
Warn when --generate-hashes output is uninstallable #814

Merged: auvipy merged 1 commit into jazzband:master on May 16, 2019

Conversation

jcushman (Contributor) wrote:

pip-compile --generate-hashes can generate a requirements.txt file that will be rejected by pip install, in at least two ways:

(1) When unsafe packages are left out (#806):

$ pip-compile --generate-hashes
#
# This file is autogenerated by pip-compile
# To update, run:
#
#    pip-compile --generate-hashes
#
markdown==3.1 \
    --hash=sha256:fc4a6f69a656b8d858d7503bda633f4dd63c2d70cf80abdc6eafa64c4ae8c250 \
    --hash=sha256:fe463ff51e679377e3624984c829022e2cfb3be5518726b06f608a07a3aad680
$ pip install -r requirements.txt
Collecting markdown==3.1 (from -r requirements.txt (line 7))
  Using cached https://files.pythonhosted.org/packages/f5/e4/d8c18f2555add57ff21bf25af36d827145896a07607486cc79a2aea641af/Markdown-3.1-py2.py3-none-any.whl
Collecting setuptools>=36 (from markdown==3.1->-r requirements.txt (line 7))
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools>=36 from https://files.pythonhosted.org/packages/ec/51/f45cea425fd5cb0b0380f5b0f048ebc1da5b417e48d304838c02d6288a1e/setuptools-41.0.1-py2.py3-none-any.whl#sha256=c7769ce668c7a333d84e17fe8b524b1c45e7ee9f7908ad0a73e1eda7e6a5aebf (from markdown==3.1->-r requirements.txt (line 7))

(2) When unhashable URL requirements are included:

$ pip-compile --generate-hashes
#
# This file is autogenerated by pip-compile
# To update, run:
#
#    pip-compile --generate-hashes
#
-e git+https://github.com/jazzband/pip-tools@7d86c8d3ecd1faa6be11c7ddc6b29a30ffd1dae3#egg=pip-tools
click==7.0 \
    --hash=sha256:2335065e6395b9e67ca716de5f7526736bfa6ceead690adf616d925bdc622b13 \
    --hash=sha256:5b94b49521f6456670fdb30cd82a4eca9412788a93fa6dd6df72c94d5a8ff2d7
first==2.0.2 \
    --hash=sha256:8d8e46e115ea8ac652c76123c0865e3ff18372aef6f03c22809ceefcea9dec86 \
    --hash=sha256:ff285b08c55f8c97ce4ea7012743af2495c9f1291785f163722bd36f6af6d3bf
six==1.12.0 \
    --hash=sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c \
    --hash=sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73
$ pip install -r requirements.txt
Obtaining pip-tools from git+https://github.com/jazzband/pip-tools@7d86c8d3ecd1faa6be11c7ddc6b29a30ffd1dae3#egg=pip-tools (from -r requirements.txt (line 7))
ERROR: The editable requirement pip-tools from git+https://github.com/jazzband/pip-tools@7d86c8d3ecd1faa6be11c7ddc6b29a30ffd1dae3#egg=pip-tools (from -r requirements.txt (line 7)) cannot be installed when requiring hashes, because there is no single file to hash.

This PR prints warning messages in the generated requirements.txt file for both of those situations, and also prints a warning message to stderr at the end:

$ pip-compile --generate-hashes
#
# This file is autogenerated by pip-compile
# To update, run:
#
#    pip-compile --generate-hashes
#
# WARNING: pip install will require the following package to be hashed.
# Consider using a hashable URL like https://github.com/jazzband/pip-tools/archive/SOMECOMMIT.zip
-e git+https://github.com/jazzband/pip-tools@7d86c8d3ecd1faa6be11c7ddc6b29a30ffd1dae3#egg=pip-tools
click==7.0 \
    --hash=sha256:2335065e6395b9e67ca716de5f7526736bfa6ceead690adf616d925bdc622b13 \
    --hash=sha256:5b94b49521f6456670fdb30cd82a4eca9412788a93fa6dd6df72c94d5a8ff2d7
first==2.0.2 \
    --hash=sha256:8d8e46e115ea8ac652c76123c0865e3ff18372aef6f03c22809ceefcea9dec86 \
    --hash=sha256:ff285b08c55f8c97ce4ea7012743af2495c9f1291785f163722bd36f6af6d3bf
markdown==3.1 \
    --hash=sha256:fc4a6f69a656b8d858d7503bda633f4dd63c2d70cf80abdc6eafa64c4ae8c250 \
    --hash=sha256:fe463ff51e679377e3624984c829022e2cfb3be5518726b06f608a07a3aad680
six==1.12.0 \
    --hash=sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c \
    --hash=sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73

# WARNING: The following packages were not pinned, but pip requires them to be
# pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag.
# setuptools==41.0.1        # via markdown
[to stderr:]
The generated requirements file may be rejected by pip install. See # WARNING lines for details.

Note that the warning message text is static; this doesn't attempt to suggest a fixed URL for GitHub or similar VCS URLs, though that would be possible as an enhancement.

Here's an image of the output with color:

[image: screenshot of the coloured terminal output, not captured in this copy]

Tests are included for the two warning situations.

Changelog-friendly one-liner: Warn when pip-compile --generate-hashes output is uninstallable

Contributor checklist
  • Provided the tests for the changes.
  • Requested a review from another contributor.
  • Gave a clear one-line description in the PR (that the maintainers can add to CHANGELOG.md on release).
  • Assign the PR to an existing or new milestone for the target version (following Semantic Versioning).

@jcushman jcushman requested review from auvipy and atugushev May 12, 2019 23:20
codecov bot commented May 13, 2019

Codecov Report

Merging #814 into master will increase coverage by 0.01%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master     #814      +/-   ##
==========================================
+ Coverage   98.83%   98.84%   +0.01%     
==========================================
  Files          36       36              
  Lines        2153     2172      +19     
  Branches      276      279       +3     
==========================================
+ Hits         2128     2147      +19     
  Misses         15       15              
  Partials       10       10
Impacted Files         Coverage Δ
tests/test_writer.py   100% <100%> (ø) ⬆️
piptools/writer.py     100% <100%> (ø) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 804d780...4b79946. Read the comment docs.

codecov bot commented May 13, 2019

Codecov Report

Merging #814 into master will decrease coverage by 0.03%.
The diff coverage is 97.05%.


@@            Coverage Diff            @@
##           master    #814      +/-   ##
=========================================
- Coverage   98.83%   98.8%   -0.04%     
=========================================
  Files          36      36              
  Lines        2153    2177      +24     
  Branches      276     279       +3     
=========================================
+ Hits         2128    2151      +23     
  Misses         15      15              
- Partials       10      11       +1
Impacted Files         Coverage Δ
tests/test_writer.py   100% <100%> (ø) ⬆️
piptools/writer.py     99.13% <95%> (-0.87%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a938fd3...766cef0. Read the comment docs.


@atugushev atugushev added the enhancement Improvements to functionality label May 15, 2019
piptools/writer.py: review thread (outdated, resolved)
@atugushev atugushev requested a review from blueyed May 15, 2019 17:14
atugushev (Member) left a comment:

LGTM 👍

@auvipy auvipy merged commit ee8ae07 into jazzband:master May 16, 2019
tmiller02 added a commit to tmiller02/cookiecutter-django-react-ansible that referenced this pull request Jan 16, 2020
…nd/pip-tools#814) to ensure the generated requirements.txt can be installed using pip.