[Rainymood]

Did you ever try poetry[1]?

It is a great tool that I use in all my projects. It effectively solves dependency management for me in a very easy to use way.

Dependency management using requirements.txt used to give me such a headache, now I just have a pyproject.toml that I know works.

    [tool.poetry.dependencies]
    python = ">=3.8,<3.9"
    pandas = "^1.4.3"

This basically means: Use the version of python between 3.8 and 3.9 and use any version higher than 1.4.3 for pandas.

What I like about poetry is that it makes sure that the whole dependency graph of the packages that you add is correct. If it can not solve the graph, then it fails fast and it fails hard, which is a good thing.

This is probably a very bad explainer of what poetry does, but be sure to check it out! :)

[1] https://python-poetry.org/

[ak217]

Poetry has a major issue with its lockfiles when working with active projects. It generates a top level dependency listing checksum, which causes any two PRs/branches that independently update the top level requirements to conflict with each other.

The related issue, https://github.com/python-poetry/poetry/issues/496, has been open for 4 years with no movement.

The other issue with Poetry is that it uses its own pyproject.toml dependency listing format instead of the one standardized in the relevant PEP (https://peps.python.org/pep-0621/). This is understandable for historical reasons (Poetry was first written before this was standardized), but Poetry should have been updated to support the standard format.

A relatively minor issue, but the poetry shell command is also a footgun. It's presented as a way to configure your shell to activate the virtualenv for the project. In reality it's a very slow, barely functional terminal emulator running on top of your terminal, which will cause problems for any programs that assume a working terminal or talk to the tty directly.

[wyuenho]

https://twitter.com/SDisPater/status/1521932867214921728

poetry shell is also not a term emulator, it's just a subshell with some environment variables setup for your project. Once you are in, it's just a regular shell. If anything is slow, it's where you add or remove a dependency, but it's probably faster than you editing requirements.txt, clearing out your virtualenv and then reinstalling everything again.

[ak217]

https://github.com/python-poetry/poetry/blob/master/src/poet...

The process spawned by `poetry shell` is a terminal emulator driven by the pexpect and cleo packages. It hijacks and proxies the user's keystrokes before sending them to the underlying terminal.

[wyuenho]

Cleo creates "subcommands" in a git like manner, whereas pexpect spawns a subshell. That cleo Terminal class you see is only a viewport.

A terminal emulator will be something substantially more complex such as libvterm. If it ain't handling terminfo, it ain't a terminal emulator.

https://launchpad.net/libvterm

[ak217]

That is the point I was making. It's not a proper terminal emulator, instead it's a half-assed one. If it gets between the user's keystrokes and the host shell, it should be a proper emulator. Otherwise it should set up the environment and get out of the way.

[wyuenho]

Poetry is good, I'll hit a bug in poetry from time to time but it's improving quickly.

Direnv is better, direnv layout will automatically create a hidden virtualenv directory on your work tree and sets up your path when you cd into it. The only downside is it doesn't seem to work on Windows.

[athorax]

I don't see the link between poetry and direnv? Poetry is about solving python's dependency issues, direnv doesn't seem to have anything to do with that

[wyuenho]

Set up direnv, and then:

  cd /your/project && echo "layout python" > .envrc && direnv allow

Give it a go then tell me what the point is for any of these poetry/pipenv/hatch/flit/pdm/pyflow thingy if neither you or your teammates work on Windows.

[Tainnor]

That will only take care of setting up and loading the correct virtualenv. Which you may prefer to "poetry shell" or "poetry run", since it's more automatic, but that's not the main reason for using poetry.

The main reason to use poetry is sane dependency management the way it exists for most other ecosystems (bundler, cargo, npm, maven, gradle, ...). In particular, that includes lockfiles.

[wyuenho]

Use direnv to take care of the virtualenv part of functionality poetry offers, use pip-tools to deal with the dependency management/reproducible build part. Or if you like, straight up pip freeze.

Use pyenv to install all the different python versions you need.

Ideally, all of these functionality should bundled in one tool, but the only thing that's available is pyflow, which don't stop blowing up with an exception for me.

[Tainnor]

Then you're not recommending direnv as a poetry replacement, you're recommending direnv + pip-tools + pyenv. That's a different matter.

[skrtskrt]

Yeah im a huge poetry fan for dep management but i never use “shell” or any of its virtualenv management features

[barefeg]

When your project depends on a module version and that module depends on another one (sub dependency), it’s very common that re-installing the same module version in a new environment will cause something to break because the sub dependency was updated. This is not something that direnv solves therefore those other tools are still needed.

[wyuenho]

pip freeze > requirements.txt

[barefeg]

Then you lose track of which are actual dependencies and which are sub dependencies

[plonk]

Isn't that the same as adding version constraints to setuptools' setup.cfg? [1] pip will use these in its dependency resolver.

You can also constrain the Python version in there if you want.

[1] https://setuptools.pypa.io/en/latest/userguide/quickstart.ht...

[zelphirkalt]

Maybe it is the same, but the idea is to take that selected version of the dependency and store a hash checksum for it, so that one can later get the exact same dependencies. Poetry only does not source setup.cfg, but its tool-specific config file. This way it stays out of the way of any other tool.

[orzig]

pip-tools can hash as well: https://pip-tools.readthedocs.io/en/latest/#using-hashes

Using a tool specific config file seems like a design choice with upsides and downsides, which I respect

[westurner]

A Pipfile can store hashes for multiple versions of a package built for multiple architectures; whereas requirements.txt can only store the hash of one version of the package on one platform.

Can a requirements.txt or a Pipfile store cryptographically-signed hashes for each dependency? Which tool would check that not PyPI-upload but package-builder-signing keys validate?

FWIU, nobody ever added GPG .asc signature support to Pip? What keys would it trust for which package? Should twine download after upload and check the publisher and PyPI-upload signatures?

[zelphirkalt]

Are cryptographically-signed hashes really necessary in this case (why?)? What would be the secret, which is used for signing?

[westurner]

If the hashes are retrieved over the same channel as the package (i.e. HTTPS), and that channel is unfortunately compromised, why wouldn't a MITM tool change those software package artifact hash checksums too?

Only if the key used to sign the package / package manifest with per-file hashes is or was retrieved over a different channel (i.e. WKD, HKP (HTTPS w/w/o Certificate Pinning (*))), and the key is trusted to sign for that package, then install the software package artifact and assign file permissions and extended filesystem attributes.

[crucialfelix]

Hatch is also interesting and very similar to Poetry.

https://hatch.pypa.io/latest/

In comparison to poetry I think it includes more advanced multi-environment and multi-python-version support and a tox-like testing matrix. It probably gets a little too complex there.

It also works with pyproject.toml

If anyone else has experience with Hatch vs Poetry please share!

[wyuenho]

You can't lock your dependencies with Hatch.

https://hatch.pypa.io/latest/meta/faq/#libraries-vs-applicat...

[Doxin]

> What I like about poetry is that it makes sure that the whole dependency graph of the packages that you add is correct.

As does pip these days.

[frafra]

I tried, thanks! :) And I also suggest to evaluate PDM https://pdm.fming.dev/

[IanCal]

I've been using PDM recently and although there have been a few issues I really like just cd'ing into a directory, running "python" and the correct set of packages being available.

[wyuenho]

Take a look at this:

https://direnv.net/man/direnv-stdlib.1.html#codelayout-pytho...

[datatrashfire]

My least favorite part about poetry is how slow it is.

[Tainnor]

I seem to remember that some part of poetry's slowness is due to how the python index works and is therefore a problem shared by all such tools.

That said, I've used both pipenv and poetry, and I had projects where pipenv would simply time out when trying to resolve packages. I haven't seen the same behaviour with poetry (indeed, that was the reason I migrated one project from pipenv to poetry after I just had to give up with the former).