Potential dependency conflicts between bless and boto3 #98

Open
NeolithEra opened this issue Jul 23, 2019 · 3 comments

@NeolithEra

Hi, as shown in the following full dependency graph of bless, bless requires boto3 (the latest version), while the installed version of kmsauth (0.3.0) requires boto3>=1.2.0,<2.0.0.

According to Pip's “first found wins” installation strategy, boto3 1.9.193 is the actually installed version.

Although the first found package version boto3 1.9.193 just satisfies the later dependency constraint (boto3>=1.2.0,<2.0.0), it will lead to a build failure once developers release a newer version of bleach.

Dependency tree--------

bless-master<version range:>
| +-boto3<version range:>
| +-cryptography<version range:>
| +-ipaddress<version range:>
| +-kmsauth<version range:>
| | +-boto3<version range:>=1.2.0,<2.0.0>
| +-marshmallow<version range:>

Suggestion

  1. Fix your direct dependencies to be boto3==1.9.193 and kmsauth==0.3.0, to remove this conflict.
    I have checked that this revision will not affect your downstream projects now.

  2. Ask your upstream project kmsauth to loosen the version range of boto3 to be >=1.2.0.

Thanks for your attention.
Best,
Neolith

@NeolithEra
Author

@russell-lewis hi, please let me know which solution you prefer, 1 or 2.
Then, I would like to submit a PR to solve this problem.

@russell-lewis
Contributor

Are there plans for boto3 to jump to a 2.x release? I didn't find anything with a quick google search.

But yeah, I'd be biased to fixing the kmsauth version pinning.

The provided makefile for BLESS actually relies on the pinned versions in the requirements.txt, so by default it is actually pulling in boto3==1.9.151 and kmsauth==0.3.0.

@NeolithEra
Author

NeolithEra commented Jul 24, 2019

Ok, I see.
@russell-lewis I can submit a PR to keep the consistency between setup.py and requirements.txt, to remove this potential conflict for the users of bless.
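
The consistency check discussed in this thread, as an added example that is not part of the issue or of the bless project's code: it audits a set of pins against the ranges other packages declare, flagging both out-of-range pins and dependencies left unpinned. The boto3 and kmsauth values come from the thread; the function names, the hypothetical 2.0.0 version used in testing, and the simplified numeric-only version parsing (no PEP 440 pre-releases or wildcards) are assumptions.

```python
import operator
import re

# Constructed inputs mirroring the thread: requirements.txt pins, and the
# boto3 range that kmsauth 0.3.0 declares.
PINS = {"boto3": "1.9.151", "kmsauth": "0.3.0"}
TRANSITIVE = {"kmsauth": {"boto3": ">=1.2.0,<2.0.0"}}

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}


def parse_version(text):
    """Turn '1.9.151' into a comparable tuple; plain numeric releases only."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:  # so that 2.0 and 2.0.0 compare equal
        parts.pop()
    return tuple(parts)


def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.fullmatch(r"(==|!=|>=|<=|>|<)\s*(\S+)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def audit_pins(pins, transitive):
    """Return (parent, dep, pinned, spec) for each unpinned or out-of-range dep."""
    findings = []
    for parent, reqs in transitive.items():
        for dep, spec in reqs.items():
            pinned = pins.get(dep)  # None: the resolver is free to pick any release
            if pinned is None or not satisfies(pinned, spec):
                findings.append((parent, dep, pinned, spec))
    return findings


if __name__ == "__main__":
    for parent, dep, pinned, spec in audit_pins(PINS, TRANSITIVE):
        print(f"{parent} requires {dep}{spec}, pinned: {pinned}")
```

A finding with `pinned` set to `None` corresponds to the unpinned `boto3` requirement described in the first comment; an empty result means every pin sits inside the declared ranges.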
