pip-sync will happilly uninstall all packages if requirements.txt is empty

[takeda]

This perhaps might be argued to be a feature, since pip-sync supposed to uninstall anything that is not in requirements.txt but this is dangerous in scenarios when an earlier operation has failed and caused requirements.txt to be empty. I'm wondering whether this safety measure could be added, if someone needs the behavior, maybe they can specify --force?

Environment Versions

1. OS Type: N/A
2. Python version: $ python -V: N/A
3. pip version: $ pip --version: 18.0
4. pip-tools version: $ pip-compile --version: 2.0.2

Steps to replicate

1. echo -n > test.txt
2. pip-sync test.txt
3. pip list

Expected result

Operation would fail

Actual result

All packages were uninstalled

[georgek]

Seems like pip-sync is doing the right thing to me. Always check the input to your programs before you run them.

[takeda]

Heh, since I wrote this PR I ended up liking this behavior and started using pip-sync /dev/null to cleanup the environment, before installing something else.

My concern when filling this PR was using pip-sync in CMS code (salt, chef, puppet etc) for the purpose of deployment in case precious step failed and produced an empty file. Maybe an option --fail-on-empty could be used as a safety measure.

[georgek]

Why not check the previous file with another tool like wc? Unix philosophy: do one thing and do it well.

[atugushev]

I think we can ask if a user wants to continue. For example:

if file_is_empty and not click.confirm('Do you want to uninstall all packages?'):
    sys.exit(0)

[georgek]

Personally I'm against training users that commands can't do something dangerous. They'll get a shock when rm -rf / doesn't ask if they are sure.

Another concern is what if I really do want to do this? We'll need another option like --yes for running it in a non-interactive environment like CI.

[atugushev]

Another concern is what if I really do want to do this? We'll need another option like --yes for running it in a non-interactive environment like CI.

That makes sense. But I don't mind honestly, for I remember how I got myself into this trap once and deleted all packages in the env.

[AndydeCleyre]

Uninstalling all packages is exactly what I expect and desire to happen when I pip-sync against an empty file.

[georgek]

A nicer option would be to add an "opt-in" feature, ie. an --ask flag similar to how nmcli or portage (Gentoo package manager) works. Users can then use this in an alias if they wish for it to be enabled on their interactive command line but it won't affect CI or users who don't like such features.

I think --ask would simply be --dry-run, but with the option to continue with a real run.

[atugushev]

I'll close this based on the above which was implemented in #913, but please let us know if it doesn't resolve your issue. Thanks!