From 7fe491f7a45f8723ad788ac63621b4ea44eaa25a Mon Sep 17 00:00:00 2001
From: Galen Andrew <galenandrew@google.com>
Date: Fri, 19 Aug 2022 09:37:38 -0700
Subject: [PATCH] Update the conventions used to specify the version of a
 Python dependency.

* For packages that have a stable release, we use a version that is compatible with that release (e.g. `~=x.y`).
* For packages that do not have a stable release, we use a version that matches a release that has been tested (e.g. `==x.y.z`).

Additionally, added documentation to the requirements.txt.

PiperOrigin-RevId: 468720651
---
 requirements.txt | 45 ++++++++++++++++++++++++++++++++++-----------
 setup.py         | 20 ++++++++++----------
 2 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 59aeb8f..d9f0515 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,14 +1,37 @@
-absl-py~=1.0.0
-attrs~=21.4.0
-dm-tree~=0.1.7
-dp-accounting~=0.1.2
-matplotlib~=3.3.4
-mpmath~=1.2.1
-numpy~=1.23.2
-pandas~=1.4.3
-scikit-learn~=1.0.2
-scipy~=1.7.1
-tensorflow-datasets~=4.5.2
+# Requirements for Tensorflow Privacy.
+#
+# If you add a dependency here, also add the dependency to setup.py.
+#
+# *   For packages that have a stable release, we use a version that is
+#     compatible with that release (e.g. `~=x.y`). See
+#     https://peps.python.org/pep-0440/#compatible-release for more information.
+# *   For packages that do not have a stable release, we use a version that
+#     matches a release that has been tested (e.g. `==x.y.z`). See
+#     https://peps.python.org/pep-0440/#version-matching for more information.
+#
+# This assumes that the packages follows Semantic Versioning, see
+# https://semver.org/. If a package follows a different versioning scheme or
+# requires unique handling, we use a different version specifier and comment the
+# versioning scheme or reasoning.
+#
+# Note: As of 2022-08-17 there is bug in `pip` when multiple packages use the
+# compatible release operator `~=` to specify a version and one of those
+# versions ends in `0`. See https://github.com/pypa/pip/issues/9613 for more
+# information. In this case, use the equivalent clause `>=x.0,==x.*` instead of
+# `~=x.0`.
+
+
+absl-py>=1.0,==1.*
+attrs~=21.4
+dm-tree==0.1.7
+dp-accounting==0.1.2
+matplotlib~=3.3
+mpmath~=1.2
+numpy~=1.23
+pandas~=1.4
+scikit-learn>=1.0,==1.*
+scipy~=1.7
+tensorflow-datasets~=4.5
 tensorflow-estimator~=2.4
 tensorflow-probability~=0.15
 tensorflow~=2.4
diff --git a/setup.py b/setup.py
index 464f01e..249f8c0 100644
--- a/setup.py
+++ b/setup.py
@@ -27,16 +27,16 @@ setup(
     url='https://github.com/tensorflow/privacy',
     license='Apache-2.0',
     install_requires=[
-        'absl-py~=1.0.0',
-        'attrs~=21.4.0',
-        'dm-tree~=0.1.7',
-        'dp-accounting~=0.1.2',
-        'matplotlib~=3.3.4',
-        'numpy~=1.23.2',
-        'pandas~=1.4.3',
-        'scikit-learn~=1.0.2',
-        'scipy~=1.7.1',
-        'tensorflow-datasets~=4.5.2',
+        'absl-py~=1.0',
+        'attrs~=21.4',
+        'dm-tree==0.1.7',
+        'dp-accounting==0.1.2',
+        'matplotlib~=3.3',
+        'numpy~=1.23',
+        'pandas~=1.4',
+        'scikit-learn~=1.0',
+        'scipy~=1.7',
+        'tensorflow-datasets~=4.5',
         'tensorflow-estimator~=2.4',
         'tensorflow-probability~=0.15',
         'tensorflow~=2.4',