why I will never use python-poetry

Captions
Hello and welcome to another video. This one has been requested many times: "Anthony, why not choose poetry?" Today I'm going to go over the technical reasons why I don't use poetry, but also a brand new trust issue with poetry that I will go into detail on at the end. But anyway, let's jump into it.

Okay, so my old reasons for not using poetry were basically summed up in two main things. The first is it's not really necessary, and the second is that it makes some incorrect, well, I don't want to say incorrect, it makes some inconvenient defaults for versioning. Let me just show you kind of a getting started with poetry and I'll point out some of the problems that I've run into along the way. And note that last time I did this, I also ran into essentially three bugs in the first five minutes of me trying to use poetry, which steered me away from it pretty severely as well. Now two of the three have been addressed, so I don't know, maybe that's not a valid criticism. But anyway, let's get started.

We're going to make a virtualenv and we're going to pip install poetry, and this will actually point out the first issue that I have with poetry, and that is it's pretty complicated. It pulls in quite a lot of dependencies to do what it needs to do. You know, pip freeze: it essentially needs 50 dependencies to do what it needs to. But okay, maybe, you know, some of the things have other dependencies, and that's understandable. 50 dependencies isn't necessarily a problem, but it can quickly become one. But that's again not the actual criticism here.

The first is the decision with versioning in poetry. I'm going to run poetry init and just set up a very basic package. I'm just going to let it use all the defaults and not really mess with it. And we're also going to do poetry add a package, so we're going to add a dependency to our library, and it will install it and add it. I'm sure that's all fine and dandy. The problem that I have is its defaults for how it manages dependencies. If you're not familiar with the caret here on the versioning, this is essentially shorthand for greater than or equal to 3.8 and less than four. The same is true for cfgv here as well. I believe this one is greater than or equal to 3.3.0 and less than 3.4.0; it might also be the major version. Either way, what this implicitly does is it adds less-than qualifiers to all of your dependencies, and that's the default behavior. And the problem I have with this is, if you're working with libraries and you install a bunch of different libraries, you're going to run into conflicts over and over and over. One example of this that has really frustrated me in the past is the requests library, which very carefully selects its dependencies more like an application and less like a library, even though requests probably fits into the library category much more than it does the application one. And this means, like, whenever urllib3 or any of those other libraries bump, you have to manage a whole bunch of conflicts between all of your libraries that you may have. And so I think this caret versioning, it kind of makes sense for applications. I don't even think it makes sense for applications, but it frustrates me a lot. I think it's a really poor choice of defaults. That's kind of the biggest technical reason.

The other is I just think it's not really necessary. pip has a dependency resolver now, so if we virtualenv venv, you know, if we have our very simple requirements.in with our dependencies in it. I usually like to only use greater than or equal to, or not even bother and just allow it to go to the latest. So let's say we had, you know, cfgv, pre-commit, pytest, added some dependencies in here. We can pip install requirements.in, pip will now manage all the conflicts, oh, -r, pip will manage all of our conflicts for us. We can pretty easily do pip freeze --all to give us our requirements.txt, and then when we need to install things we can install from this frozen requirements file with all the dependencies we need. And there's also tools that automate this. My favorite one of these is pip-tools, which does this process kind of magically for you. Poetry also does something similar to this with its poetry.lock, but I think, you know, just using pip is way simpler than pulling in 50 things to do essentially the same thing.

But anyway, that's not what today's video is about. Today is about how the maintainers of poetry have done some pretty severe damage to trust via a deprecation approach. I say deprecation in the loosest form of terms because it wasn't really a deprecation, it was more of a breaking change without any sort of notice. And we're going to jump into that and kind of describe what happened here and why to me it is so eroding of trust. So the basis of this, and it has been reverted, so there's been some, you know, outcry and, you know, fixes of this, but I think that it was proposed and approved and merged and released by two of the core devs of poetry kind of concerns me a lot.

But anyway, let me describe to you what this quote-unquote deprecation was, for get-poetry.py. If you're not familiar with get-poetry.py, it's kind of a way to bootstrap poetry, and the maintainers have been trying to get rid of it. Understandably, it's probably not the best way to bootstrap into something. You know, you might want something like a zipapp or some other distributable piece of software rather than a curl-python-script, run-python-script-as-root sort of thing. But the intention was to start discouraging the use of this get-poetry.py script in version 1.2.0. Specifically 1.2 alpha 1 was, I believe, the first time that this was truly deprecated, and the way that this was approached was, if it detected your script was running in CI, which, many CI providers export this environment variable to indicate that they're in CI, what it would do is it would print this warning, which is great. That's what you should do for a deprecation, you should print the warning. But it would also five percent of the time error, which, you should either always error or always not error. A five percent, just, you know, adding flakiness to a system intentionally, especially in a CI system, is kind of a recipe for disaster. But the other part about this is, if you weren't in CI, it would just outright fail. You could of course work around it with an environment variable, but it would always fail, essentially giving users zero migration time between a thing that worked and a thing that's deprecated and now failing.

Now usually the approach to deprecation that I prefer is, you know, it's working, then the next thing you do is you add a message that indicates that it will change in the future. You allow some bake period for people to recognize the message and change based off of it, in a released version. Yes, yes, they added this to an alpha release, and I don't think many people actually adopted the alpha release. But after that period of time has elapsed, then you can remove the original functionality or, you know, make a breaking change. Of course the exception here is security-related things, and, you know, security-related things kind of break the mold of all sorts of semantic versioning and deprecation periods and all that other stuff. But going from immediately passing to immediately failing, to me, is not acceptable, and having a random number generator for whether it's going to succeed in CI is certainly a decision. But I don't know, I'll let you make your own decisions, but I'm definitely not going to use poetry because of this. But, you know, my workflow with pip and pip-tools works fine for me, and, you know, you can also get hashes out of pip-tools as well, so if you want that part of it, a little bit more, you know, sanity in that respect, that's another approach there.

Hopefully you found this interesting. If there are additional things you'd like me to explain, leave a comment below or reach out to me on the various platforms. But thank you all for watching and I will see you in the next one.
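
The caret default discussed in the captions, as an added example (not from the video and not Poetry's own code): it expands caret constraints into explicit ranges following Poetry's documented caret rule, then shows how the implied upper bounds from two libraries on a shared dependency can leave no installable version while `>=` floors still resolve. The names `lib_a` and `lib_b` and their version numbers are constructed for illustration.

```python
# Added illustration; version handling is simplified to dotted integers.

def parse(version):
    """'3.8' -> (3, 8, 0): dotted integers padded to three components."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_range(spec):
    """Expand '^X[.Y[.Z]]' to (lower, upper): bump the leftmost non-zero
    component that was written, or the last written one if all are zero."""
    written = spec[1:].split(".")
    lower = parse(spec[1:])
    idx = next((i for i, p in enumerate(written) if int(p) != 0), len(written) - 1)
    upper = lower[:idx] + (lower[idx] + 1,) + (0,) * (2 - idx)
    return lower, upper

def to_range(spec):
    """Supports only the two styles compared in the captions: '^' and '>='."""
    if spec.startswith("^"):
        return caret_range(spec)
    if spec.startswith(">="):
        return parse(spec[2:]), None  # None = no upper bound
    raise ValueError(f"unsupported constraint: {spec}")

def intersect(specs):
    """Return the (lower, upper) window satisfying every spec, or None if empty."""
    lo, hi = (0, 0, 0), None
    for spec in specs:
        low, high = to_range(spec)
        lo = max(lo, low)
        if high is not None:
            hi = high if hi is None else min(hi, high)
    return None if hi is not None and lo >= hi else (lo, hi)

# Constructed scenario: two libraries both depend on the same third package.
CARET_STYLE = {"lib_a": "^1.26", "lib_b": "^2.0"}     # implicit < caps
FLOOR_STYLE = {"lib_a": ">=1.26", "lib_b": ">=2.0"}   # lower bounds only

if __name__ == "__main__":
    for spec in ("^3.8", "^3.3.0", "^0.2.3", "^0.0.3"):
        print(spec, "->", caret_range(spec))
    print("caret:", intersect(CARET_STYLE.values()))
    print("floor:", intersect(FLOOR_STYLE.values()))
```
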
Info
Channel: anthonywritescode
Views: 55,795
Id: Gr9o8MW_pb0
Length: 9min 8sec (548 seconds)
Published: Fri Sep 30 2022