Will Kahn-Greene [:willkg] ET needinfo? me Reporter
	Description • 7 years ago

Pip 7.1+ supports a constraints file which allows you to constrain which versions of dependencies are allowed to be installed. We can use this in conjunction with our requirements file such that we put first-order dependencies in the requirements file and all the things they depend on in the constraints file.

Then deploys install only the things we need (first-order dependencies and the specific set of things they need) without us having to spend a lot of time maintaining the files.

https://pip.pypa.io/en/stable/user_guide/#constraints-files

This bug covers switching to requirements.txt + constraints.txt.

	Will Kahn-Greene [:willkg] ET needinfo? me Reporter
	Comment 1 • 7 years ago

It's very likely this will affect deploys. However, I'm pretty sure the RPM building code is in the Socorro repo, so it's possible all the changes we need to make will be in the socorro repo.

	Will Kahn-Greene [:willkg] ET needinfo? me Reporter
	Comment 2 • 7 years ago

Mike mentioned this earlier today. I'm going to assign this to him for now and let him pass it off to someone else as he so desires.

	[github robot]
	Comment 4 • 7 years ago

Commits pushed to master at https://github.com/mozilla-services/socorro

https://github.com/mozilla-services/socorro/commit/a0c807c8cbb2040b29bc929848b64e453165427b
Fix bug 1407449: Use a constraints file for our Python requirements.

This splits the requirements.txt file into two:

- requirements/default.txt, which contains direct dependencies that are used by
  Socorro.
- requirements/constraints.txt, which contains dependencies of the direct
  dependencies, and the hashes that we accept for them.

bootstrap.sh was updated to use this new format for the existing infrastructure,
and Dockerfile was updated for the new infrastructure.

The following dependencies were removed because they were either not used, or
were dependencies of another dependency that was not used:

- argparse
- BeautifulSoup
- certifi
- cffi
- cryptograph
- futures
- google
- gunicorn
- honcho
  - A Procfile existed in the repo root to be used by honcho, but it is
    out-of-date (it refers to the old middleware) and was also removed.
- idna
- ipaddress
- mercurial
- ndg
- Paste
- path
- pgxnclient
  - This was only used by scripts/json-enhancements.sh, which is not used
    anymore and was also removed, along with its entry in Makefile.
- pycparser
- pyOpenSSL
- sqlalchemy
- toposort
- uritemplate
- wsgiref

The following dependencies were moved to requirements/constraints.txt as they
are not direct dependencies:

- configobj
- configparser
- cssselect
- decorator
- django-jsonfield
- enum34
- httplib2
- Mako
- MarkupSafe
- mccabe
- py
- pyasn1
- pyasn1-modules
- pycodestyle
- pyflakes
- python-editor
- rsa
- sasl
- simplejson
- six
- thrift
- urllib3

https://github.com/mozilla-services/socorro/commit/38cf1d99efc3a2d8848b50ba2225bfa050e8f0e8
Merge pull request #4062 from Osmose/constraints

Fix bug 1407449: Use a constraints file for our Python requirements.