On 17 Jul 2014, at 11:41, Matthew Westcott wrote:
So, as a compromise, how about we keep the packages in there, but use a '>=' rule so that they pick up the latest version? The downside is that new versions can be released at any time, and we can no longer guarantee that local and live installations of a site are running the same version - which is bad news if the packages introduce breaking changes (hellooo elasticsearch!). But then again, that already happens to some extent (e.g. packages that define their own dependencies using >=) and it doesn't seem to have been a problem up to now.
Having pondered the '>=' versus '==' conundrum some more, I'm starting to think that the "best practice" for requirements files as codified by the Two Scoops book has some room for improvement. The root of the problem is that the requirements file has two conflicting purposes:
- a description of the range of package versions that our app is able to work with, presented as a list of constraints which pip has to solve: e.
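The '>=' versus '==' trade-off above is easy to audit mechanically. The following is an added example, not code from this thread or from the project being discussed: a small stand-alone parser (no dependency on `pip` or `packaging`, so it is deliberately narrower than pip's own requirements grammar) that reads a requirements file and reports which entries are exact pins, which are ranges pip has to solve (and can therefore drift between a local and a live install), and which carry no version at all. The sample requirements text, package names and versions are constructed for illustration.

```python
"""Classify pip requirements lines by how tightly they pin a version.

Added example; hand-written parser, not pip's own. Covers the common
`name[extras] op version[, op version] [--hash=...]` shape plus comments,
`-e`/`-r` option lines and URL requirements (which are only flagged).
"""
import re

# Constructed sample requirements file (names/versions are illustrative).
SAMPLE_REQUIREMENTS = """\
# core
Django==1.6.5
wagtail>=0.4
elasticsearch>=1.0,<2.0
requests
psycopg2 ~= 2.5.0
-e git+https://example.invalid/someorg/sometool.git#egg=sometool
six==1.7.3 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# pip treats '#' as a comment only at line start or after whitespace,
# so '#egg=' inside a VCS URL is left alone.
COMMENT_RE = re.compile(r"(?:^|\s)#.*$")
# project name, optional [extras], then everything else is the specifier
SPEC_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>.*)$")
# one version clause: operator followed by a version string
OPERATOR_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")


def parse_line(raw):
    """Parse one requirements line.

    Returns None for blank/comment-only lines, otherwise a dict with
      name     - lower-cased project name (or the raw line for options)
      category - 'exact'  single '==' pin: local and live get the same release
                 'range'  constraints pip must solve; result can drift over time
                 'any'    no specifier: whatever is newest on the index
                 'option' -e/-r/--flag lines and URL requirements (not parsed)
      hashed   - True if a --hash= option is present
    """
    line = COMMENT_RE.sub("", raw).strip()
    if not line:
        return None
    if line.startswith("-") or "://" in line:
        return {"name": line, "category": "option", "hashed": False}
    tokens = line.split()
    hashed = any(t.startswith("--hash=") for t in tokens)
    body = " ".join(t for t in tokens if not t.startswith("--"))
    m = SPEC_RE.match(body)
    if not m:
        raise ValueError("unparseable requirement: %r" % raw)
    name = m.group("name").lower()
    spec = m.group("spec").strip()
    if not spec:
        return {"name": name, "category": "any", "hashed": hashed}
    clauses = []
    for clause in spec.split(","):
        om = OPERATOR_RE.match(clause.strip())
        if not om:
            raise ValueError("bad version clause %r in %r" % (clause, raw))
        clauses.append((om.group(1), om.group(2)))
    # A lone '==' (or '===') without a '*' wildcard is the only reproducible form.
    if len(clauses) == 1 and clauses[0][0] in ("==", "===") and not clauses[0][1].endswith("*"):
        category = "exact"
    else:
        category = "range"
    return {"name": name, "category": category, "hashed": hashed}


def audit(text):
    """Parse a whole requirements file into a list of entries (comments skipped)."""
    return [entry for entry in map(parse_line, text.splitlines()) if entry is not None]


def drift_risks(text):
    """Sorted names of packages whose installed version depends on when you run pip."""
    return sorted(e["name"] for e in audit(text) if e["category"] in ("range", "any"))


if __name__ == "__main__":
    for entry in audit(SAMPLE_REQUIREMENTS):
        print("%-8s %s%s" % (entry["category"], entry["name"], "  [hashed]" if entry["hashed"] else ""))
    print("may drift between installs:", ", ".join(drift_risks(SAMPLE_REQUIREMENTS)))
```

Running it on the sample lists Django and six as exact pins (six additionally hash-locked), flags wagtail, elasticsearch, psycopg2 and requests as entries whose resolved version can change between a local and a live install, and leaves the `-e` checkout for manual review.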