#5376 [6.0 release blocker]: Remove the need for max version pins in dependencies
Opened a year ago by ngompa. Modified 3 months ago

We currently have maximum version pins in our Python dependencies, which causes serious problems for releasing to distributions and further maintenance.

build(requirements): pin python package versions
https://pagure.io/pagure/c/c9376756f7097d66f5ea6b06a95ab00d80298b63

These pins basically break shipping on Fedora 37+ and openSUSE Tumbleweed.

build(requirements): pin 'itsdangerous' to < 2.1
https://pagure.io/pagure/c/7d6573a31c17bff662f618f923dd0eb6e5c9b385

The pin for itsdangerous basically means we can't ship Pagure in Fedora 38+ or openSUSE Tumbleweed.


Why were these maximum pins added? Specifying a range of dependency versions or a minimum version when you for sure know that other versions won't work and/or creating separate lockfiles for use in CI that are automatically updated is one thing, but I don't understand this approach.

Besides the reasons that Neal mentioned, maximum version pins pose a security risk. Case in point, cryptography is pinned to <= 36.0.0, but that version is vulnerable to CVEs.

Why were these maximum pins added?

As an interim solution as part of getting the unit tests working again, see https://pagure.io/pagure/pull-request/5365

Besides the reasons that Neal mentioned, maximum version pins pose a security risk. Case in point, cryptography is pinned to <= 36.0.0, but that version is vulnerable to CVEs.

We hit a catch-22: new PRs were not merged because the unit tests were always failing, and no one could really tell if it was because of an issue that came from higher Python package versions or the actual change within the PR.

So I pushed for upper limits to get the unit tests running again after investing a few weeks into it. Working unit tests have since allowed us to merge new PRs, which is for now more valuable and required to work on further improvements and to get rid of tech debt.

It requires a second, or even third or fourth, iteration to remove the max pins and move to requiring no specific versions or minimum versions only.

Metadata Update from @wombelix:
- Issue assigned to wombelix

3 months ago

A lot removed with https://pagure.io/pagure/pull-request/5463 already. I'll work on more version pin removals.
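
An added example, not part of the thread or of Pagure's code: one way to audit a requirements file for the remaining upper-bound pins discussed above. The sample file is constructed; only the `cryptography` and `itsdangerous` caps are taken from the thread, and the other package names are hypothetical.

```python
import re

# Constructed sample input. Only the cryptography and itsdangerous caps
# appear in the thread; every other entry is a hypothetical package.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
cryptography <= 36.0.0
itsdangerous < 2.1
example-lib >= 1.2, < 3.0
another-lib >= 4.0
pinned-lib == 1.0.3
compat-lib ~= 2.4
unbounded-lib
-r other-requirements.txt
"""

# PEP 440 operators that put a ceiling on the installable version.
CAPPING_OPS = {"<", "<=", "==", "===", "~="}

REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")
SPEC_RE = re.compile(r"(===|~=|==|!=|<=|>=|<|>)\s*([^\s,;]+)")


def find_upper_bounds(text):
    """Return (line_no, package, [capping specifiers]) for each capped requirement."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options (-r, -e, ...)
            continue
        line = line.split(";", 1)[0]          # drop environment markers
        match = REQ_RE.match(line)
        if not match:
            continue
        name, _extras, spec_part = match.groups()
        caps = [op + ver for op, ver in SPEC_RE.findall(spec_part)
                if op in CAPPING_OPS]
        if caps:
            findings.append((line_no, name, caps))
    return findings


if __name__ == "__main__":
    for line_no, name, caps in find_upper_bounds(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {name} capped by {', '.join(caps)}")
```

Run in CI against the real requirements files, a non-empty result can fail the job or open a tracking ticket, so caps that block security updates stay visible instead of silent.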
