How should I generate requirements.txt? Pip Freeze not a good way


Problem description

How should I generate requirements.txt for Python projects?

Here is the problem I am having with pip freeze. Suppose my package P requires A, B, C. Suppose C is a library that imports X, Y, Z, but only X is needed by P. Then if I:

1) Install A
2) Install B
3) Install C, which installs X, Y, Z
4) Do a pip freeze into P's requirements.txt 

Then P's requirements.txt will look like:

1) A
2) B
3) C
4) X
5) Y
6) Z

But Y and Z are not actually required in my Python installation for P to run.

As far as I can tell, running pip freeze to generate P's requirements will show you all dependencies of dependencies, and thus is a superset of P's actual dependencies.

Recommended answer

The purpose of a virtualenv is to have total control over the packages installed.

Suppose you only listed A, B, C, and X. Every time you create a new virtualenv from that requirements file, you'll get the latest versions of Y and Z. There are several problems with this:

  1. You can't know you're not using Y: For a sufficiently complex project, it is nearly impossible to audit every codepath to ensure C never calls into Y. You're not just worrying about your own code any more; you're worrying about C's code as well. This just doesn't scale.
  2. Even if you're just importing Y, you're using it: Python allows arbitrary code execution at import time. A new version of Y could do all sorts of obnoxious things at import time, such as printing to stdout, monkey patching X, or just about anything else you can imagine. A well-designed Y shouldn't do these things, but you'll find the quality of packages on PyPI highly variable.
  3. New versions of Y can pull in new dependencies: If you include a new version of Y, you could end up adding package W to your virtualenv too, because the new version of Y requires it. As more packages are added, the first two problems are exacerbated. Worse, you might find that the new version of Y depends on a newer version of X, in which case you won't end up with the packages you actually want.
  4. Producing a known-good configuration is more important: pip freeze is not designed to figure out minimal requirements. It is designed to enable deploying a complete application to many different environments consistently. That means it will err on the side of caution and list everything which could reasonably affect your project.

For these reasons, you should not try to remove Y and Z from your requirements file.
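
The check below is an added example, not part of the original answer: it walks the dependency closure of a requirements file and reports every package that would be installed without an `==` pin, which is the set that floats to "latest" when Y and Z are trimmed. The helper names (`floating`, `installed_requires`) and the sample data (`GRAPH`, `TRIMMED`, `FROZEN`) are constructed for illustration; against a real virtualenv the default lookup reads installed metadata through `importlib.metadata.requires`.

```python
import re
from importlib import metadata

NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def canon(name):
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Map each listed package to True if the file pins it with '=='."""
    listed = {}
    for line in text.splitlines():
        spec = line.split("#", 1)[0].split(";", 1)[0]  # drop comment and marker
        m = NAME.match(spec)
        if m:  # blanks, comments and option lines such as '-r base.txt' do not match
            listed[canon(m.group(1))] = "==" in spec
    return listed

def installed_requires(name):
    """Declared dependencies of a distribution installed in this environment."""
    try:
        return metadata.requires(name) or []
    except metadata.PackageNotFoundError:
        return []

def floating(text, requires=installed_requires):
    """Packages in the dependency closure of `text` that lack an '==' pin."""
    listed = parse_requirements(text)
    seen, stack, unpinned = set(), list(listed), set()
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        if not listed.get(pkg):
            unpinned.add(pkg)
        for req in requires(pkg):
            spec, _, marker = req.partition(";")
            m = NAME.match(spec)
            if m and "extra" not in marker:  # ignore optional extras
                stack.append(canon(m.group(1)))
    return sorted(unpinned)

# Constructed sample mirroring the question: C declares X, Y and Z.
GRAPH = {"c": ["X>=0.5", "Y", "Z"]}
TRIMMED = "A==1.0\nB==2.1\nC==3.2\nX==0.9\n"   # Y and Z removed by hand
FROZEN = TRIMMED + "Y==1.4\nZ==2.0\n"          # what pip freeze would emit

if __name__ == "__main__":
    print(floating(TRIMMED, lambda n: GRAPH.get(n, [])))  # the packages left unpinned
```

An empty result for the frozen file is the "known-good configuration" property the answer describes; a non-empty result in CI is a reasonable signal that a requirements file has been trimmed.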
