This recent breakage reinforced for us, why the Pulp team decided to require upper- and lower-bounds on all requirements. If we’d enforced that on test_requirements.txt, we wouldn’t have come in on a Monday to find All The Things were broken in our CI
Part of the response to this instance included discussing whether we should be more restrictive - by using, say,
pip-compile or a related tool to always specify the exact versions we’re using/testing against. The problem that arises with that, is it means that the Pulp team would need to cut a new release any time any dependency released a bug fix, for any reason. This puts us between “our users” and “reasonable security fixes”, for example, in a way that doesn’t feel…appropriate.
The consensus of the discussion can be summed up as “requiring upper- and lower- bounds the way we do is certainly imperfect, but it’s a reasonable compromise between ‘unexpected breakage’ and ‘allow for bugfixes’”. We will certainly be keeping an eye on how well that compromise is working, as Pulp moves forward.
Have an opinion? Let us know what you think!