[regression] resolvelib-based dependency processing of constraints with hashes fails to "see" the exact pins #9243
Actually, here's a smaller repro, with just one dependency:

```console
$ cat pyparsing-req.in
pyparsing
$ cat pyparsing-req.txt
pyparsing==2.4.7 \
--hash=sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1 \
--hash=sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b
$ python -m pip --use-feature=2020-resolver install -r pyparsing-req.in -c pyparsing-req.txt
Requirement already satisfied: pyparsing in ~/.pyenv/versions/3.9.0/lib/python3.9/site-packages (from -r pyparsing-req.in (line 1)) (2.4.7)
WARNING: You are using pip version 20.2.3; however, version 20.3.1 is available.
You should consider upgrading via the '~/.pyenv/versions/3.9.0/bin/python -m pip install --upgrade pip' command.
$ python -m pip uninstall pyparsing
Found existing installation: pyparsing 2.4.7
Uninstalling pyparsing-2.4.7:
Would remove:
~/.pyenv/versions/3.9.0/lib/python3.9/site-packages/pyparsing-2.4.7.dist-info/*
~/.pyenv/versions/3.9.0/lib/python3.9/site-packages/pyparsing.py
Proceed (y/n)? y
Successfully uninstalled pyparsing-2.4.7
$ python -m pip --use-feature=2020-resolver install -r pyparsing-req.in -c pyparsing-req.txt
Collecting pyparsing
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
pyparsing from https://files.pythonhosted.org/packages/8a/bb/488841f56197b13700afd5658fc279a2025a39e22449b7cf29864669b15d/pyparsing-2.4.7-py2.py3-none-any.whl#sha256=ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b (from -r pyparsing-req.in (line 1))
WARNING: You are using pip version 20.2.3; however, version 20.3.1 is available.
You should consider upgrading via the '~/.pyenv/versions/3.9.0/bin/python -m pip install --upgrade pip' command.
```

Basically, pip "sees" the
Previous discussion: #9020
@uranusjr I saw that but I'm not sure it discusses exactly this case. Also, it doesn't look like there's an agreement among the pip maintainers on how this should actually work but nevertheless, I wanted to ensure this case is documented because it's important to me personally. It's a quite common paradigm among the pip-tools users that, among other things, showcases embedding
We're running into this at work, we have formerly working constraints files paired with requirements that explicitly pin exactly the versions/hashes that pip output says are missing.
@pradyunsg is there a decision that needs to be made to get this going? It's not clear if it is accepted as a regression and a PR is welcome or not.
From a previous comment:
That ticket was closed with a documentation update, so I guess that applies here as well.
I took a quick look at the code. The fix should not be too difficult, but requires some refactoring to not get messy. I don't personally want to invest time doing that before the legacy resolver is removed.
I'm on board for fixing the logic in the hash checking, to check that exactly 1 candidate is available, instead of checking that the requirement it got is a pin. Beyond that, I don't have any thoughts.
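To make the two checks concrete, here is an added example (not pip's own code, and not from anyone in this thread) that parses the requirements/constraints format from the pyparsing repro above and contrasts the behaviour the reporter hit (each requirement must itself be `==`-pinned) with the check proposed in the comment above (merge the constraint in and require exactly one hashed candidate). The constructed inputs reuse the pyparsing pin and hashes from the repro; a range specifier on the requirement is assumed to admit the constraint's pin, since only `==` pins are evaluated.

```python
import re
from dataclasses import dataclass, field

# Constructed inputs mirroring the pyparsing repro from this thread (added example, not pip's code).
PYPARSING_REQ_IN = "pyparsing\n"
PYPARSING_REQ_TXT = (
    "pyparsing==2.4.7 \\\n"
    "    --hash=sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1 \\\n"
    "    --hash=sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b\n"
)

@dataclass
class Req:
    name: str
    specifier: str                  # "==2.4.7", ">=0.10.0", or "" when unbounded
    hashes: set = field(default_factory=set)

    @property
    def pin(self):
        """The single version an '==' pin names, else None (wildcards excluded)."""
        if self.specifier.startswith("==") and not self.specifier.endswith("*"):
            return self.specifier.lstrip("=").strip()
        return None

def parse_requirements(text):
    """Parse the requirements/constraints format used above: one requirement per
    logical line, '\\' continuations, and --hash=ALGO:HEX options."""
    reqs = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        hashes = {t[len("--hash="):] for t in tokens if t.startswith("--hash=")}
        spec = "".join(t for t in tokens if not t.startswith("--"))
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(.*)", spec)
        if not m:          # skip -r/-c/-e include lines; only plain requirements matter here
            continue
        name = m.group(1).lower().replace("_", "-")
        reqs[name] = Req(name, m.group(2), hashes)
    return reqs

def legacy_unpinned(requirements, constraints):
    """What the reporter hit: in --require-hashes mode each *requirement* must
    itself carry the == pin; the constraints are never consulted for the check."""
    return sorted(r.name for r in requirements.values() if r.pin is None)

def hash_mode_errors(requirements, constraints):
    """The fix discussed in the thread: merge each constraint into its requirement
    and demand exactly one candidate version, which must carry hashes."""
    errors = {}
    for r in requirements.values():
        c = constraints.get(r.name)
        pins = {p for p in (r.pin, c.pin if c else None) if p}
        hashes = r.hashes | (c.hashes if c else set())
        if not pins:
            errors[r.name] = "not pinned to a single version"
        elif len(pins) > 1:
            errors[r.name] = "requirement and constraint pin different versions"
        elif not hashes:
            errors[r.name] = "pinned but no --hash given"
    return errors

if __name__ == "__main__":
    reqs = parse_requirements(PYPARSING_REQ_IN)
    cons = parse_requirements(PYPARSING_REQ_TXT)
    print("legacy check rejects:", legacy_unpinned(reqs, cons))    # ['pyparsing']
    print("candidate check errors:", hash_mode_errors(reqs, cons))  # {}
```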
This is necessary because the most recent versions of pip have a bug with using `-c` having `--require-hashes` or entries with extras. Ref: pypa/pip#9243
I've quickly looked into this, and found that

Code ref: pip/src/pip/_internal/resolution/resolvelib/factory.py Lines 324 to 345 in 9d25d2a
Additional info / clarifying my use case

My use case is having a
Thanks for the clarification, I must have confused this.
The
Yes I think fixing

I'd be happy to help if someone wants to work on a pull request for this.
Maybe because of this: #10625 (comment) ? Also template in

```
+++template.req.specifier = specifier
+++template.hash_options = hashes._allowed
func = functools.partial(
self._make_candidate_from_link,
link=ican.link,
extras=extras,
template=template,
name=name,
version=ican.version,
)
```

It works after these changes.
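Review bot: the two added lines mutate `template` in place (`template.req.specifier = specifier`, `template.hash_options = hashes._allowed`) before the same object is handed to `functools.partial(...)` as `template=template`, so the merged specifier and hashes persist on that requirement object beyond this candidate construction; copying the template first, or passing the merged specifier and hashes as their own keyword arguments, would keep the change local. Reading `hashes._allowed` also ties the snippet to a private attribute of the hashes object rather than a public accessor.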
Reopening since #10962 was reverted. See 0c28452#r70774971 and the subsequent issue for the details.
Bumps [pip](https://github.com/pypa/pip) from 22.0.4 to 22.1.

Changelog (sourced from [pip's changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)):

22.1 (2022-05-11)

Process
- Enable the `importlib.metadata` metadata implementation by default on Python 3.11 (or later). The environment variable `_PIP_USE_IMPORTLIB_METADATA` can still be used to enable the implementation on 3.10 and earlier, or disable it on 3.11 (by setting it to `0` or `false`).

Bug Fixes
- Revert #9243 since it introduced a regression in certain edge cases. (#10962)
- Fix missing `REQUESTED` metadata when using URL constraints. (#11079)
- `pip config` now normalizes names by converting underscores into dashes. (#9330)

22.1b1 (2022-04-30)

Process
- Start migration of distribution metadata implementation from `pkg_resources` to `importlib.metadata`. The new implementation is currently not exposed in any user-facing way, but included in the code base for easier development.

Deprecations and Removals
- Drop `--use-deprecated=out-of-tree-build`, according to deprecation message. (#11001)

Features
- Add option to install and uninstall commands to opt-out from running-as-root warning. (#10556)
- Include Project-URLs in `pip show` output. (#10799)
- Improve error message when `pip config edit` is provided an editor that doesn't exist. (#10812)
- Add a user interface for supplying config settings to build backends. (#11059)
- Add support for Powershell autocompletion. (#9024)
- Explains why specified version cannot be retrieved when *Requires-Python* is not satisfied. (#9615)
- Validate build dependencies when using `--no-build-isolation`. (#9794)

Bug Fixes
- Fix conditional checks to prevent `pip.exe` from trying to modify itself, on Windows. (#10560)

... (truncated)

Commits
- [3c95332](https://github.com/pypa/pip/commit/3c953322c6683b3f0f4d465d9fa361de55358462) Bump for release
- [bd54382](https://github.com/pypa/pip/commit/bd54382b59b45975fd4ea00533fb92bd85e3b98d) Update AUTHORS.txt
- [c86f9f1](https://github.com/pypa/pip/commit/c86f9f12594c0e05ed2de31a652bc1eaadb970d1) Merge pull request #11044 from uranusjr/importlib-metadata-backend-in-3.11
- [bd9bcef](https://github.com/pypa/pip/commit/bd9bcef8b3262c513a0dd614731cfe8db8d64125) Enable importlib.metadata backend on Python 3.11
- [cb24fb4](https://github.com/pypa/pip/commit/cb24fb4052ca8ab8009866b0de61980c81a7e13c) Merge pull request #11085 from pypa/revert-10962-fix-hashes
- [6ad9a21](https://github.com/pypa/pip/commit/6ad9a21a43b7fe5d436472de2492069c4541bf06) 📰
- [cf3696a](https://github.com/pypa/pip/commit/cf3696a81b341925f82f20cb527e656176987565) Merge pull request #11080 from sbidoul/requested-with-constraints
- [bab5bfc](https://github.com/pypa/pip/commit/bab5bfce502be78318ab2a3b364b4923d657c854) Merge pull request #11073 from wimglenn/issue-9330
- [ae1c2e3](https://github.com/pypa/pip/commit/ae1c2e35e493d7a07cb0d300451625629ae07ce9) Grammar fix in changelog
- [8d51b83](https://github.com/pypa/pip/commit/8d51b8365501132c4f9fe929aa40bd66c9eaa60e) Merge pull request #11087 from mkniewallner/fix-version-changelog
- Additional commits viewable in [compare view](https://github.com/pypa/pip/compare/22.0.4...22.1)
22.1.2 (2022-05-31)
===================

Bug Fixes
---------

- Revert <pypa/pip#10979> since it introduced a regression in certain edge cases.
- Fix an incorrect assertion in the logging logic, that prevented the upgrade prompt from being presented.

22.1.1 (2022-05-20)
===================

Bug Fixes
---------

- Properly filter out optional dependencies (i.e. extras) when checking build environment distributions.
- Change the build environment dependency checking to be opt-in.
- Allow using a pre-release version to satisfy a build requirement. This helps manually populated build environments to more accurately detect build-time requirement conflicts.

22.1 (2022-05-11)
=================

Process
-------

- Enable the ``importlib.metadata`` metadata implementation by default on Python 3.11 (or later). The environment variable ``_PIP_USE_IMPORTLIB_METADATA`` can still be used to enable the implementation on 3.10 and earlier, or disable it on 3.11 (by setting it to ``0`` or ``false``).

Bug Fixes
---------

- Revert <pypa/pip#9243> since it introduced a regression in certain edge cases.
- Fix missing ``REQUESTED`` metadata when using URL constraints.
- ``pip config`` now normalizes names by converting underscores into dashes.
At least, until pypa/pip#9243 is fixed.
…o devel

This patch attempts to integrate a forgotten constraints file into the tox setup. The idea is to make PEP 517 builds reproducible. The python-build tool (PEP 517 front-end) parses the build requirements from `pyproject.toml` and `pip install`s them into an ephemeral temporary virtualenv. Unfortunately, this tool does not expose any interface to pin those requirements. But the underlying tool, pip, supports setting CLI options through env vars. So the `--constraint` option corresponds to `PIP_CONSTRAINT` env var which this change relies on.

The constraints file can be regenerated as follows:

```console
$ python -c 'from pathlib import Path; from sys import argv; from tomli import loads; print("\n".join(loads(Path(argv[1]).read_text())["build-system"].get("requires", [])))' pyproject.toml | python3 -m piptools compile --allow-unsafe --generate-hashes --strip-extras --output-file requirements-build.txt -
```

This change temporarily disables including hashes into the constraints file per pypa/pip#9243. It also sticks to generating the pins under the lowest-supported Python version which is Python 3.6 to address pypa/pip#11321.
Can't install with hashes with pipx 1.5.0, the workaround does not work anymore. upstream issue: pypa/pip#9243
What did you want to do?
Use pip-tools generated requirements.txt + constraints.txt pair with hashes via `pip install -r requirements.txt -c constraints.txt`. It seems to be unintentionally broken with the new resolvelib-based dependency resolver and works with the old one. This seems to be related to #8792 but PR #8839 that claims to fix it doesn't add the specific case I'm presenting here to tests and so it is probably overlooked.
Please find the repro below. Note that I'm adding an unconstrained direct env dep to `myst.in` and generate the concrete pins with hashes in `myst.txt` for simplicity but the case I've actually hit in the wild was with `>= 0.10.0` (that shouldn't matter here).

STR + Output
Additional information
Example crash: https://github.com/ansible/pylibssh/pull/157/checks?check_run_id=1511500384#step:9:15.