Should I pin my Python dependencies versions?

Question

I am about to release a Python library I've been working on the past few weeks. I've read a lot about Python dependencies but something is not quite clear yet:

Some people pretend you should never pin your dependencies versions as it would prevent the users of your library from upgrading those dependencies.

Some other claim that you should always pin your dependencies versions as it is the only way of guaranteeing that your release works the way it did when you developed it and to prevent that a breaking change in a dependency wreaks havoc in your library.

I somehow went for a hybrid solution, where I assumed my dependencies used semantic versioning and pinned only the major version number (say somelib >= 2.3.0, < 3) except when the major version number is 0 (semantic versioning dictates that such versions are to be considered volatile and may break the API even if only the patch number is bumped).

As of now, I'm not sure which way is the best. Is there an official guideline (even a PEP perhaps?) that dictates the best practice regarding Python dependencies and how to specify them?

Answer

You should always pin your dependencies as it increases the possibility of safe, repeatable builds, even as time passes. The pinned versions are your declaration as a package maintainer that you've verified that your code works in a given environment. This has a nice side effect of preserving your sanity as you won't be inundated with bug reports in which you have to play inspector into every package codependency and system detail.

Users can always choose to ignore the pinned dependency-versions and do so at their own risk. However, as you release new versions of your library, you should update your dependency versions to take in improvements and bug fixes.

The section of PEP 426 about Semantic dependencies (Metadata for Python Software Packages) states:

"Dependency management is heavily dependent on the version identification and specification scheme defined in PEP 440 (PEP 440 - Version Identification and Dependency Specification)."

From this, I infer that the authoritative "best practice" is to version your dependencies, as the relationship of the PEP on packaging is stated to be "heavily dependent" on the versioning details outlined by the related PEP.
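To make the difference between the two policies concrete, the following is an added example (not code from the question, the answer, or any project they mention). It implements a small evaluator for plain PEP 440 release versions (X.Y.Z) with the operators ==, !=, <, <=, >, >= and lists which candidate releases each policy admits: the exact pin the answer recommends, the major-capped range from the question's hybrid approach, and no constraint at all. The candidate version lists are constructed for illustration, and the reading that "except when the major is 0" means an exact pin is my assumption, not something the question states. The point for repeatable builds is visible in the output: an exact pin admits exactly one release, so a later upstream release cannot change what gets installed without the maintainer updating the pin.

```python
"""Compare dependency-version policies by the releases each one admits.

Added example for this thread, not code from the original question or
answer. Handles plain release versions (X.Y.Z) and the PEP 440 operators
==, !=, <, <=, >, >=. The candidate releases at the bottom are constructed.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "==": lambda v, w: v == w,
    "!=": lambda v, w: v != w,
    "<=": lambda v, w: v <= w,
    ">=": lambda v, w: v >= w,
    "<": lambda v, w: v < w,
    ">": lambda v, w: v > w,
}
_CLAUSE = re.compile(r"\s*(==|!=|<=|>=|<|>)\s*([\d.]+)\s*")


def parse_version(text: str) -> Version:
    """Parse a release version such as '2.3.0' into a comparable tuple.

    Trailing zeros are stripped so that 2.3 and 2.3.0 compare equal, as
    PEP 440 requires for release segments.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_specifier(spec: str) -> List[Tuple[str, Version]]:
    """Split 'op version, op version' into (operator, version) clauses.

    An empty specifier means 'no constraint' and yields no clauses.
    """
    if not spec.strip():
        return []
    clauses = []
    for clause in spec.split(","):
        match = _CLAUSE.fullmatch(clause)
        if match is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((match.group(1), parse_version(match.group(2))))
    return clauses


def satisfies(version: str, spec: str) -> bool:
    """True when every clause of the specifier accepts the version."""
    candidate = parse_version(version)
    return all(_OPS[op](candidate, wanted) for op, wanted in parse_specifier(spec))


def hybrid_specifier(tested: str) -> str:
    """The question's hybrid rule as a specifier string.

    Major >= 1: allow the whole tested major series (>=tested,<next major).
    Major == 0: semver treats every bump as a potential API break, so fall
    back to an exact pin (assumption about what 'except when the major
    version number is 0' means in the question).
    """
    parsed = parse_version(tested)
    if parsed[0] == 0:
        return f"=={tested}"
    return f">={tested},<{parsed[0] + 1}"


def admitted(spec: str, candidates: List[str]) -> List[str]:
    """Candidate releases the specifier would let the installer pick."""
    return [c for c in candidates if satisfies(c, spec)]


def compare_policies(tested: str, candidates: List[str]) -> Dict[str, List[str]]:
    """Admitted releases under each policy, given the version the maintainer tested."""
    return {
        "exact pin (answer)": admitted(f"=={tested}", candidates),
        "major-capped (question)": admitted(hybrid_specifier(tested), candidates),
        "unpinned": admitted("", candidates),
    }


# Constructed candidate releases of a hypothetical 'somelib' on an index.
CANDIDATES = ["2.2.9", "2.3.0", "2.3.1", "2.9.0", "3.0.0"]
CANDIDATES_0X = ["0.4.1", "0.4.2", "0.5.0"]

if __name__ == "__main__":
    for policy, versions in compare_policies("2.3.0", CANDIDATES).items():
        print(f"{policy:26} -> {versions}")
    print(f"0.x hybrid rule for 0.4.1 -> {hybrid_specifier('0.4.1')}")
    print(f"admits: {admitted(hybrid_specifier('0.4.1'), CANDIDATES_0X)}")
```

Run as a script it shows that the exact pin admits only 2.3.0, the major-capped range admits 2.3.0, 2.3.1 and 2.9.0 but rejects 3.0.0, and the unconstrained policy admits every candidate; for a 0.x dependency the hybrid rule collapses to an exact pin.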
