Separate Dependencies and Code
Problem: Right now we're storing all of the app's dependencies directly in this repo, which has made it balloon in size, which is only going to get worse with time.
This issue will track the task to find a solution to this problem.
The solution:
- Should not depend on downloading resources through the Internet, unless those resources have been cryptographically signed with a pinned, trustworthy key such that the authenticity of the release can be verified, even if the infrastructure from which we're downloading or the connection to that infrastructure is compromised.
- Should not cause builds to fail in the future in case our dependency is no longer available for download (404).
For more info on why PyPI fails at securing the supply chain (unlike apt, for example), see:
- https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises
- https://security.stackexchange.com/a/234098
- https://security.stackexchange.com/questions/234052/where-can-i-find-a-list-of-all-government-agencies-with-cas-in-pki-root-stores
Originally my plan was to just 3TOFU the dependencies once and only store a SHA256SUMS file in the repo. That way it's lightweight and I don't risk compromising the app's builds with Supply Chain vulnerabilities.
However, ^ this solution ended up breaking my build pipelines when an asset 404'd (only the newer, unsigned asset was available).
- https://github.com/BusKill/buskill-app/commit/3053de5e83bbcfc1ced7af321e0c7237c7179903
To make builds future-proof, I decided to just include the dependencies directly in the repo.
Another theoretical solution to this problem of "how to securely authenticate an asset after download that's not signed" is an append-only, distributed log of hashes of the asset. A few things come to mind, but they've mostly all been abandoned, are unfinished, or don't directly apply here:
- https://wiki.mozilla.org/Security/Binary_Transparency
- https://github.com/transparencylog/tl
- https://en.wikipedia.org/wiki/Certificate_Transparency
But this doesn't provide future-proof protection from a dependency becoming 404'd.
So one solution is to store our dependencies as artifacts in a container registry. Then we can also sign them using a tool like cosign. Our build script could safely download/authenticate the artifacts with the sget command.
- https://github.com/sigstore/cosign#blobs
- https://blog.sigstore.dev/a-safer-curl-bash-7698c8125063
This could work, but it seems like a sprawling, bleeding-edge solution that may or may not get deprecated within the next 5 years.
Today I was working on upgrading python 3.7 to 3.12 and updating many other dependencies. Rather than further balloon this repo, I went ahead and created a new repo buskill-app-deps.
I'm not so trusting of GitHub CI checking out another repo, so I've decided to create a SHA256SUMS in that new repo's deps/ dir, and I'll sign it with our release key. Once I update all the build scripts, I'll delete all the depends from this repo with the exception of the .asc files with upstream devs' PGP keys (including our own release signing key).
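One way to implement the check described above, as an added example (not the BusKill project's own build code): authenticate SHA256SUMS against a pinned keyring first, then compare the deps directory with it, flagging files the manifest does not list as well as bad or missing ones. The signature file name `SHA256SUMS.asc`, the keyring argument and all function names are assumptions, and the sample files are constructed.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

IGNORED = {"SHA256SUMS", "SHA256SUMS.asc"}  # assumed manifest/signature names


def signature_ok(manifest: Path, sig: Path, keyring: Path) -> bool:
    """True only if gpgv accepts `sig` over `manifest` with keys from `keyring`.

    gpgv trusts exactly the keys in the given binary keyring (for example one
    produced with `gpg --dearmor` from a pinned .asc file) and no others.
    """
    cmd = ["gpgv", "--keyring", str(keyring.resolve()), str(sig), str(manifest)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def parse_sha256sums(text: str) -> dict:
    """Map file name -> hex digest from `sha256sum` output lines."""
    expected = {}
    for line in filter(None, text.splitlines()):
        match = re.fullmatch(r"([0-9a-f]{64}) [ *](.+)", line)
        if not match or Path(match[2]).name != match[2]:
            raise ValueError(f"malformed or path-bearing manifest line: {line!r}")
        expected[match[2]] = match[1]
    return expected


def audit_deps(deps_dir: Path, manifest_text: str) -> dict:
    """Compare a --find-links directory against the manifest."""
    expected = parse_sha256sums(manifest_text)
    present = {p.name for p in deps_dir.iterdir() if p.is_file()}
    report = {"mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        if name not in present:
            report["missing"].append(name)
        elif hashlib.sha256((deps_dir / name).read_bytes()).hexdigest() != digest:
            report["mismatch"].append(name)
    # pip resolves against every file in the directory, so extras matter too.
    report["unlisted"] = sorted(present - set(expected) - IGNORED)
    return report


def verify_deps(deps_dir: Path, keyring: Path) -> None:
    """Signature first, hashes second; abort the build on any discrepancy."""
    manifest = deps_dir / "SHA256SUMS"
    if not signature_ok(manifest, deps_dir / "SHA256SUMS.asc", keyring):
        raise SystemExit("SHA256SUMS is not signed by a pinned key")
    report = audit_deps(deps_dir, manifest.read_text())
    if any(report.values()):
        raise SystemExit(f"deps directory does not match manifest: {report}")


def demo() -> dict:
    """Constructed sample: one good, one tampered, one missing, one unlisted."""
    with tempfile.TemporaryDirectory() as tmp:
        deps = Path(tmp)
        good = b"constructed wheel bytes"
        (deps / "wheel-0.42.0-py3-none-any.whl").write_bytes(good)
        (deps / "idna-2.10-py2.py3-none-any.whl").write_bytes(b"tampered")
        (deps / "requests-2.31.0-py3-none-any.whl").write_bytes(good)
        digest = hashlib.sha256(good).hexdigest()
        listed = ("wheel-0.42.0-py3-none-any.whl",
                  "idna-2.10-py2.py3-none-any.whl",
                  "certifi-2024.2.2-py3-none-any.whl")
        manifest = "\n".join(f"{digest}  {name}" for name in listed)
        return audit_deps(deps, manifest)
```
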
I've since finished and closed the most-recent fix-the-builds issue, which included moving all the dependencies for all 3x platform build scripts outside this repo:
- https://github.com/BusKill/buskill-app/issues/78
I think we're about ready to close this ticket, but I realized that I never actually deleted the depends from this repo. I'll do that now.
Note that I won't delete small files like upstream dev's gpg public keys. I'm only going to delete large payload files.
All 3x builds were successful after moving the dependencies outside this repo.
- https://github.com/BusKill/buskill-app/actions/runs/10084283950
This ticket is complete.
I'm re-opening this, as it appears that (after deleting the depends above) our macos build did, in fact, break.
The most-recent build prior to me deleting the depends from this repo (and its build logs) are here:
- https://github.com/BusKill/buskill-app/actions/runs/10084066193/job/27882068107
- https://github.com/BusKill/buskill-app/releases/tag/10084066193_mac
And the next build -- after I deleted the depends from this repo (and its build logs) are here:
- https://github.com/BusKill/buskill-app/releases/tag/10084283950_mac
- https://github.com/BusKill/buskill-app/actions/runs/10084283950/job/27882750255
While the former opened fine, the latter produces the following error on launch:
% /Users/maltfield/Desktop/buskill-1721856354.app/Contents/MacOS/buskill ; exit;
Traceback (most recent call last):
File "main.py", line 36, in <module>
import packages.buskill
File "PyInstaller/loader/pyimod02_importers.py", line 419, in exec_module
File "buskill/__init__.py", line 22, in <module>
ModuleNotFoundError: No module named 'certifi'
[25813] Failed to execute script 'main' due to unhandled exception: No module named 'certifi'
[25813] Traceback:
Traceback (most recent call last):
File "main.py", line 36, in <module>
import packages.buskill
File "PyInstaller/loader/pyimod02_importers.py", line 419, in exec_module
File "buskill/__init__.py", line 22, in <module>
import urllib.request, re, json, certifi, sys, os, math, shutil, tempfile, random, gnupg, configparser
ModuleNotFoundError: No module named 'certifi'
[Process completed]
ok, it looks like our build script simply references old versions of the depends; hopefully we can just bump them up
2024-07-24T21:29:37.4167510Z Successfully installed pip-24.0
2024-07-24T21:29:37.4710780Z ++ pwd
2024-07-24T21:29:37.4714220Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/setuptools-49.1.0-py3-none-any.whl
2024-07-24T21:29:37.9264050Z WARNING: Requirement 'build/deps/setuptools-49.1.0-py3-none-any.whl' looks like a filename, but the file does not exist
2024-07-24T21:29:37.9363660Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-24T21:29:37.9481790Z Processing ./build/deps/setuptools-49.1.0-py3-none-any.whl
2024-07-24T21:29:37.9518740Z ERROR: Could not install packages due to an OSError: [Errno 2] No such file or directory: '/Users/runner/work/buskill-app/buskill-app/build/deps/setuptools-49.1.0-py3-none-any.whl'
user@buskill:~/sandbox/buskill-app-deps/build/deps$ ls | grep -i setup
setuptools-69.1.1-py3-none-any.whl
user@buskill:~/sandbox/buskill-app-deps/build/deps$ ls | grep -i wheel
wheel-0.42.0-py3-none-any.whl
user@buskill:~/sandbox/buskill-app-deps/build/deps$
I updated the build script to use the versions of setuptools and wheel that are actually present in the new deps repo, but I'm still getting an error about certifi on the latest build:
- https://github.com/BusKill/buskill-app/releases/tag/10102587452_mac
- https://github.com/BusKill/buskill-app/actions/runs/10102587452/job/27938446435
I'm not sure if it's related, but I see in the build logs that the attempt to install the Kivy depend also failed:
2024-07-25T22:45:45.1971880Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/wheel-0.42.0-py3-none-any.whl
2024-07-25T22:45:45.6892510Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-25T22:45:45.7004800Z Processing ./build/deps/wheel-0.42.0-py3-none-any.whl
2024-07-25T22:45:45.7693070Z Installing collected packages: wheel
2024-07-25T22:45:45.8290930Z Successfully installed wheel-0.42.0
2024-07-25T22:45:45.8944480Z + [[ 13 -eq 10 ]]
2024-07-25T22:45:45.8951090Z ++ pwd
2024-07-25T22:45:45.8956000Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T22:45:46.4065520Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-25T22:45:46.4180050Z Processing ./build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T22:45:46.5336950Z Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T22:45:46.5415590Z Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T22:45:46.5523190Z Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T22:45:46.5664150Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T22:45:46.5788570Z INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
2024-07-25T22:45:46.6322010Z ERROR: Could not find a version that satisfies the requirement charset-normalizer<4,>=2 (from requests) (from versions: none)
2024-07-25T22:45:46.6324030Z ERROR: No matching distribution found for charset-normalizer<4,>=2
ok, I think it is related. Here's the output from the build log of the most recent version that worked
- https://github.com/BusKill/buskill-app/actions/runs/10084066193/job/27882068107
2024-07-24T21:11:51.6387960Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-24T21:11:52.1015040Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-24T21:11:52.1126710Z Processing ./build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-24T21:11:52.2229490Z Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==2.3.0)
2024-07-24T21:11:52.2300150Z Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==2.3.0)
2024-07-24T21:11:52.2396680Z Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==2.3.0)
2024-07-24T21:11:52.2525030Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:11:52.2643210Z INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
2024-07-24T21:11:52.2697070Z Processing ./build/deps/requests-2.24.0-py2.py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:11:52.2855700Z Processing ./build/deps/chardet-3.0.4-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:11:52.2935830Z Processing ./build/deps/idna-2.10-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:11:52.3016850Z Processing ./build/deps/urllib3-1.25.9-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:11:52.3109980Z Processing ./build/deps/certifi-2024.2.2-py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:11:52.4364420Z Installing collected packages: chardet, urllib3, pygments, idna, docutils, certifi, requests, Kivy-Garden, Kivy
2024-07-24T21:11:54.9349370Z Successfully installed Kivy-2.3.0 Kivy-Garden-0.1.5 certifi-2024.2.2 chardet-3.0.4 docutils-0.20.1 idna-2.10 pygments-2.17.2 requests-2.24.0 urllib3-1.25.9
And here's the output after I deleted the prereqs (and the build broke):
- https://github.com/BusKill/buskill-app/actions/runs/10084283950/job/27882750255
2024-07-24T21:29:38.5405730Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-24T21:29:39.0079530Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-24T21:29:39.0190050Z Processing ./build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-24T21:29:39.1264580Z Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==2.3.0)
2024-07-24T21:29:39.1337330Z Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==2.3.0)
2024-07-24T21:29:39.1436060Z Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==2.3.0)
2024-07-24T21:29:39.1564450Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:29:39.1680090Z INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
2024-07-24T21:29:39.2203210Z ERROR: Could not find a version that satisfies the requirement charset-normalizer<4,>=2 (from requests) (from versions: none)
2024-07-24T21:29:39.2205310Z ERROR: No matching distribution found for charset-normalizer<4,>=2
...so it appears that charset-normalizer is failing, which is blocking installing of other kivy depends, including certifi.
oh, it looks like it actually gave up before and reverted from requests-2.31.0 to requests-2.24.0.
2024-07-24T21:11:52.2525030Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:11:52.2643210Z INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
2024-07-24T21:11:52.2697070Z Processing ./build/deps/requests-2.24.0-py2.py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
I'm going to try to restore requests-2.24.0 and see if it fixes this issue
Ugh, that didn't work. Here's the build after I made requests-2.24.0 available
- https://github.com/BusKill/buskill-app/actions/runs/10102858506/job/27939214374
2024-07-25T23:15:19.1942030Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T23:15:19.8133120Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-25T23:15:19.8279880Z Processing ./build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T23:15:19.9771070Z Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:15:19.9870190Z Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:15:20.0005280Z Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:15:20.0196720Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:15:20.0381060Z INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
2024-07-25T23:15:20.0465760Z Processing ./build/deps/requests-2.24.0-py2.py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:15:20.1342180Z ERROR: Cannot install Kivy-Garden because these package versions have conflicting dependencies.
2024-07-25T23:15:20.1344980Z
2024-07-25T23:15:20.1345670Z The conflict is caused by:
2024-07-25T23:15:20.1346900Z requests 2.31.0 depends on charset-normalizer<4 and >=2
2024-07-25T23:15:20.1348080Z requests 2.24.0 depends on chardet<4 and >=3.0.2
2024-07-25T23:15:20.1348900Z
2024-07-25T23:15:20.1349160Z To fix this you could try to:
2024-07-25T23:15:20.1350210Z 1. loosen the range of package versions you've specified
2024-07-25T23:15:20.1351390Z 2. remove package versions to allow pip attempt to solve the dependency conflict
2024-07-25T23:15:20.1352240Z
2024-07-25T23:15:20.1353590Z ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts
So, I didn't delete any package named charset-normalizer. In fact, this package is already available in the deps repo
user@buskill:~/sandbox/buskill-app-deps/build/deps$ ls | grep -i char
charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
user@buskill:~/sandbox/buskill-app-deps/build/deps$
...but the command does say that it installed these depends along with kivy
Successfully installed Kivy-2.3.0 Kivy-Garden-0.1.5 certifi-2024.2.2 chardet-3.0.4 docutils-0.20.1 idna-2.10 pygments-2.17.2 requests-2.24.0 urllib3-1.25.9
The most curious item being chardet, which is one of the packages that I removed from this repo. Let's restore it and see if that fixes this.
Well now it's not happy about idna.
- https://github.com/BusKill/buskill-app/actions/runs/10102958900/job/27939479221
2024-07-25T23:25:37.8556430Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T23:25:38.3232860Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-25T23:25:38.3343510Z Processing ./build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T23:25:38.4412460Z Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:25:38.4483160Z Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:25:38.4579130Z Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:25:38.4710310Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:25:38.4826240Z INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
2024-07-25T23:25:38.4879500Z Processing ./build/deps/requests-2.24.0-py2.py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:25:38.5039540Z Processing ./build/deps/chardet-3.0.4-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:25:38.5582300Z ERROR: Cannot install Kivy-Garden because these package versions have conflicting dependencies.
2024-07-25T23:25:38.5584190Z
2024-07-25T23:25:38.5584540Z The conflict is caused by:
2024-07-25T23:25:38.5585300Z requests 2.31.0 depends on charset-normalizer<4 and >=2
2024-07-25T23:25:38.5586080Z requests 2.24.0 depends on idna<3 and >=2.5
2024-07-25T23:25:38.5586510Z
2024-07-25T23:25:38.5586660Z To fix this you could try to:
2024-07-25T23:25:38.5587310Z 1. loosen the range of package versions you've specified
2024-07-25T23:25:38.5588260Z 2. remove package versions to allow pip attempt to solve the dependency conflict
2024-07-25T23:25:38.5588970Z
2024-07-25T23:25:38.5590050Z ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts
We actually already have idna-3.6 in the deps repo, but it says that it wants <v3. I could do 3TOFU to fight with a newer version of all of these, but let's just use what we know already works.
And now it's urllib3
- https://github.com/BusKill/buskill-app/actions/runs/10103054950/job/27939740443
2024-07-25T23:35:49.1099700Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T23:35:49.5941940Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-25T23:35:49.6063690Z Processing ./build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T23:35:49.7175370Z Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:35:49.7248690Z Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:35:49.7354570Z Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:35:49.7495620Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:35:49.7624340Z INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
2024-07-25T23:35:49.7679570Z Processing ./build/deps/requests-2.24.0-py2.py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:35:49.7853540Z Processing ./build/deps/chardet-3.0.4-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:35:49.7938220Z Processing ./build/deps/idna-2.10-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:35:49.8491350Z ERROR: Cannot install Kivy-Garden because these package versions have conflicting dependencies.
2024-07-25T23:35:49.8493640Z
2024-07-25T23:35:49.8493830Z The conflict is caused by:
2024-07-25T23:35:49.8494780Z requests 2.31.0 depends on charset-normalizer<4 and >=2
2024-07-25T23:35:49.8495720Z requests 2.24.0 depends on urllib3!=1.25.0, !=1.25.1, <1.26 and >=1.21.1
2024-07-25T23:35:49.8496340Z
2024-07-25T23:35:49.8496500Z To fix this you could try to:
2024-07-25T23:35:49.8497160Z 1. loosen the range of package versions you've specified
2024-07-25T23:35:49.8498130Z 2. remove package versions to allow pip attempt to solve the dependency conflict
2024-07-25T23:35:49.8498850Z
2024-07-25T23:35:49.8499950Z ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts
Alright, now the kivy -> certifi install looks good in the build logs
- https://github.com/BusKill/buskill-app/actions/runs/10103115733/job/27939906379
2024-07-25T23:43:22.6020760Z + /tmp/venv/bin/python3 -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T23:43:23.1337170Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-07-25T23:43:23.1460200Z Processing ./build/deps/Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl
2024-07-25T23:43:23.2645910Z Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:43:23.2725750Z Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:43:23.2835120Z Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==2.3.0)
2024-07-25T23:43:23.2981830Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:43:23.3111660Z INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
2024-07-25T23:43:23.3173790Z Processing ./build/deps/requests-2.24.0-py2.py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:43:23.3353050Z Processing ./build/deps/chardet-3.0.4-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:43:23.3446000Z Processing ./build/deps/idna-2.10-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:43:23.3539290Z Processing ./build/deps/urllib3-1.25.9-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:43:23.3642280Z Processing ./build/deps/certifi-2024.2.2-py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-25T23:43:23.5252380Z Installing collected packages: chardet, urllib3, pygments, idna, docutils, certifi, requests, Kivy-Garden, Kivy
2024-07-25T23:43:26.4301920Z Successfully installed Kivy-2.3.0 Kivy-Garden-0.1.5 certifi-2024.2.2 chardet-3.0.4 docutils-0.20.1 idna-2.10 pygments-2.17.2 requests-2.24.0 urllib3-1.25.9
...and I confirmed that, in fact, the latest build does open successfully on our mac mini
- https://github.com/BusKill/buskill-app/releases/tag/10103115733_mac
Deps have been deleted again, closing this issue as completed
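A pre-flight check for the failure mode in the logs above, as an added example (not part of the project's build scripts): with `--no-index --find-links`, pip only considers wheels whose filename tags match the running interpreter and platform, so a wheel can sit in the directory and still produce "from versions: none". The target tag sets, function names and the sample listing (assembled from filenames quoted in this thread) are assumptions; version ranges such as `idna<3` are not checked.

```python
import re

# Assumed target for the macOS build: CPython 3.12 on macOS.
# Simplification: real pip matches ordered (python, abi, platform) triples and
# also checks the macOS version floor and the CPU architecture.
MACOS_CP312 = {
    "python": {"cp312", "py312", "py3"},
    "abi": {"cp312", "abi3", "none"},
    "platform_prefixes": ("macosx_", "any"),
}


def normalize(name):
    """PEP 503 project-name normalization (Kivy_Garden == kivy-garden)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_wheel(filename):
    """Split a wheel filename: name-version[-build]-python-abi-platform.whl"""
    if not filename.endswith(".whl"):
        raise ValueError(f"not a wheel: {filename}")
    parts = filename[: -len(".whl")].split("-")
    if len(parts) not in (5, 6):
        raise ValueError(f"unexpected wheel filename: {filename}")
    python, abi, platform = (set(tag.split(".")) for tag in parts[-3:])
    return {"file": filename, "project": normalize(parts[0]),
            "python": python, "abi": abi, "platform": platform}


def installable(wheel, target):
    """True if at least one tag of each kind is acceptable for the target."""
    return (bool(wheel["python"] & target["python"])
            and bool(wheel["abi"] & target["abi"])
            and any(p.startswith(target["platform_prefixes"])
                    for p in wheel["platform"]))


def audit_find_links(required, filenames, target):
    """Classify each required project as ok, wrong-tags or absent."""
    by_project = {}
    for filename in filenames:
        wheel = parse_wheel(filename)
        by_project.setdefault(wheel["project"], []).append(wheel)
    report = {}
    for name in required:
        candidates = by_project.get(normalize(name), [])
        usable = [w["file"] for w in candidates if installable(w, target)]
        if usable:
            report[name] = ("ok", usable)
        elif candidates:
            report[name] = ("wrong-tags", [w["file"] for w in candidates])
        else:
            report[name] = ("absent", [])
    return report


# Constructed listing, using wheel filenames that appear in this thread.
SAMPLE_LISTING = [
    "Kivy-2.3.0-cp312-cp312-macosx_10_9_universal2.whl",
    "Kivy_Garden-0.1.5-py3-none-any.whl",
    "requests-2.31.0-py3-none-any.whl",
    "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
    "idna-2.10-py2.py3-none-any.whl",
    "certifi-2024.2.2-py3-none-any.whl",
]
SAMPLE_REQUIRED = ["Kivy", "Kivy-Garden", "requests", "charset-normalizer",
                   "idna", "urllib3", "certifi"]


def demo():
    return audit_find_links(SAMPLE_REQUIRED, SAMPLE_LISTING, MACOS_CP312)
```
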