Problem
This particular module (python-apt) is only available on PyPi with version 0.7.8. However, this release appears to have been a mistake!
One of the developers & Debian package maintainers for python-apt has stated the following:
Aargh, not this whole PyPI thing again. Nobody ever officially
uploaded python-apt there. It is tightly coupled with APT, and
not supposed to be distributed in any fashion other than via
Debian packages.
There is no, and has never been any support for PyPi. And I can
say that I have absolutely no interest in duplicating work there.
Source: Debian "Deity" Mailing List 2016-11-22 msg#00094
You can install python-apt from apt, we do not provide python-apt on pip. I recently got control over the pypi entry and need to do something with it. I'm not keen on providing python-apt outside of the distro, though (python-apt and apt versions x.y need to match), so I'd rather just get rid of it, so people stop with questions about outdated versions.
Source: python-apt#1883451
So at least for this dependency, it appears that we're out of luck when resolving dependencies python-natively via pip + PyPi. Luckily, the upstream project is hosted on the salsa.debian.org GitLab instance, and pip supports git+ SCM urls now, among other options.
Solutions:
Generally, there are many solutions for resolving such a dependency. The concerns you are trying to address are:
- Where is this package being provided from?
- System OS package manager
- Arbitrary Upstream Release URL
- Development SCM Repo
- Forked Git Repo with bugfixes
- etc...
- What Version will you be installing?
- Compatibility concerns:
- Must be
>= 2.0.0
- Forked repo / feature branch with some bugfix
- API Compatibility: Not greater than
2.x / Semantic Versioning
- Development:
- Just use latest & greatest ( bleeding edge )
- Use a specific version for my platform or system (e.g.: system OS package, my local forked version in a development directory)
- QA / Testing:
- Test against a specific version
- Test against latest (e.g.: nightly builds)
- Test against a version provided by a system OS release
- How should the dependency be resolved?
- "abstract" dependency on
pip-module-name + version constraint
- Allows for some flexibility later on with where to gather (URL / PyPi / Artifactory) and what version is allowed to satisfy the constraint.
- User can always override these if needed by specifying arguments to
pip, installing using a specific virtualenv, etc...
- "concrete" dependency on a specific URL + package-name + version
- Extreme case: Locking to a specific URL + version +
sha1 / sha256 / sha** with checksum verification to ensure exact location & file integrity.
- Less flexible, but most assuredly locked to an exact and precise version & source.
- Are you developing an "application" or a "library" / Python module?
- Do the dependencies need to be installed via
pip using setup.py install_requires = [...] style resolution? (library)
- Do the dependencies need to be installed by the application installer via
pip install -r requirements.txt? (application)
- How will your project be released?
- Who will be installing the package, and how will their system be allowed to resolve the dependency?
- Is this going to be released on PyPi as a library, or elsewhere as an application? (some rules of thumb follow)
- Generally speaking:
- A library tends to want to have wide open ended version specifiers
- An application wants very specific dependencies to ensure stability (lots of dependencies means lots of generally untested version permutations!)
- Use
setup.py to specify the library dependencies for PyPi
- Use
requirements.txt to specify an application's dependencies
- Is this going to be packaged as a native OS package? (e.g.:
.deb, .rpm, .apk, etc...)
- The native package manager has dependency resolution too... perhaps use this to ensure native compatibility!
- What other OS platforms will your package support & how will those platforms resolve the dependency?
So, most generally we can see that there are various concerns all relating to the desired specificity of where and how these dependencies get resolved and installed. There is no "one size fits all" solution here... There are Pros and Cons, and only many different solutions that fall somewhere on the spectrum of:
more specific <---------------------> less specific
reliable compatibility reliable installability
less testing permutations more (possibly un-vetted) testing permutations
limited platform support more platform support (when more permutations are well tested)
dependable known configurations less dependable known configurations
less platform tolerant more tolerant and agnostic of platforms
more OS native less OS native
Latest & Greatest from GitLab Upstream Repo
One solution to the python-apt package issue is to use this git+ URL feature in requirements.txt. This is great for development against the upstream version of python-apt from GitLab. To further isolate installation from the system OS provided version of python-apt, a virtualenv or pip install --user may be desired. For example:
requirements.txt:
--index-url https://pypi.python.org/simple/
-e git+https://salsa.debian.org/apt-team/python-apt.git#egg=python-apt
-e .
This can be used by an example project with setup.py containing:
[...SNIP...] # Boilerplate stuff here
setup(
#[...SNIP...] # Other setup() args here
platforms=['linux'],
# Reference:
# - https://github.com/pypa/interoperability-peps/pull/30/files#r184839487
# sudo apt install python3-apt apt-rdepends apt
# os_requires=[
# ['python3-apt', type='packagename', target='run', os='ubuntu'],
# ['apt-rdepends', type='packagename', target='run', os='ubuntu'],
# ['apt', type='packagename', target='run', os='ubuntu']
# ['libapt-pkg-dev', type='packagename', target='build', os='ubuntu']
# ]
# Build-deps for apt-python via git SCM: sudo apt install libapt-pkg-dev
python_requires='>=3.5',
install_requires=[
'python-apt (>= 2.0)',
# rest of your dependencies here
#[... SNIP ...]
],
package_dir={'': 'lib'},
scripts=_glob('bin/*'),
#[...SNIP...]
)
Note: os_requires isn't actually supported yet, but is proposed for a PEP. This might help in the future for external dependencies on packages. It would help in situations like this where a python module is not distributed via PyPi / pip, but instead is only provided via apt / .deb packages on the OS.
Set up your virtualenv or use pip3 install --user if you wish, then continue.
Using the git+ requirements feature results in the following when running pip3 install -r requirements.txt:
$ pip3 install -r requirements.txt
Looking in indexes: https://pypi.python.org/simple/
Obtaining file:///../example-project (from -r requirements.txt (line 4))
Obtaining python-apt from git+https://salsa.debian.org/apt-team/python-apt.git#egg=python-apt (from -r requirements.txt (line 3))
Updating ./example-project-venv/src/python-apt clone
Running command git fetch -q --tags
Running command git reset --hard -q c97d4159beae2f9cd42d55d3dff9c37f5c69aa44
ERROR: example-project 0.0.1 has requirement python-apt>=2.0, but you'll have python-apt 0.0.0 which is incompatible.
Installing collected packages: python-apt, example-project
Running setup.py develop for python-apt
Running setup.py develop for example-project
Successfully installed example-project python-apt
Note: You'll probably want to install runtime & build / setup.py dependencies for python-apt first:
# Runtime deps (e.g.: Ubuntu 20.04 needs python3-apt, <20.04 needs python-apt):
sudo apt install python3-apt apt
# python-apt pip install deps (also for setup.py / development)
sudo apt install libapt-pkg-dev
Alternative: dependency_links (Note: may be deprecated)
If you are developing a library type module, and also wish to use GitLab as source for python-apt you may want to consider using dependency_links in setup.py to provide the git+ or http(s) tarball release URL rather than in requirements.txt. This is helpful to distinguish an "application" python project from a "library" Python module project. It all depends on what your project's install process looks like. (e.g.: do you want to pip install -r requirements.txt, or just pip install example-module, or python[3] setup.py {sdist,bdist,bdist_rpm, etc...}. It could also be helpful to specify a custom URL for a forked version of python-apt. However, this method is likely to be deprecated sometime soon (if not partially already in new versions of pip). You may want to consider other options for future-proofing your dependency specifications such as PEP 508 or pip install --find-links ... instead.
Also, the "application" vs "library" distinction can be important here, as well as the concepts of "abstract" vs. "concrete" dependencies. A quick summary might be:
This split between abstract and concrete is an important one. It was
what allows the PyPI mirroring infrastructure to work. It is what
allows a company to host their own private package index. It is even
what enables you to fork a library to fix a bug or add a feature and
use your own fork. Because an abstract dependency is a name and an
optional version specifier you can install it from PyPI or from
Crate.io, or from your own filesystem. You can fork a library, change
the code, and as long as it has the right name and version specifier
that library will happily go on using it.
Setuptools has a feature similar to the Go example. It’s called
dependency links and it looks like this:
setup(
# ...
dependency_links = [
"http://packages.example.com/snapshots/",
"http://example2.com/p/bar-1.0.tar.gz",
], ) ```
This “feature” of setuptools removes the abstractness of its
dependencies and hardcodes an exact url from which you can fetch the
dependency from. Now very similarly to Go if we want to modify
packages, or simply fetch them from a different server we’ll need to
go in and edit each package in the dependency chain in order to update
the dependency_links.
Source: caremad.io Blog Post: setup.py vs requirements.txt
For this python-apt example, we might use something like this to lock a "concrete dependency" on v2.0.0:
setup(
# [...SNIP...]
dependency_links = [
"https://salsa.debian.org/apt-team/python-apt/-/archive/2.0.0/python-apt-2.0.0.tar.gz#egg=python-apt"
],
# [...SNIP...]
) `
Note: This "mis-feature" was briefly removed, and then brought back given some usefulness in specifying private package dependency URLs. However, currently pip --process-dependency-links flag has been deprecated, so its' usefulness is probably limited to older versions of Python 2 + pip.
Newer versions of pip now have URL support for PEP 508 syntax. This is probably the most future-proof method for specifying concrete and abstract dependencies with a complex grammar (See PEP 508 for details). Packages can now be specified in many ways, including custom URLs.
For example, to lock python-apt to v2.0.0 with optional sha256 checksum:
setup(
# [...SNIP...]
install_requires=[
'python-apt@https://salsa.debian.org/apt-team/python-apt/-/archive/2.0.0/python-apt-2.0.0.tar.gz#sha256=1ddbd3eb7cbc1ded7e0e8a2dd75219f0c59c7e062c6e6bfd5c8ff6f656c59a4e',
# [...SNIP...]
],
# [...SNIP...]
)
requirements.txt:
--index-url https://pypi.python.org/simple/
-e .
Then, pip install -r requirements.txt still works without any extra flags:
$ ./example-project-venv/bin/python3 ./example-project-venv/bin/pip3 install -r requirements.txt
Looking in indexes: https://pypi.python.org/simple/
Obtaining file://./src/pub/example-project (from -r requirements.txt (line 4))
Requirement already satisfied: graph-tools>=1.5 in ./example-project-venv/lib/python3.8/site-packages (from example-project==0.0.1->-r requirements.txt (line 4)) (1.5)
Collecting python-apt@ https://salsa.debian.org/apt-team/python-apt/-/archive/2.0.0/python-apt-2.0.0.tar.gz#sha256=1ddbd3eb7cbc1ded7e0e8a2dd75219f0c59c7e062c6e6bfd5c8ff6f656c59a4e
Using cached https://salsa.debian.org/apt-team/python-apt/-/archive/2.0.0/python-apt-2.0.0.tar.gz (458 kB)
Building wheels for collected packages: python-apt
Building wheel for python-apt (setup.py) ... done
Created wheel for python-apt: filename=python_apt-0.0.0-cp38-cp38-linux_x86_64.whl size=2040980 sha256=79eeb0d1bb9e3c9785acb68f164a3f72a5777539137d180e9ded7558d2547a49
Stored in directory: ~/.cache/pip/wheels/c4/09/b5/36fc8c9a1ebe8786620db922f1495da200dce187ee7c618993
Successfully built python-apt
Installing collected packages: python-apt, example-project
Attempting uninstall: example-project
Found existing installation: example-project 0.0.1
Uninstalling example-project-0.0.1:
Successfully uninstalled example-project-0.0.1
Running setup.py develop for example-project
Successfully installed example-project python-apt-0.0.0
Alternative: pip install --find-links ...
Another alternative method for installing a "concrete dependency" locked to a specific version is to pass --find-links to pip install with a released tarball file. This method might be helpful for explicitly installing a specific version given a release URL. For example, using python-apt v2.0.0:
$ ./example-project-venv/bin/python3 ./example-project-venv/bin/pip3 install --find-links 'https://salsa.debian.org/apt-team/python-apt/-/archive/2.0.0/python-apt-2.0.0.tar.gz' -r requirements.txt
Looking in indexes: https://pypi.python.org/simple/
Looking in links: https://salsa.debian.org/apt-team/python-apt/-/archive/2.0.0/python-apt-2.0.0.tar.gz
Obtaining file://./example-project (from -r requirements.txt (line 4))
Requirement already satisfied: graph-tools>=1.5 in ./example-project-venv/lib/python3.8/site-packages (from example-project==0.0.1->-r requirements.txt (line 4)) (1.5)
Collecting python-apt>=2.0
Downloading https://salsa.debian.org/apt-team/python-apt/-/archive/2.0.0/python-apt-2.0.0.tar.gz (458 kB)
|████████████████████████████████| 458 kB 614 kB/s
WARNING: Requested python-apt>=2.0 from https://salsa.debian.org/apt-team/python-apt/-/archive/2.0.0/python-apt-2.0.0.tar.gz (from example-project==0.0.1->-r requirements.txt (line 4)), but installing version 0.0.0
Building wheels for collected packages: python-apt
Building wheel for python-apt (setup.py) ... done
Created wheel for python-apt: filename=python_apt-0.0.0-cp38-cp38-linux_x86_64.whl size=2040783 sha256=d0a8f88c04f202e948b9855837140517d9b2bd3cef72e626221614552a476780
Stored in directory: ~/.cache/pip/wheels/8a/07/e9/b3c3328bac08c030a5b1e754e01e327b62fd26f9baedf07c15
Successfully built python-apt
ERROR: example-project 0.0.1 has requirement python-apt>=2.0, but you'll have python-apt 0.0.0 which is incompatible.
Installing collected packages: python-apt, example-project
Attempting uninstall: python-apt
Found existing installation: python-apt 0.0.0
Uninstalling python-apt-0.0.0:
Successfully uninstalled python-apt-0.0.0
Attempting uninstall: example-project
Found existing installation: example-project 0.0.1
Uninstalling example-project-0.0.1:
Successfully uninstalled example-project-0.0.1
Running setup.py develop for example-project
Successfully installed example-project python-apt-0.0.0
Base System Debian Package
On Debian & Ubuntu, there are two .deb packages you'll see on the various distribution versions: python3-apt and python-apt (for Python2).
These packages are managed by the APT package manager, and thus are installed in the system location: /usr/lib/python3/dist-packages or /usr/lib/python2.7/dist-packages for Python3 & Python2.7 respectively.
This dist-packages path, and other Python packaging conventions are explained well in this post:
The system has installed Python packages in the global dist-packages directory of each Python version and created symbolic links:
/usr/lib/python2.7/dist-packages/numpy
/usr/lib/python3/dist-packages/numpy
ls -ls /usr/include/numpy
#-> ../lib/python2.7/dist-packages/numpy/core/include/numpy
ls -l /usr/include/python2.7/numpy
#->../../lib/python2.7/dist-packages/numpy/core/include/numpy
ls -l /usr/include/python3.5/numpy
#-> ../../lib/python3/dist-packages/numpy/core/include/numpy
Note the good use of dist-packages instead of site-packages which should be reserved for the system Python.
So, if you're looking to use the base-OS system level version of python3-apt then you'd want to make sure that this path is on your sys.path or PYTHONPATH so import apt will work. Whereas, if you wanted to use the site-packages location, or a virtualenv location... those would have to exist on sys.path / PYTHONPATH instead.
Unfortunately, as mentioned before, there is not yet an official way to state a dependency on an OS package providing a certain version of a python module. However, as long as you're managing your python runtime environment's import path(s), you should be able to use the correct version from the OS package that lives in the dist-packages directory.
