suggestion: shouldn't pip lock also provide the size of objects ? #13393

Open
1 task done
stonebig opened this issue May 13, 2025 · 8 comments · May be fixed by #13395
Labels
state: awaiting PR Feature discussed, PR is needed type: feature request Request for a new feature

Comments

@stonebig
Contributor

stonebig commented May 13, 2025

What's the problem this feature will solve?

To reduce the risk of a SHA-256 collision, providing the size of the file could be interesting.
Also, this is included in the PEP-0751 "mousebender" example: https://peps.python.org/pep-0751/

```toml
created-by = 'mousebender'

[[packages]]
name = 'attrs'
version = '25.1.0'
requires-python = '>=3.8'
wheels = [
  {name = 'attrs-25.1.0-py3-none-any.whl', upload-time = 2025-01-25T11:30:10.164985+00:00, url = 'https://files.pythonhosted.org/packages/fc/30/d4986a882011f9df997a55e6becd864812ccfcd821d64aac8570ee39f719/attrs-25.1.0-py3-none-any.whl', size = 63152, hashes = {sha256 = 'c75a69e28a550a7e93789579c22aa26b0f5b83b75dc4e08fe092980051e1090a'}},
]
```

Describe the solution you'd like

Also provide the size of the packages when generating "pip lock".

Alternative Solutions

doing it by hand in a post treatment

Additional context

using "pip lock" to generate a reference and safe pylock.toml file for WinPython distribution

typical code:

```bat
rem to get pylock.toml in an ok place...
cd /D %LOCKDIR%

python.exe -m pip freeze > %req%
findstr /v "winpython" %req% > %wanted_req%

rem pip lock from pypi, from the frozen req
python.exe -m pip lock --no-deps -c C:\WinP\constraints.txt -r "%wanted_req%" -o %pip_lock_web%

rem pip lock from local WheelHouse, from the frozen req
python.exe -m pip lock --no-deps --no-index --trusted-host=None --find-links=C:\WinP\packages.srcreq -c C:\WinP\constraints.txt -r "%wanted_req%" -o %pip_lock_local%

rem also generating a classic requirements file with sha256 hashes, from the obtained pylock.toml
python.exe -c "from winpython import wheelhouse as wh;wh.pylock_to_req(r'%pip_lock_web%', r'%req_lock_web%')"
python.exe -c "from winpython import wheelhouse as wh;wh.pylock_to_req(r'%pip_lock_local%', r'%req_lock_local%')"

rem compare the two (result from pypi and local Wheelhouse must be equal)
fc "%req_lock_web%" "%req_lock_local%"
```


@stonebig stonebig added type: feature request Request for a new feature S: needs triage Issues/PRs that need to be triaged labels May 13, 2025
@stonebig stonebig changed the title shouldn't pip lock also provide the size ? shouldn't pip lock also provide the size of objects ? May 13, 2025
@stonebig stonebig changed the title shouldn't pip lock also provide the size of objects ? suggestion: shouldn't pip lock also provide the size of objects ? May 13, 2025
@sbidoul sbidoul added state: awaiting PR Feature discussed, PR is needed and removed S: needs triage Issues/PRs that need to be triaged labels May 13, 2025
@sbidoul
Member

sbidoul commented May 13, 2025

It could. A PR to do this is welcome.

@stonebig
Contributor Author

let's see if I can

@stonebig stonebig linked a pull request May 15, 2025 that will close this issue
@stonebig
Contributor Author

stonebig commented May 15, 2025

gave it a try with github free integrated AI, but it's a game of CI patience.

not sure also if I take the size from the right place when local

@pfmoore
Member

pfmoore commented May 15, 2025

Please don't submit AI-generated code as a PR.

@stonebig
Contributor Author

stonebig commented May 18, 2025

> Please don't submit AI-generated code as a PR.

As I'm using "free" AIs:

  • I know the code is to verify, eventually re-normalize to the project practice.
  • I find using several AIs is super useful:
    • to understand the code base, where the todo changes are in the pip code haystack
    • to more easily detect the errors and bad answers between AIs
  • I try to keep the code minimalist and simple, not intelligent
  • you notice I tried to fit my pull request in @sbidoul comments

So... can I continue with that use of AI ?

@pfmoore
Member

pfmoore commented May 18, 2025

I have no objection if you want to use AIs to help you write code. But if you submit AI-written code, then is it your code? In other words, do you have the right to license it to the pip project? What if it turns out the AI produced a copy of someone else's code?

Also, have you reviewed the code as well as you would have if you'd written it yourself? Are you certain there are no bugs in it?

I'd prefer that if you want to use AIs, you use them to assist you to write the code you submit.

@stonebig
Contributor Author

stonebig commented May 25, 2025

> I have no objection if you want to use AIs to help you write code. But if you submit AI-written code, then is it your code? In other words, do you have the right to license it to the pip project? What if it turns out the AI produced a copy of someone else's code?

sure, so the code must be stupid

> Also, have you reviewed the code as well as you would have if you'd written it yourself? Are you certain there are no bugs in it?

At this moment:

  • AI makes more errors than me, creates more documentation and tests, and tends to have various styles
  • I do not make the same errors, have a standard style, hate writing documentation and tests (procrastination)
  • like for orthographic errors, it makes the overall code less buggy as one sees the error of the other

> I'd prefer that if you want to use AIs, you use them to assist you to write the code you submit.

This is what I do, yet you can foresee the situation is changing:

  • from writing code, the world moves to writing prompts, that are then compiled to source code python,
  • more and more, we will have to find other ways to check the ocean of source code that AI will generate.

It's going to be a problem for Pip and open source:

  • how to get good code not tainted as you fear
  • when 100% of developers already use AI all the time.

There is no more "clean room from AI" developers anymore, except maybe at sqlite.org

@uranusjr
Member

uranusjr commented May 26, 2025

Can y’all go somewhere else to argue about this please? If this affects the implementation, the PR thread is more suitable. Otherwise it should have its own issue thread.
