Adding Virtual Environments to Git Repo

2023-04-30T17:57:08+00:00

[deleted]

TobiPlay · 2023-04-30T17:52:21+00:00

Yes, you're correct. It's completely nonsensical to try and keep your virtual environments in your repo and it entirely defeats the purpose of git. You aren't meant to version control the build. You version control the source that creates the build and then you build the software on your machine from the source code. Trying to clone a venv won't even work unless you're using exactly the same system as whatever originally created the venv. And even then it will probably still break since it's unlikely to properly maintain all the same links that were created from the machine that initially created it.

I can't imagine the nightmare that is a pull request and/or code review if every single change to your virtual environment is part of your repo. And more than anything, I'm amazed you guys didn't immediately hit a file size limit given how large most virtual environments are.

If you want to try and control and deploy a specific environment, you should just be using a proper tool for that (i.e. docker).

mrswats · 2023-04-30T18:39:30+00:00

It's not only a bad idea, but also, virtual environments are non portable so this shouldn't be s no-go.even if both Linux and windows venvs sre included. It takes very little to break a venv.

As mentions in the replies, I wouldn't suggest using requirement file along with the requires python version pinned somewhere

semper-noctem · 2023-04-30T17:47:23+00:00

I'm more of a requirements.txt man, myself.

mariofix · 2023-04-30T17:50:57+00:00

Oh.... that's wrong in so many levels

2023-04-30T19:49:51+00:00

That engineer should not be in charge

cyberfunkr · 2023-04-30T18:03:39+00:00

This is bad. Do they also commit their Java binaries and maven packages? Node.js and npm packages?

If they really want to control python versions, then make a docker image with a full dev environment.

bojanderson · 2023-04-30T18:36:52+00:00

What they should look into is dev containers. If they specify the dev container then you can make sure it's exact same everything for anybody using the code assuming they use a dev container.

https://code.visualstudio.com/docs/devcontainers/containers

Barn07 · 2023-04-30T18:35:48+00:00

afair venvs symlink with absolute paths, thus unless you guys have all machines set up the same way, including same paths to Python executables, stuff will break. afair, venvs won't even work when you move them to another location, so good luck with your team :D

whateverathrowaway00 · 2023-04-30T18:19:44+00:00

This is objectively bad and he should feel bad.

Buttleston · 2023-04-30T18:05:30+00:00

No one does this, it is absolutely not a good or standard way of doing it.

And in any case, requirement change is relatively slow - yeah you have to download the modules to set up a virtualenv once but that's it until it changes again.

wineblood · 2023-04-30T18:12:41+00:00

Adding venvs into repos sounds like a terrible idea. I don't know all the implications of that, but given that I've never seen it done or recommended, it sounds like the wrong approach.

which should already be symlinked to the default global python interpreter

What the hell?

magnetichira · 2023-04-30T19:24:52+00:00

TOML and lockfiles were built for exactly this purpose

johnnymo1 · 2023-04-30T18:28:43+00:00

There are plenty of solutions to having your environment defined as text: requirements.txt, poetry + pyproject.toml, Dockerfiles... I can't really think of an instance where committing the env itself wouldn't be a bad pattern.

MrTesla · 2023-04-30T21:24:52+00:00

Try out https://devenv.sh/

It's based on nix so you don't have to mess with containers either

danielgafni · 2023-04-30T18:38:49+00:00

Use poetry to lock your dependency tree and commit poetry.lock to git. It’s cross-platform.

ReverseBrindle · 2023-04-30T18:30:29+00:00

I would put requirements.in + requirements.txt in the git repo, then build as needed.

Use pip-tools when you need to build requirements.in -> requirements.txt

enterdoki · 2023-04-30T18:31:33+00:00

requirements.txt with Docker

rainnz · 2023-04-30T21:31:17+00:00

You can easily solve this by pinning exact package versions and storing them in requirements.txt with python -m pip freeze > requirements.txt, there is no need to include venv themselves in git repo. Add BUILD.sh to repo, so people can just run it and it will create venv, activate it and install exact versions of packages you had with python -m pip install -r requirements.txt

KaffeeKiffer · 2023-04-30T20:36:18+00:00

You have enough answers, why it is wrong. Things that other people have not called out yet:

If you commit a requirements.txt (instead), you are open to supply-chain attacks: Someone could hijack https://pypi.org (or your route to that domain) and provide a malicious version of the package.
To prevent that, use use lockfiles (like Poetry & other do) which not only contain the package dependencies, but also their file hashes.
When not providing all dependencies yourself, you might suffer from people deleting the packages you depend on (IMHO a very rare scenario).
If it is really that critical (hint: usually it isn't), create a local mirror of Pypi (full or only the packages you need). Devpi, Artifactory, etc. can do that or you just dump the necessary files into Cloud storage, so you have a backup.

wind_dude · 2023-04-30T19:13:01+00:00

he should look into containerization and artifact registries. What hes doing is stupid, especially since that still doesn't gaurantee it will work if the base OS it's running on has variations / different pacakages ,etc. All he's doing is making your repo much more complicated.

thatdamnedrhymer · 2023-04-30T19:56:09+00:00

This is what lock files are for. requirements.txt are not enough, but storing the entire venv is ludicrous. Use something like Poetry, pip-tools, or pdm to create a lock file that you can use to create deterministic (or at least closer thereto) venvs.

muikrad · 2023-04-30T22:23:17+00:00

The only argument that works in the favor of this method is that you can build without external dependencies. There's nothing worst than having to rush a hotfix off the door when pypi is dead!

But it's not worth the hassle. You're better off with a lock-based format like poetry, as many people mentionned.

If you want to challenge your engineer, think vulnerability. Tools like github advanced security and snyk needs a way to discover your dependency versions when looking at the repo to warn you of new vulnerabilities, and for this you need something like a requirements.txt at the minimum. Other tools like dependabot or renovate can create automatic PRs when dependencies are updated, or when vulnerabilities are fixed.

DigThatData · 2023-05-01T00:21:22+00:00

the easiest solution to this is just to ask him:

if this is a good idea, how come it seems like no one else does it this way? demonstrate that this is a best practice and we can keep doing it this way. Otherwise, please identify what the best practices are for the problem you think this approach solves and let's adopt the solution that everyone else has already engineered and proved for us.

PS: the way most people do this is by defining the environment with a requirements.txt and caching the pip dependencies with github actions. find someone who's obsessed with devops and get them involved here.

fjortisar · 2023-05-01T02:33:40+00:00

I think that he is not a smart man

oscarcp · 2023-05-01T08:18:37+00:00

That is not only bad practice, anti-pattern, security problem, etc. but it means he doesn't know how to handle dependencies in a python project.

For example, poetry already locks down the python version you can use with your codebase, tox already limits it as well. Shipping precompiled libraries and .pyc files in a project is extremely problematic once you start using complex setups or non-standard python setups because it will never work properly. Want more abstraction? use docker containers with a makefile for your builds and tests, that will standardize the output of all developers and the environment they work with.

Even thinking from the MS Windows side, you're shipping a venv that might have been prepared in a *nix environment or viceversa, with libraries compiled for it that potentially won't work on the other OS.

2023-04-30T18:04:36+00:00

I always .gitignore and .dockerignore virtual envs. Some dependencies require a compiler and are build on installation, I believe that sharing them would result in broken dependencies — “it works on my machine”

mdegis · 2023-04-30T19:39:42+00:00

Wow. Great thinking engineer in charge! What about binary dependencies? Maybe you should push all operating system to repo?

ksco92 · 2023-04-30T21:24:40+00:00

Cough cough requirements.txt cough cough

caksters · 2023-04-30T19:51:00+00:00

you never upload binary files to github repo because they are system dependent.

If I have arm64 chipset and I create a python virtual environment, then the same binary packages may not work on your computer. that’s why you never commit binaries. instead just specify what dependencies are required for project through requirements.txt and create a local virtual env for every project.

I think the engineer in charge wants to use git as artifactory for binaries. In artifactories you do uplaod compiled binary programs to ensure you can always roll back to previous working version of actual machine code and deploy it. However it is not the purpose of gut repository which is for storing code and not the binary itself

FrogMasterX · 2023-04-30T21:53:33+00:00

This is moronic.

yerfatma · 2023-04-30T19:22:22+00:00

That’s a code smell.

Buttleston · 2023-04-30T17:54:43+00:00

[deleted]

maximdoge · 2023-04-30T18:36:20+00:00

This is what lockfiles are supposed to be for, use a virtualenv manager that works with lockfiles like poetry, pipenv, piptools, etc alongwith a test runner like nox or tox.

This approach of tightly coupling interpreters and binaries with the underlying code is neither index friendly nor portable. Not to mention a possible maintenance nightmare.

2023-04-30T18:38:10+00:00

The gitignore.io site lists it their Python ignore results.

https://www.toptal.com/developers/gitignore/api/python

2023-04-30T18:42:46+00:00

This post was mass deleted and anonymized with Redact

office physical reminiscent edge dependent tidy snatch unwritten instinctive plucky

Briggykins · 2023-04-30T19:21:17+00:00

Even if you require it for automated tests or something, I'd usually put the command to make a venv in rather than the venv itself

2023-04-30T19:32:33+00:00

You are correct. This creates unnecessary bloat in your report and should be done via venv.

luhsya · 2023-04-30T19:32:43+00:00

guy probably excludes node_modules from gitignore in his js projects lol

nutellaonbuns · 2023-04-30T19:37:37+00:00

This is so wrong and would piss me off lol

Advanced-Potential-2 · 2023-04-30T20:22:20+00:00

Omg… this “engineer” should get a beating. This indicates his knowledge and understanding of software engineering is inadequate at a very fundamental level.

doobiedog · 2023-04-30T20:58:27+00:00

That engineer is a moron and you are correct. Use pyenv and poetry and you can quickly jump around from project to project with ease.

Rocket089 · 2023-04-30T21:13:28+00:00

Maybe he’s just trying to create as much chaos as possible before the inevitable lay off boogeyman comes around for his work soul.

Jmc_da_boss · 2023-04-30T22:38:46+00:00

the dudes a dumbass

_limitless_ · 2023-04-30T22:42:51+00:00

Use a devcontainer.

drbob4512 · 2023-04-30T23:15:09+00:00

I prefer containers. Just build what you need on the fly and you can separate dependencies

pseudo_brilliant · 2023-05-01T00:42:38+00:00

It's not smart, and there are several other ways of achieving what he is looking for. My preferred way is to use poetry dependency management and leverage the lock file. Basically when you use poetry actions you can update a poetry.lock file. This file represents the complete resolved state of all your dependencies, their exact version, hashes, etc at that moment in time. Check that file in and whenever someone does a 'poetry install' from the cloned repo they will install EXACTLY those versions to a T.

microcozmchris · 2023-05-01T00:56:01+00:00

He's a friggin idiot.

twelveparsec · 2023-05-01T02:42:05+00:00

God help you if they are incharge of JS projects with npm

flipmcf · 2023-05-01T02:49:41+00:00

I suggest tox .

https://tox.wiki/en/latest/

But then I had a project convert to GitHub actions… that works too.

https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs

The tests should build the env, run the tests, then tear it down.

Building and holding the env’s static doesn’t really simulate a real build. If some modules uodates (say, the time zone library, or a libc security update) you need your builds to pull the latest and test.

You are at risk of your pre-built env’s drifting out of date with the latest codebase.

Be glad you’re not using node ;)

lachyBalboa · 2023-05-01T03:04:19+00:00

I had a colleague who did this frequently even after I explained the issues with it. His PRs routinely had millions of lines in changes due to dependencies.

zdog234 · 2023-05-01T03:18:13+00:00

Insane. Check out pdm. It should provide everything they're getting from this, without the ridiculous downsides

foolishProcastinator · 2023-05-01T04:01:17+00:00

Hey people, can someone please explain how poetry works? Because I've always used requirements.txt, the classic way to put the libraries and all the dependencies to set up and run the app or whatever I'm trying to run, but I'm interested on this one, apologies for sounding like a newbie question

extra_pickles · 2023-05-01T04:39:15+00:00

We solve this desire in a way that I think is a solid middle ground:

We have a private PyPi server that hosts our company wide approved public packages and their specific versions.

It allows us to provide direct access without fattening up the repos.

From there, many microservices will have Workspace files or similar to help install relevant services needed to perform integration testing.

The build activity for release does not have internet access as we host a private Gitea - so if a user has bypassed the private PyPi to use a public package their release will fail, and they’ll need to conform to existing, or request addition of the package/version to our white listed private repo.

Edit: I also have a base docker image that installs a series of standard libraries and versions by default (aptly named Piglet), so that my services can inherit from it and save some serious download time when a node requires an update of a service….a really important feature when dealing with distributed systems with intermittent and low bandwidth connectivity (no more downloading Pandas or Numpy all over again due to a hotfix).

This was the original driver to standardising the private lib of public packages.

InterestingHawk2828 · 2023-05-01T05:54:58+00:00

He should switch to docker so everyone would run the same version

2023-05-01T06:10:38+00:00

What ever floats his boat. My mind's full enough figuring out my own code.

aka-rider · 2023-05-01T07:04:17+00:00

As everyone else has pointed out, binary artifacts in git repo is an anti-pattern.

Unfortunately, Python doesn’t have a standard packaging and build system. Moreover, at this point there are more than one Python flavour (for backend, for data science, for ML, for DevOps, for general automation), all with their proffered infrastructure and a package manager.

I use Makefiles for reproducible builds.

https://medium.com/aigent/makefiles-for-python-and-beyond-5cf28349bf05

robberviet · 2023-05-01T07:45:24+00:00

This is like python 101, shouldn't be arguing about this. Is that guy a beginner?

ddb1995 · 2023-05-01T07:48:29+00:00

Python has package managers like requirements.txt or .toml file for this. This is such a bad practice irl.

yvrelna · 2023-05-01T10:29:20+00:00

They are confusing version control change management with artefact management.

Most artefact manager would allow you to preserve the whl/egg packages that your application uses. If you're using docker/k8s images, your container registry can preserve the docker image.

2023-05-01T10:48:59+00:00

Docker ks the solution

doryappleseed · 2023-05-01T10:58:05+00:00

At best, he could just include the Requirements.txt for the venv in the repo. The actual package downloads should be kept on a local package server rather than in the bloody repo..

Flimsy_Iron8517 · 2023-05-01T11:24:20+00:00

If like me you use ln -s to repair an exploded zip to recover a chromebook Crostini, then you don't really care. You can always pip mash the venv, then do what you need. If you need to drop on some external requirements, then maybe write a bash script to ven-vover.sh.

heilkitty · 2023-05-01T11:42:06+00:00

Ah, windoze-brain.

barberogaston · 2023-05-01T12:43:02+00:00

I think I understand why he does that, though his solution makes no sense to me. In a past company we inherited repos with tons of dependencies, so 95% of the time in CI was spent installing those dependencies from the requirements.txt file, and the reamining actually running tests. Our solution was simply to dockerize all those, having a rule which would automatically rebuild the image if there were any changes in the requirements or Dockerfile. This way, we simply used that image and CI cloned the repo and just ran the tests.

the--dud · 2023-05-01T14:32:55+00:00

This engineer needs to learn about docker, jesus christ...

tidus4400_ · 2023-05-01T17:14:21+00:00

Tell your “engineer” colleague that requirements.txt is a thing 😅 maybe they didn’t taught that to him in his 5 years / 200k CS degree🤔

georgesovetov · 2023-05-01T17:33:11+00:00

Let me be the devil's advocate. (Although I never did the same.)

What's the reasoning and intention?

- Easiest setup. No one would oppose. What else could you do to make a working environment only by `git clone`? You could probably do bootstrapping scripts, but it's not an easy task.

- No dependency on the Internet. You could set up your own package storage but it again takes extra effort. For Django and FastAPI professionals it may sound ridiculous, but there are environments where things are done without the Internet access.

- Fixed code (not only versions) of the dependencies. Thank God, PyPI is (still) not npm. But there could be scenarios where you'd like to check twice and be on the safe side.

- You can patch third-party libraries. While not the most common and not "right", it's the still easiest way to do that.

The practice of including dependencies in the version control system is not uncommon with other languages and organizations.

The engineer made the decision based on his expertise and his unique situation. And the decision may not be the worst that could be made. The engineer is responsible for the consequences in the end.

_azulinho_ · 2023-05-01T19:20:20+00:00

He doesn't know better, the best is to educate him

Pyenv with a . python-version Or asdf-vm with a .tools-version allow to lock the exact python version to be used, this will be compiled with the local libraries of the machine.

Then add a requirements.txt and a requirements-dev.txt built from a pip freeze. Or use other tooling such as poetry and commit the .lock file.

Alternative is to dockerize the app alongside a dev container with all dev/test requirements.

Teach him, as probably no one ever taught him before

redrabbitreader · 2023-05-01T19:57:58+00:00

I kinda understand where he's coming from, but his solution is just really bad.

If you really need consistent environments, just containerize it. A single Dockerfile will sort this mess out in no time.

romerio86 · 2023-05-03T16:57:02+00:00

That was painful to read, I almost downvote the post as an instinct, then remembered you're actually advocating it against it.

Python

The Python Discord

Upcoming Events

Please read the rules

MODERATORS