#5441 requirements.txt calls for very outdated pygit2 version
Closed: Fixed 5 months ago by wombelix. Opened 8 months ago by ferdnyc.

See also #5306.

The current requirements.txt restricts the pygit2 package version:

pygit2 >= 0.26.0, <=1.8.0

There are several problems with this:

  1. It is a very out-of-date pygit2 version, as the current release is 1.13.3
  2. pygit2-1.8.0 depends on libgit2-1.3, which is extremely old and lacks many security fixes
  3. There is no downloadable Python 3.12 Linux wheel for pygit2==1.8.0, so it must be built from source
  4. Building from source requires a compatible libgit2-devel, and since Fedora 39 only provides libgit2-1.7.1, pygit2-1.8.0 can't be compiled from source on Fedora 39.

It seems, from the documentation (again, see #5306) that there might be an assumption that pygit2 and libgit2 use the same versioning — IOW, the intention might be to restrict pygit2 to a version based on libgit2-1.8 or earlier.

If so, that's not done correctly, as the pygit2 versions that use libgit2-1.7.1 are currently pygit2==1.13.0 through pygit2==1.13.3.


It looks like commit c937675 created this mess:

commit c9376756
Author: Dominik Wombacher <dominik@wombacher.cc>
Date:   2023-01-18 17:57:28 +0100

    build(requirements): pin python package versions

    Package version pinning in all requirements files introduced.
    Necessary for a stable and reproducible testing environment.
    Also to provide clear guidance about tested package versions.
    Maximum package versions defined based on common ground between:
    rpm - F34, F36, CentOS8 Stream, pip - F34, F36 and FreeBSD 13.1.

Unfortunately, done in such a heavy-handed manner, pinning versions (especially major versions) is a terrible idea fraught with problems. Chief among them: the assumption that the same older package versions can be used with any newer Python version. pygit2 handily proves why that's not the case. You'd need to pin a separate version of pygit2 for each supported Python version, for this to actually work.

(Besides, as the pip documentation explains, true repeatable installs require full == pinning, not <= pinning.)

> there might be an assumption that pygit2 and libgit2 use the same versioning — IOW, the intention might be to restrict pygit2 to a version based on libgit2-1.8 or earlier.
>
> If so, that's not done correctly, as the pygit2 versions that use libgit2-1.7.1 are currently pygit2==1.13.0 through pygit2==1.13.3.

(Based on the above commit, I was wrong about this. Though, #5306 shows that the documentation still makes that assumption.)

This is essentially part of #5376.

Metadata Update from @ngompa:
- Issue set to the milestone: 6.0
- Issue tagged with: debt

8 months ago

Metadata Update from @wombelix:
- Issue assigned to wombelix

5 months ago

This issue will be fixed with https://pagure.io/pagure/pull-request/5463, to be reviewed and merged soon.

Metadata Update from @wombelix:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 months ago

Metadata
Related Pull Requests
  • #5442 Closed 5 months ago