Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Can we consider --editable a bad practice?

May 26, 2021
Christoph Görn
Related topics:
Artificial intelligenceCI/CDPython
Related products:
Red Hat OpenShift

Share:

    Using editable dependencies is becoming more popular, especially if you want to install from a version control system. But --editable is not without dangers. This article discusses why using editable dependencies should be considered a bad practice, and why it's a particularly bad practice for data scientists using Project Thoth.

    The use case for editable dependencies

    With Python’s pip and with pipenv, you can install dependencies in an editable form. As an example, imagine you wanted to fix a bug. You could install the package from a version control system in an editable way:

    pipenv install -e git+https://github.com/requests/requests.git#egg=requests

    Now, you can create the changes to fix the bug and test them on your local machine.

    Over time, however, we have seen practices that are generally acceptable, but not good for data scientists to follow. One of these practices is to include an application's dependencies in an editable way. If your goal is to change the package itself, like a developer or open source contributor would, --editable is indeed a good practice. But let's focus on why editable dependencies are bad in the context of data science.

    Note: Red Hat's now+Next blog includes posts that discuss technologies that are under active development in upstream open source communities and at Red Hat. We believe in sharing early and often the things we're working on, but we want to note that unless otherwise stated the technologies and how-tos shared here aren't part of supported products, nor promised to be in the future.

    Editable dependencies and Project Thoth

    Project Thoth is working on a number of software stacks running in Jupyter notebooks, which themselves are run as a container in the context of Open Data Hub. The software stack being run is considered immutable: It’s coming from a container image and has been built up-front, so the container image is read-only.

    While the dependencies could have been installed as editable during the container build, the resulting container image will be immutable. Therefore, these dependencies typically should not be edited because they are the known and trusted versions. They are intended to be included as-is in the immutable container images when built by Red Hat OpenShift using Tekton pipelines.

    --editable breaks provenance checks

    Editable installs are editable versions of a specific package—they can be easily adjusted locally and there is no direct way of controlling what is present in the package source code once it's been adjusted. Also, any package dependency adjustments cannot be tracked. Putting a repeatable and traceable build pipeline in place using editable installs opens the door for untrackable changes.

    Using an editable dependency catapults us back into a bygone era, where every deployment is maintained like fine china instead of paper plates: There is no way to tell what software is being executed!

    We strongly recommend using so-called provenance checks to verify the origin of the software package going into a deployment.

    --editable breaks recommendations

    Thoth analyzes dependencies and aggregates information about them, so it has extensive knowledge about which packages are “good” or “bad” with respect to various aspects of the software. Examples include performance indications, Python security issue scores from Bandit, and CVE information.

    Packages coming from a local filesystem, or coming randomly from the internet, can introduce malicious or unpredictable behavior. Therefore, we strongly recommend looking at all packages going into a deployment and having a justification for each one.

    --editable leads to unpredictable software stacks

    As source code introduced by editable installs can have additional adjustments, we simply do not recommend using editable installs for any purpose other than local development or debugging an application.

    Conclusion: Work toward predictable software stacks

    Always use sources you have vetted and trust, and use properly packaged Python packages released on package indexes conforming to Python Enhancement Proposal (PEP) standards. Use these practices to ensure your applications do not introduce any unpredictable issues.

    The CI/CD pipelines in the Operate First initiative are a good place to find resources. With Project Thoth and our services like the Khebhut GitHub marketplace and thamos, we support this mindset and offer a rich knowledge graph as a foundation for your package selection, and ultimately for your decision for what you put into production.

    Last updated: June 14, 2023

    Related Posts

    • AI software stack inspection with Thoth and TensorFlow

    Recent Posts

    • More Essential AI tutorials for Node.js Developers

    • How to run a fraud detection AI model on RHEL CVMs

    • How we use software provenance at Red Hat

    • Alternatives to creating bootc images from scratch

    • How to update OpenStack Services on OpenShift

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue