#5595 closed defect (fixed)
Pin current Python 2 dependencies at <= latest working version
Reported by: | Ben Sturmfels | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | 0.10.0 |
Component: | programming | Keywords: | |
Cc: | Boris Bobrov, aleph | Parent Tickets: |
Description
Our dependencies are rapidly dropping Python 2 support which, due to our loose specification of versions in setup.py, means Python 2 installation may break at any time. For some reason, Pip doesn't seem to figure this out properly in my experience.
I suggest that for 0.10.0, the likely last Python 2 release, we pin the highest version for those dependencies to the latest Python 2 working versions, including dependencies of dependencies.
Change History (4)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
Cc: | added |
---|---|
Resolution: | → fixed |
Status: | new → closed |
I've now run `bin/pip freeze --local` on the working Python 2 install and copied all those dependencies into the Python 2 conditional in `setup.py`. It's pretty horrible, but should prevent unpredictable Python 2 breakages at a later date.
The downside is that using `==` pinning will stop people getting security updates. I think it's a necessary tradeoff though.
comment:3 by , 5 years ago
Can we do `<=` for current major versions? I mean if we have `nicepackage` version `1.2.3` now, maybe we could pin `nicepackage <= 1.2.999`
comment:4 by , 5 years ago
Excellent idea! I was thinking about like `nicepackage<1.3` but feeling too lazy to do the work. Your approach is much easier. A quick keyboard macro and ... done. A couple like pytz don't follow semantic versioning, but should work nonetheless.
I've just tested that in a Dockerfile modified to run similarly to the install docs and it works nicely.
I've now tested the Python 2 install process as per the deployment docs and fixed all the broken dependencies by pinning them in setup.py. This fixes the installation process *right now* on Python 2. The problem is that packages are dropping Python 2 support all over the place and due to our (deliberate) loose dependency version specifications and the loose sub-dependency version specifications, it's one horrible mess. But it works right now.
Next up I'll be pinning all the currently installed Python 2 packages and all dependencies.
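The `==` versus `<= X.Y.999` tradeoff discussed in comments 2 to 4, as an added example that is not part of the ticket or the project's code: it rewrites `pip freeze` lines into capped specifiers and checks which later releases each form still admits. The function names, the sample freeze lines, and the handling of two-component and pre-release versions are assumptions made for illustration.

```python
import re

# Constructed sample of `pip freeze --local` output (not taken from the ticket).
SAMPLE_FREEZE = """\
# constructed sample
nicepackage==1.2.3
pytz==2019.3
otherpkg==4.0
prerelease-pkg==1.0b2
-e git+https://example.invalid/repo.git#egg=localpkg
"""

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$")
_NUMERIC = re.compile(r"^\d+(\.\d+)*$")


def cap_pin(line):
    """Turn 'name==X.Y.Z' into 'name<=X.Y.999'; return None for skipped lines."""
    line = line.strip()
    m = _PIN.match(line)
    if not m:
        return None  # comments, blank lines, editable (-e) installs
    name, version = m.groups()
    if not _NUMERIC.match(version):
        return line  # assumption: pre/post releases keep their exact pin
    head = version.split(".")[:2]  # assumption: cap below the first two components
    return "%s<=%s" % (name, ".".join(head + ["999"]))


def cap_freeze(text):
    """Apply cap_pin to every line of freeze output, dropping skipped lines."""
    return [spec for spec in map(cap_pin, text.splitlines()) if spec]


def _key(version, width=4):
    # Zero-pad so that 1.2 and 1.2.0 compare equal, as pip treats them.
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def allowed(spec, candidate):
    """True if a purely numeric candidate satisfies a numeric '==' or '<=' spec."""
    op = "<=" if "<=" in spec else "=="
    bound = spec.split(op, 1)[1]
    if op == "==":
        return _key(candidate) == _key(bound)
    return _key(candidate) <= _key(bound)
```

With the capped form a later patch release such as `1.2.4` is still installable while `1.3.0` is excluded; the exact pin admits neither.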