John Snow <js...@redhat.com> writes:

> On Wed, Mar 26, 2025 at 2:08 AM Markus Armbruster <arm...@redhat.com> wrote:
>
>> John Snow <js...@redhat.com> writes:
>>
>> > A few transitive dependencies were left floating; as a result, pip's
>> > dependency solver can pull in newer dependencies, which we don't
>> > want. Pin them down.
>> >
>> > Signed-off-by: John Snow <js...@redhat.com>
>>
>> What problem exactly does this fix? Make target check-minreqs?
>>
>
> I'm not sure it's a "problem" as such, but an inconsistency. Yes, it's with
> check-minreqs -- without this patch, pip is free to choose newer versions
> of these dependencies as appropriate. Though unlikely at this point, in
> theory, new dependency updates could be selected by pip and invalidate the
> concept of an entirely fixed/pinned virtual environment.
>
> That these transitive dependencies were not frozen initially was an
> oversight.
>
> check-minreqs is supposed to build the exact same venv every time without
> fail. Without this change, it's *possible* that it might do something
> different on release day if someone releases a new package. No good,
> probably.

I see. You've been spoiling me with really nice commit messages... If you'd like to push this one to that level, I'd suggest to start with a short paragraph explaining why we pin versions for check-minreq, then state the issue being fixed: we missed some pins. [...]
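
The gap discussed in this thread (transitive dependencies that end up in the venv without an exact pin) can be checked mechanically. The following is an added example, not part of the original messages and not the project's own code; the package names, versions and function names are constructed, and the parser assumes plain `name==version` style lines without extras or URL requirements.

```python
import re

# Constructed sample: a requirements file meant to describe a fully pinned venv.
REQUIREMENTS = """\
alpha-tool==1.2.0
beta_lib == 0.9.1     # exact pin, spacing and name style vary
gamma>=2.0            # range specifier: the solver may pick a newer release
"""

# Constructed sample: what the venv actually contains (name -> version),
# e.g. collected from `pip freeze` after the install.
RESOLVED = {"alpha-tool": "1.2.0", "Beta.Lib": "0.9.1", "gamma": "2.4.0", "delta": "3.1.0"}

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.!+]+)$")
NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")

def canon(name):
    """PEP 503 normalization, so 'Beta.Lib' and 'beta_lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text):
    """Return ({name: exact_version}, {names listed without an exact pin})."""
    pins, floating = {}, set()
    for raw in text.splitlines():
        # Drop comments and environment markers; skip blank and option lines.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        exact = PIN.match(line)
        if exact:  # '==1.*' does not match: a wildcard is not a pin
            pins[canon(exact.group(1))] = exact.group(2)
        elif NAME.match(line):
            floating.add(canon(NAME.match(line).group(0)))
    return pins, floating

def audit(requirements, resolved):
    """Compare the pinned file against what was actually installed."""
    pins, floating = parse_pins(requirements)
    installed = {canon(n): v for n, v in resolved.items()}
    return {
        # listed, but with a specifier that lets the version move
        "floating": sorted(floating),
        # installed transitively, never mentioned in the file at all
        "unlisted": sorted(n for n in installed if n not in pins and n not in floating),
        # pinned, but the venv holds a different version
        "drifted": sorted(n for n, v in pins.items() if installed.get(n, v) != v),
    }

if __name__ == "__main__":
    for kind, names in audit(REQUIREMENTS, RESOLVED).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

An empty result in all three categories means the file fully determines the venv; anything in `unlisted` is a transitive dependency the solver was free to choose.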