You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "potiuk (via GitHub)" <gi...@apache.org> on 2023/10/24 10:39:08 UTC

[PR] Upgrade `pip` to 23.3.1 [airflow]

potiuk opened a new pull request, #35150:
URL: https://github.com/apache/airflow/pull/35150

   <!--
    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at
   
      http://www.apache.org/licenses/LICENSE-2.0
   
    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
    -->
   
   <!--
   Thank you for contributing! Please make sure that your code changes
   are covered with tests. And in case of new features or big changes
   remember to adjust the documentation.
   
   Feel free to ping committers for the review!
   
   In case of an existing issue, reference it using one of the following:
   
   closes: #ISSUE
   related: #ISSUE
   
   How to write a good git commit message:
   http://chris.beams.io/posts/git-commit/
   -->
   
   
   
   <!-- Please keep an empty line above the dashes. -->
   ---
   **^ Add meaningful description above**
   Read the **[Pull Request Guidelines](https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#pull-request-guidelines)** for more information.
   In case of fundamental code changes, an Airflow Improvement Proposal ([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvement+Proposals)) is needed.
   In case of a new dependency, check compliance with the [ASF 3rd Party License Policy](https://www.apache.org/legal/resolved.html#category-x).
   In case of backwards incompatible changes please leave a note in a newsfragment file, named `{pr_number}.significant.rst` or `{issue_number}.significant.rst`, in [newsfragments](https://github.com/apache/airflow/tree/main/newsfragments).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Upgrade `pip` to 23.3.1 [airflow]

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk commented on code in PR #35150:
URL: https://github.com/apache/airflow/pull/35150#discussion_r1369988440


##########
Dockerfile:
##########
@@ -48,7 +48,7 @@ ARG AIRFLOW_VERSION="2.7.2"
 
 ARG PYTHON_BASE_IMAGE="python:3.8-slim-bullseye"
 
-ARG AIRFLOW_PIP_VERSION=23.3
+ARG AIRFLOW_PIP_VERSION=23.3.1

Review Comment:
   We do not realy want that. Pinning `pip` to specific version and manually upgrading it when new version gets released via PR is a deliberate decision.
   
   Here is the reasoning:
   
   Bumping `pip` verssion is a rare event (usually a bit faster for .1 version to accomodate for teething problems but then it slows down), and `pip` does not follow Semver but some modified Calver (23 = year , 3 = quarter, 1 = number of release - patchlevel- in the quarter). 
   
   Even patchlevel releases in the past introduced breaking changes that broke our builds, and those releases are relatively infrequent, and I prefer to keep the "exact" version of `pip` in our image due to that.  While technically https://pip.pypa.io/en/stable/development/release-process/ the `patchlevel` releases should just be `bugfixes` it happened in the past that they were breaking for us (and others) - this was also sometimes connected with other dependencies used in the Python build toolchain (think setuptools, Cython etc.).
   
   This is pretty special case as `pip` release has the potential of totally breaking our CI / builds - the algorithm for dependency resolution that `pip` has is big part of our `automated constraints update` toolchain, also `pip` maintainers are (rightfully I think) more concerned about following new PEPs than breaking compatibility and there were quite a number of breaking changes resulitng from implementing new PEPs for example -  so we should adjust and make the upgrade to even "patchlevel" as a manual effort. Usually there are max 2 upgrades for the `patchlevel` version.
   
   Also one more reason - keeping it "fixed" produces much more (from Python point of view) reproducible Docker images. While our images are not fully reproducible when built (for example they can get newer Python patchlevel or newer OS dependencies, haivng fixed PIP and constraints, makes the rebuild fairly consistent when it comes to `python` depenedncies. This will become really crucial when we complete our SBOM work (we work on it as part of Security improvements with @hussein-awala @eladkal and @pierrejeambrun) - and once we fix `pip` - the SBOMs for Python side of released Airflow version are very strictly "pinned" - i.e. for each version of Airflow you will be able to deterministically say "This is the version of dependencies that x.y.z version of Airflow (same for providers)" that Airflow has been released with" - and this will be the base for anyone looking at SBOM information to determine if they should upgrade anything or not due to security issues. That's why it's pretty 
 important to keep all Python dependendencies (including `pip`) fixed per version of Airlfow. 
   
   We are doing it via constraints in Airflow, but `pip` is used to manage the constrainst so this is a bit chicken-egg problem. Strict-pinning `pip` in images helps to achieve really `reproducible` state of dependencies.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Upgrade `pip` to 23.3.1 [airflow]

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk commented on code in PR #35150:
URL: https://github.com/apache/airflow/pull/35150#discussion_r1369988440


##########
Dockerfile:
##########
@@ -48,7 +48,7 @@ ARG AIRFLOW_VERSION="2.7.2"
 
 ARG PYTHON_BASE_IMAGE="python:3.8-slim-bullseye"
 
-ARG AIRFLOW_PIP_VERSION=23.3
+ARG AIRFLOW_PIP_VERSION=23.3.1

Review Comment:
   We do not realy want that. Pinning `pip` to specific version and manually upgrading it when new version gets released via PR is a deliberate decision.
   
   Here is the reasoning:
   
   Bumping `pip` verssion is a rare event (usually a bit faster for .1 version to accomodate for teething problems but then it slows down), and `pip` does not follow Semver but some modified Calver (23 = year , 3 = quarter, 1 = number of release - patchlevel- in the quarter). 
   
   Even patchlevel releases in the past introduced breaking changes that broke our builds, and those releases are relatively infrequent, and I prefer to keep the "exact" version of `pip` in our image due to that.  While technically https://pip.pypa.io/en/stable/development/release-process/ the `patchlevel` releases should just be `bugfixes` it happened in the past that they were breaking for us (and others) - this was also sometimes connected with other dependencies used in the Python build toolchain (think setuptools, Cython etc.).
   
   This is pretty special case as `pip` release has the potential of totally breaking our CI / builds - the algorithm for dependency resolution that `pip` has is big part of our `automated constraints update` toolchain, also `pip` maintainers are (rightfully I think) more concerned about following new PEPs than breaking compatibility and there were quite a number of breaking changes resulitng from implementing new PEPs for example -  so we should adjust and make the upgrade to even "patchlevel" as a manual effort. Usually there are max 2 upgrades for the `patchlevel` version.
   
   Also one more reason - keeping it "fixed" produces much more (from Python point of view) reproducible Docker images. While our images are not fully reproducible when built (for example they can get newer Python patchlevel or newer OS dependencies, haivng fixed PIP and constraints, makes the rebuild fairly consistent when it comes to `python` depenedncies. This will become really crucial when we complete our SBOM work (we work on it as part of Security improvements with @hussein-awala @eladkal and @pierrejeambrun) - and once we fix `pip` - the SBOMs for Python side of released Airflow version are very strictly "pinned" - i.e. for each version of Airflow you will be able to deterministically say "This is the version of dependencies that x.y.z version of Airflow has (same for providers)" that Airflow has been released with" - and this will be the base for anyone looking at SBOM information to determine if they should upgrade anything or not due to security issues. That's why it's pre
 tty important to keep all Python dependendencies (including `pip`) fixed per version of Airlfow. 
   
   We are doing it via constraints in Airflow, but `pip` is used to manage the constrainst so this is a bit chicken-egg problem. Strict-pinning `pip` in images helps to achieve really `reproducible` state of dependencies.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Upgrade `pip` to 23.3.1 [airflow]

Posted by "ephraimbuddy (via GitHub)" <gi...@apache.org>.
ephraimbuddy commented on code in PR #35150:
URL: https://github.com/apache/airflow/pull/35150#discussion_r1370262585


##########
Dockerfile:
##########
@@ -48,7 +48,7 @@ ARG AIRFLOW_VERSION="2.7.2"
 
 ARG PYTHON_BASE_IMAGE="python:3.8-slim-bullseye"
 
-ARG AIRFLOW_PIP_VERSION=23.3
+ARG AIRFLOW_PIP_VERSION=23.3.1

Review Comment:
   Thanks for the thorough explanation. Really makes sense



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Upgrade `pip` to 23.3.1 [airflow]

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk commented on PR #35150:
URL: https://github.com/apache/airflow/pull/35150#issuecomment-1777157583

   Seems it works nicely :) 
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Upgrade `pip` to 23.3.1 [airflow]

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk merged PR #35150:
URL: https://github.com/apache/airflow/pull/35150


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Upgrade `pip` to 23.3.1 [airflow]

Posted by "ephraimbuddy (via GitHub)" <gi...@apache.org>.
ephraimbuddy commented on code in PR #35150:
URL: https://github.com/apache/airflow/pull/35150#discussion_r1369965114


##########
Dockerfile:
##########
@@ -48,7 +48,7 @@ ARG AIRFLOW_VERSION="2.7.2"
 
 ARG PYTHON_BASE_IMAGE="python:3.8-slim-bullseye"
 
-ARG AIRFLOW_PIP_VERSION=23.3
+ARG AIRFLOW_PIP_VERSION=23.3.1

Review Comment:
   Should we use `~=23.3.1` so it will automatically update to the next patch when building the image



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Upgrade `pip` to 23.3.1 [airflow]

Posted by "ephraimbuddy (via GitHub)" <gi...@apache.org>.
ephraimbuddy commented on code in PR #35150:
URL: https://github.com/apache/airflow/pull/35150#discussion_r1369965114


##########
Dockerfile:
##########
@@ -48,7 +48,7 @@ ARG AIRFLOW_VERSION="2.7.2"
 
 ARG PYTHON_BASE_IMAGE="python:3.8-slim-bullseye"
 
-ARG AIRFLOW_PIP_VERSION=23.3
+ARG AIRFLOW_PIP_VERSION=23.3.1

Review Comment:
   Should we use `~=23.3.1` so it will automatically update to the next minor when building the image



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org