
[spike] investigate the using python wheels for dependencies in prod
Closed, Resolved, Public

Description

Generally, operations does not want us to use pip & PyPI in production. One alternative is to distribute dependencies as a set of python eggs. However, installing a package via an egg results in arbitrary code execution. Recently, we have been considering using Debian files to capture our dependencies, but that proved to be overly complex. Python wheels (binary distribution) provide an alternative to eggs that does not require arbitrary code execution. So, it would be great if we could use wheels instead.

This task is done when someone tries to build all of the [dependencies for running ores-wikimedia-config](https://github.com/wiki-ai/ores-wikimedia-config/blob/master/requirements.txt) and reports how it works out.

Python wheels: http://pythonwheels.com/

Note that building wheels is trivial for pure-python libraries. How hard is it to generate wheels for sklearn, scipy, numpy, etc?

Event Timeline

Halfak renamed this task from "[spike] investigate the process for creating a wheels for clib-based dependencies" to "[spike] investigate the using python wheels for dependencies in prod". Mar 1 2016, 8:08 PM
Halfak updated the task description.

I built all the wheels, and can get ores dev_server to start with it (haven't actually tried using it, but I suppose it starting is good enough?).

Things to note:

  • needs a newer version of pip than is available on Debian
  • pip3 wheel --wheel-dir=<path> --process-dependency-links -r requirements.txt will generate all the required wheels for requirements.txt into the <path>
  • --process-dependency-links is deprecated - so we might need to make the requirements.txt in ores-wikimedia-config fully recursive (the output of pip freeze)
  • we should also consider adding hashes to packages in requirements.txt for extra security and reproducibility.

Have confirmed that --process-dependency-links is both needed and deprecated. We should make the ores-wikimedia-config requirements.txt fully recursive.
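As an added example (not code from this task or from ores-wikimedia-config), the script below checks a wheelhouse built with pip3 wheel --wheel-dir=<path> against a fully recursive requirements.txt that carries --hash=sha256 entries, the format pip install --require-hashes consumes. It parses the pins, locates the matching wheel file for each name==version, and compares digests, so a missing, unpinned or substituted wheel is reported before anything is installed and the install step never needs to reach PyPI. The wheel filenames, versions and file contents in demo() are constructed for illustration; the fake wheels are plain byte strings, not real archives.

```python
"""Verify a pre-built wheelhouse against a hash-pinned requirements.txt.

Added example for this task; not code from ores-wikimedia-config. Assumes
wheels were built with `pip3 wheel --wheel-dir=<path> -r requirements.txt`
and that requirements.txt is fully pinned (name==version) with
`--hash=sha256:<hex>` entries, the form `pip install --require-hashes` reads.
"""
import hashlib
import os
import re
import tempfile

# name==version at the start of a requirement line (extras/markers not handled)
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def normalize(name):
    """PEP 503-style normalization in the underscore form wheel filenames use."""
    return re.sub(r"[-_.]+", "_", name).lower()


def parse_hashed_requirements(text):
    """Return {normalized_name: (version, {sha256 hex, ...})}.

    Backslash continuations are joined and '#' comments dropped. A pinned
    requirement with no --hash entries gets an empty set so callers can
    flag it; an unpinned line is an error, since a wheelhouse must be
    reproducible.
    """
    reqs = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line or a pip option such as --find-links
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError("unpinned or unparsable requirement: %r" % line)
        reqs[normalize(m.group(1))] = (m.group(2), set(HASH_OPT.findall(line)))
    return reqs


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_wheelhouse(requirements_text, wheel_dir):
    """Return a list of problems; an empty list means every pin is satisfied
    by a wheel in wheel_dir whose digest matches one of its hashes."""
    problems = []
    wheels = [w for w in os.listdir(wheel_dir) if w.endswith(".whl")]
    for name, (version, hashes) in parse_hashed_requirements(requirements_text).items():
        if not hashes:
            problems.append("%s==%s has no --hash pin" % (name, version))
            continue
        # wheel filename: {dist}-{version}(-{build})?-{py}-{abi}-{platform}.whl
        candidates = []
        for w in wheels:
            parts = w[:-len(".whl")].split("-")
            if len(parts) >= 5 and normalize(parts[0]) == name and parts[1] == version:
                candidates.append(w)
        if not candidates:
            problems.append("no wheel for %s==%s" % (name, version))
            continue
        for w in candidates:
            digest = sha256_of(os.path.join(wheel_dir, w))
            if digest not in hashes:
                problems.append("%s: sha256 %s does not match any pin" % (w, digest))
    return problems


def demo():
    """Constructed scenario: fake wheel files (not real archives), then one
    file overwritten to simulate a substituted build. Returns (clean, tampered)."""
    numpy_whl = "numpy-1.2.3-cp34-cp34m-linux_x86_64.whl"          # constructed name
    sklearn_whl = "scikit_learn-0.4.5-cp34-cp34m-linux_x86_64.whl"  # constructed name
    files = {numpy_whl: b"constructed numpy wheel", sklearn_whl: b"constructed sklearn wheel"}
    with tempfile.TemporaryDirectory() as wheel_dir:
        for fn, data in files.items():
            with open(os.path.join(wheel_dir, fn), "wb") as f:
                f.write(data)
        reqs = (
            "# constructed, fully pinned requirements\n"
            "numpy==1.2.3 \\\n    --hash=sha256:%s\n"
            "scikit-learn==0.4.5 --hash=sha256:%s\n"
        ) % (hashlib.sha256(files[numpy_whl]).hexdigest(),
             hashlib.sha256(files[sklearn_whl]).hexdigest())
        clean = verify_wheelhouse(reqs, wheel_dir)
        with open(os.path.join(wheel_dir, numpy_whl), "wb") as f:
            f.write(b"tampered")  # same filename, different contents
        tampered = verify_wheelhouse(reqs, wheel_dir)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean wheelhouse:", clean or "OK")
    print("tampered wheelhouse:", tampered)
```

In practice the hashes would be produced once from the freshly built wheelhouse (pip hash <wheel> gives the same sha256 form) and committed alongside the frozen requirements; the deployment host then runs this check, or pip install --no-index --find-links=<path> --require-hashes -r requirements.txt, which fails on the same conditions.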

I

T129109 is the outcome of this spike.