https://caremad.io/2013/07/setup-vs-requirement/
Also, unfortunately pip's parser for requirements.txt isn't public, like much of its internals at the moment, which means AIUI it's likely that the parsing code here is going to be brittle if it uses it, or miss edge cases if it doesn't. (I haven't read this carefully yet though).
During development and integration testing, I want to get the latest version of my dependencies that I should be compatible with, so I use SemVer matching (somepackage~=1.2.3) in setup.py.
For deployment, I want to use the exact dependency packages that the code was tested against. So after automated testing is complete, it runs "pip wheel" to build wheels of my package and all its dependencies and put them into a directory, then that is the artefact I use to recreate the package in production. Much more reliable than requirement.txt, since it doesn't assume that PyPI or internet access is available, and it doesn't care if upstream authors silently update packages without changing the version number.
The last scenario is unit-testing, because sometimes tests have extra dependencies the rest of the code doesn't share, like a mock library or other test helper. In theory, these extra things could be put in setup.py's "tests_require" option, but then they'd only be installed if you run tests with "python setup.py test", and they'd also be installed with "easy_install", which is terrible. I'm thinking maybe I should use setuptools' "feature" syntax, so you only get the test dependencies if you install with the [test] feature.
You write a requirements.in text file where you list libraries by just their name, and then run "pip-compile requirements.in" and it will output a requirements.txt.
It also has a function called "pip-sync" which will then install/update everything in the requirements.txt file.
> Also, unfortunately pip's parser for requirements.txt isn't public
I am not sure what you mean by "isn't public." The API is "private" or the parser is proprietary? or the API is not isolated to its own (like Ansible's command line parser is stuck inside a giant function). If the second I would be super surprise.
But I am with the repo author. I think we just need one format, one way to do things. The implementation however, needs to be discussed as the example code is pretty redundant in the effort, would be much nicer if we can just provide the path in setup.py and pip reads off setup.py and consume requirements.txt. For god sake this is dependency declaration, ain't package management.
There is an ongoing effort to extract all its logic into separated packages [1], thought.
Honestly, I wish you'd picked a different tag-line though (riffing on `requests` no doubt). Unlike `requests`, your solution only works for a subset of deployment situations, because - as already pointed out - `setup.py` and `requirements.txt` are for different things.
One of the best examples for this I've seen is to use both to deploy to a server with no internet connectivity. For development the dependencies are installed from `setup.py`. Then, before deploying, all dependencies are downloaded via `pip download`. Put the dependencies on the server, finally, use `requirements.txt` with `--no-index` and `--find-links` to install. Definitely an interesting setup, but needs must. Unfortunately, your solution doesn't support `--no-index`, `--find-links` and a few others.
You may want to have a look at tools like `pbr` (Python Build Reasonableness) [1], which has an interesting way of dealing with some hard problems. It also shows how to use `setup_requires` so you don't have to have `requirements.py` hanging around in your repo.
For example, Python's lack of support for nested dependencies means that it can be extremely difficult to use small "utility" libraries like six as subdependencies without running into potential problems from conflicting version requirements from other dependencies.
Additionally, Python's management of different types of dependencies is very weak, specifically with regard to setup.py and requirements.txt. npm has (among other things) very nice explicit concepts of development dependencies and regular dependencies, in addition to application shrink-wraps, which gives library maintainers very easy ways to split out different kinds of dependencies, or lock down all dependencies and subdependencies, using the same set of tools.
While I can say that the current version of pip, especially in conjunction with pip-tools, is significantly better than earlier iterations of Python packaging, I strongly hold that Python packaging is substantially worse than at least one other prominent example.
And don't get me started on eggs. I guess the nice thing about Python is that the packaging genuinely seems to be improving year-to-year, although still limited by design decisions and backwards compatibility.
Anyway, thanks for this; I've had a pretty informative morning searching for "npm vs pip". I'm not a Javascript dev, and when I've tried to use it I've struggled with the sheer bloat, even e.g. npm vs bower. Even though I'm a bit jealous of npm now, I'll take pip over package management in the usual enterprise juggernauts (C, C#, Perl or Java) any day!
`requirements.py` doesn't stand to be "the" universal solution to Python dependency problem. It's more like a sugar syntax for "simple" setups.
But more seriously, good idea in thinking that things should already be this way. The dual maintainance of the dependency list between setup.py and requirements.txt unfortunately leads to a lot of packages being left out of one or the other, or a package that works great from source that has a broken setup.py (which usually applies to everything I do).
A setup.py command for installing deps from setup.py would, to me, seem a bit more logical - but things already exist the way they do.
In the end though, it's a bit weird to deviate from the standard norms of package installation, at least in Python circles, which may introduce some confusion -- contrast this with Javascript circles that replace "the one true way" about every 3 months :)
I know this isn't perfect for now, `requirements` could evolve!
Who's the copyright holder? How can I contact that person? What's the copyright year? Licensing software with MIT licence is trivial: http://choosealicense.com/licenses/mit/
Depending on the project, if I really care about the legal status of the code I use, I may contact the author to clarify this kind of thing, but sometimes it is too much hassle. Just look at it as a critical bug in your software, and fix it.
On a more personal note I started to dislike the "* for humans", it's been overused.
