I have a utility called backup-tool (fictional). This has a direct dependency on a third-party library called security-utils (fictional, again). And this dependency has a dependency on cryptography (a real dependency). So, backup-tool has a transitive dependency on cryptography. No particular versions are demanded by either backup-tool or security-utils.

Now I have two servers: one running Linux, and one running FreeBSD. I create a virtual environment on Linux and run pip install backup-tool under it. Everything works fine.

On FreeBSD, cryptography with the version 2.9.2 can be installed without any issues. Other versions, however, cause a build failure. (Workarounds could be found, for sure, but this is not the point.)

Now I set up a virtual environment and pre-install the right version using pip install cryptography==2.9.2. Later on—this is all set up in an automated pipeline, and I cannot join those two steps—my tool is installed using pip install backup-tool. The transitive dependency on cryptography is resolved as a version 3.x, which doesn't work.

However, if I run pip install backup-tool cryptography==2.9.2 in a single step, everything works. This means that backup-tool is compatible with cryptography version 2.9.2.

My question: Is it possible to hint to pip within the virtual environment that no other version of cryptography should be installed, if it is already there? The dependency tree could as well be resolved to match the version already installed, but the latest version is picked instead.

I could further specify the (transitive) dependency cryptography==2.9.2 in the requirements.txt or setup.py of backup-tool. But since this is an environment constraint rather than a software constraint, it would be a useless restriction for most setups.
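
One way to get the behaviour asked about, as an added example that is not part of the original post: pip's constraints mechanism (`-c` / `PIP_CONSTRAINT`) limits which versions may be chosen without requesting any installation, so the pin can live in the environment instead of in backup-tool. The helper names `normalize` and `freeze_to_constraints` and the `constraints.txt` path are assumptions made for this sketch.

```shell
# Added example: turn versions already installed in a virtual environment
# into a pip constraints file, so a later `pip install` cannot replace them.

# PEP 503 name normalisation: lowercase, runs of "-", "_", "." become "-".
normalize() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/[-_.][-_.]*/-/g'
}

# Read `pip freeze` output on stdin; print "name==version" for each package
# named in the arguments. Fails if a package is missing or is not an exact
# pin (for example an editable or "name @ file://..." install).
freeze_to_constraints() {
    frozen=$(cat)
    status=0
    for wanted in "$@"; do
        want=$(normalize "$wanted")
        match=''
        while IFS= read -r line; do
            case $line in
                *==*) name=${line%%==*} ;;
                *) continue ;;
            esac
            if [ "$(normalize "$name")" = "$want" ]; then
                match="$want==${line#*==}"
                break
            fi
        done <<EOF
$frozen
EOF
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
        else
            echo "not pinned in environment: $wanted" >&2
            status=1
        fi
    done
    return $status
}

# Usage inside the activated virtual environment, after the pre-install step:
#   pip freeze | freeze_to_constraints cryptography > "$VIRTUAL_ENV/constraints.txt"
#   export PIP_CONSTRAINT="$VIRTUAL_ENV/constraints.txt"
#   pip install backup-tool
```

With the constraint exported, the later pipeline step either resolves cryptography to the pinned version or fails with a resolution error, rather than silently installing a different release.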
