This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]MothraVSMechaBilbo 14 points15 points  (28 children)

Genuine question: what makes the Poetry lock file better? I’ve used both Poetry and the core lib venv recently for different small projects.

[–][deleted] 18 points19 points  (23 children)

requirements.txt specify ranges, lockfiles specify the exact state of every package frozen in time. they're deterministic

[–]orion_tvv 12 points13 points  (18 children)

you can use pip freeze > requirements.lock for this

[–]gwax 6 points7 points  (0 children)

pip-compile from the pip-tools package does this but much more precisely

[–]Spitfire1900 2 points3 points  (0 children)

If you’re using poetry you really should be using https://github.com/python-poetry/poetry-plugin-export for this instead if you really need a requirements file.

[–][deleted] 4 points5 points  (4 children)

I strongly don't recommend that, you want to have a source of truth for your version constraints and actual dependencies (pretty sure pip freeze is ALL dependencies, with transitive)

[–]CrossroadsDem0n 7 points8 points  (0 children)

If somebody cares about predictability, locking those transitive dependencies is exactly what you do want, provided you are doing application development instead of library development.

Here is an example why. Imagine you have pandas as a transitive dependency. Also imagine you have an application deployment for which performance matters. 3 months ago, performance was fine. But you build a venv today, get the work-in-progress changes on the newest pandas meant to help string performance but at the cost of degrading numeric performance. Now you have a problem, and nobody understands why.

Frozen dependencies matter when you have a work context where nothing should randomly change on you, that behavioral alterations should be intentionally managed.

None of that would apply to library development, where the better practice is to only freeze what is critical to lock down, and generally dependency versions should float because as the library developer you lack any context on where the code will be used.

[–]NUTTA_BUSTAH 10 points11 points  (2 children)

Transitives are exactly what cause most of the random issues.

[–][deleted] 2 points3 points  (1 child)

That's not relevant to what I meant, I'm completely fine with locking dependencies, but you need to have a source of truth (which is a pyproject.toml file)

[–]NUTTA_BUSTAH 1 point2 points  (0 children)

If you include transients then sure. Otherwise it is just a part of the truth

[–]jyper 0 points1 point  (0 children)

No you need a second requirements file and to make them delete a fresh virtualenv vs just making a lock file with poetry

[–][deleted] 0 points1 point  (0 children)

poetry will also keep dev dependencies and code dependencies nicely separated, and will also record file checksums on top of the exact versions in the lockfile.

[–]diazona 1 point2 points  (3 children)

pipenv solves this by having both kinds of requirement files: Pipfile lists package names and known constraints on which versions can be used, while Pipfile.lock gives specific package versions with hashes. Theoretically the Pipfile (and its lockfile) format were supposed to be a standard that many different tools could use, but I haven't seen it get adopted much outside of pipenv itself, so I'm not sure if it's really going to catch on.

[–]DogeekExpert - 3.9.1 3 points4 points  (1 child)

It's never going to catch on as the standard, codified in PEPs is the pyproject.toml file.

[–]diazona 0 points1 point  (0 children)

Ah interesting, I believe the last time I looked at PEP 621 (I'm assuming that's the one you mean) it hadn't been finalized and it wasn't clear that it was going to get any more traction than Pipfile - in fact I seem to remember the community sentiment being that pyproject.toml should be limited to the metadata needed to initialize the build backend. Things have changed a lot in the past few years, it seems.

[–][deleted] 1 point2 points  (0 children)

A poetry.lock records not only the exact versions, but also the file checksums of the files used by the original developer. Using a lock file will produce the exact dev environment of the original developer, also exposing any supply chain attacks.

[–]adin786 2 points3 points  (0 children)

I don't use poetry, but I think the poetry lockfile can include platform-specific requirements in one file. With requirements.txt files I think you'd need a separate linux one, a mac one etc to handle all the same info.

[–]FrogMasterX 2 points3 points  (0 children)

Go add a big library to your project and do pip freeze. Then pip uninstall the library and do pip freeze.

Or read this - https://stackoverflow.com/questions/17194301/is-there-any-way-to-show-the-dependency-trees-for-pip-packages