Switch optional requirement to psycopg2 package #6707

@jdufresne (Contributor) commented May 23, 2019

The psycopg2 project recommends _not_ using the psycopg2-binary package.
Here are the relevant warnings:

http://initd.org/psycopg/docs/install.html#binary-install-from-pypi

> Note: The psycopg2-binary package is meant for beginners to start
> playing with Python and PostgreSQL without the need to meet the build
> requirements.
>
> If you are the maintainer of a published package depending on psycopg2
> you shouldn’t use ‘psycopg2-binary’ as a module dependency. For
> production use you are advised to use the source distribution.
>
> Note: The binary packages come with their own versions of a few C
> libraries, among which libpq and libssl, which will be used regardless
> of other libraries available on the client: upgrading the system
> libraries will not upgrade the libraries used by psycopg2. Please
> build psycopg2 from source if you want to maintain binary
> upgradeability.
>
> Warning: The psycopg2 wheel package comes packaged, among the others,
> with its own libssl binary. This may create conflicts with other
> extension modules binding with libssl as well, for instance with the
> Python ssl module: in some cases, under concurrency, the interaction
> between the two libraries may result in a segfault. In case of doubts
> you are advised to use a package built from source.

@xordoquy (Collaborator)

This is fine to me as we use it for testing purposes and it helps shorten the test setup time by skipping compilation time.

@xordoquy closed this May 23, 2019

@jdufresne (Contributor Author)

In addition to the reasons stated above, I think there is value in testing against actual packages that end users will use rather than an alternatively packaged version. It is more representative of real life use.

I'm not sure the compilation is all that much real overhead.

Here are additional security/packaging issues being raised: psycopg/psycopg2#912

@xordoquy (Collaborator)

I do hear you and I have faced that issue on a project a couple of months ago.
It's only there so that we can test some Postgres-specific type and the binary package is good enough for that.
If the test suite breaks because of that, we'll switch then or would consider mocking the module to let the test suite run.
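
An added example (not part of this thread or of either project's code) for checking the bundled-library concern quoted in the first comment: it reports which installed distributions ship their own libpq, libssl or libcrypto, since those copies are not replaced when the system libraries are upgraded. The filename pattern and the sample file listing are assumptions constructed for illustration.

```python
import re
from importlib import metadata
from pathlib import PurePosixPath

# libpq and libssl are the libraries the quoted psycopg2 docs name as bundled;
# libcrypto is added because it ships with libssl in OpenSSL.
# Assumption: vendored copies keep a "lib<name>" prefix, optionally followed by
# a hash or version tag, as wheel repair tools commonly name them.
BUNDLED = re.compile(r"^lib(ssl|crypto|pq)\b.*\.(so|dylib|dll)(\.\d+)*$", re.I)

# Constructed file listing imitating a Linux binary wheel; names are illustrative.
SAMPLE_WHEEL_FILES = [
    "psycopg2/__init__.py",
    "psycopg2/_psycopg.cpython-37m-x86_64-linux-gnu.so",
    "psycopg2_binary.libs/libssl-0a1b2c3d.so.1.0.0",
    "psycopg2_binary.libs/libcrypto-4e5f6a7b.so.1.0.0",
    "psycopg2_binary.libs/libpq-8c9d0e1f.so.5.9",
]


def bundled_libs(files):
    """Return sorted basenames in `files` that look like vendored libpq/OpenSSL."""
    names = {PurePosixPath(str(f)).name for f in files}
    return sorted(n for n in names if BUNDLED.match(n))


def audit_environment():
    """Map each installed distribution to the libpq/OpenSSL copies it ships."""
    report = {}
    for dist in metadata.distributions():
        # dist.files is None when the distribution has no RECORD file.
        libs = bundled_libs(dist.files or [])
        if libs:
            report[dist.metadata.get("Name", "unknown")] = libs
    return report


if __name__ == "__main__":
    print("sample wheel:", bundled_libs(SAMPLE_WHEEL_FILES))
    for name, libs in sorted(audit_environment().items()):
        print(f"{name}: ships {', '.join(libs)} (not updated by OS upgrades)")
```

A distribution that appears in the report needs its own release to pick up a libssl or libpq fix; patching the operating system packages does not change the copy it loads.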
