pip-compile doesn't provide hashes for wheels hosted by simple index servers #1536
Comments
Get json from all index servers instead of just the first, then compute hashes on all remaining index links not already returned from servers.
I've got a PR underway. I'm just trying to make sure I add enough test coverage first.
@stefansjs I'm running into this limitation as well. Any updates on progress? Could I offer assistance?
@snmishra I just got back to this PR. It sat on my back burner for a little longer than I'd like to admit. So far my feature is implemented on https://github.com/stefansjs/pip-tools/tree/all_hashes but I don't think it has enough test coverage to ensure that my implementation is right in all cases. If it's easier, maybe I should start the PR and we can discuss changes in that CR discussion. Do you think that's the best way to discuss?
@stefansjs Sounds good
Any news here?!?
I ran into piwheels/packages#473 (Missing hashes from piwheel), and there is jazzband/pip-tools#1536 for the real problem. But just adding piwheel as an extra index fixes the problem, and the hashes from their packages are just added. Fine.
Hm. Strange, I have just added piwheels as extra URLs in the pip-compile call to add the package hashes from there, too?!?
pip-compile doesn't compute hashes for all index servers, which leads to pip install failure. Specifically, any index server that provides hashes from its json API will prevent pip-compile from checking if other installation candidates are available from other index servers.
Environment Versions
$ python -V
$ pip --version
$ pip-compile --version
Steps to replicate
pip-compile --generate-hashes -i 'http://<my local index server>.com/' --extra-index-url https://pypi.org/simple
Expected result
The hashes should include the wheel in the local index server.
Actual result
Only hashes from pypi.org are listed in requirements.txt.
Looking at the implementation, it looks like piptools first tries to get hashes from the first index server that implements the json API. The first server that responds with a json blob is taken as the only hash candidates. Files are not manually hashed for any missing files.
In this case, because some files are on pypi, which implements the json API, other index servers are able to provide valid installation candidates to pip, but piptools does not bother to hash them, thus causing a pip installation failure due to the missing hashes.
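A simplified model of the behaviour reported above and of the fix proposed in the comments, added here as an example; it is not pip-tools code. The index contents, the `local-index.invalid` URL, the file names and the function names are all constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

# Constructed sample data: two indexes offering files for the same pinned release.
# "api_hashes" stands for digests an index reports through its json API
# (None when the index only serves plain links); "files" maps a file name
# to the bytes a client would download.
SDIST = b"constructed sdist bytes"
LOCAL_WHEEL = b"constructed wheel bytes built in-house"
INDEXES = [
    {"url": "http://local-index.invalid/",          # hypothetical local index
     "files": {"example-1.0-py3-none-any.whl": LOCAL_WHEEL},
     "api_hashes": None},
    {"url": "https://pypi.org/simple",
     "files": {"example-1.0.tar.gz": SDIST},
     "api_hashes": {"example-1.0.tar.gz": sha256(SDIST)}},
]

def first_json_index_only(indexes):
    """Reported behaviour: the first index with API hashes is the only source."""
    for index in indexes:
        if index["api_hashes"] is not None:
            return set(index["api_hashes"].values())
    return set()  # no json-capable index: outside what the issue describes

def all_indexes(indexes):
    """Proposed behaviour: API hashes from every index, then hash what is left."""
    hashes = set()
    for index in indexes:
        reported = index["api_hashes"] or {}
        for name, data in index["files"].items():
            hashes.add(reported.get(name) or sha256(data))
    return hashes

def uncovered_files(indexes, pinned):
    """Files an installer could select whose digest is absent from the pins."""
    return sorted(name for index in indexes
                  for name, data in index["files"].items()
                  if sha256(data) not in pinned)

if __name__ == "__main__":
    print("reported:", uncovered_files(INDEXES, first_json_index_only(INDEXES)))
    print("proposed:", uncovered_files(INDEXES, all_indexes(INDEXES)))
```

A non-empty result from `uncovered_files` marks the files that would be rejected in hash-checking mode because their digest is missing from `requirements.txt`.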