pip-compile doesn't provide hashes for wheels hosted by simple index servers

Open · stefansjs opened this issue 2 years ago · 4 comments

pip-compile doesn't compute hashes for all index servers, which leads to a pip install failure. Specifically, any index server that provides hashes from its JSON API will prevent pip-compile from checking whether other installation candidates are available from other index servers.

Environment Versions

  1. OS Type
  2. Python version: $ python -V
  3. pip version: $ pip --version
  4. pip-tools version: $ pip-compile --version

Steps to replicate

  1. host a simple index server
  2. add wheels for source packages in pypi, e.g. avro-python3==1.9.2.1
  3. list this requirement in requirements.in
  4. run pip-compile --generate-hashes -i 'http://<my local index server>.com/' --extra-index-url https://pypi.org/simple
  5. run pip install -r requirements.txt

Expected result

The hashes should include the wheel in the local index server.

Actual result

Only hashes from pypi.org are listed in requirements.txt.

Looking at the implementation, it looks like piptools first tries to get hashes from the first index server that implements the JSON API. The first server that responds with a JSON blob is taken as the only source of hash candidates. Files missing from that response are not hashed manually.

In this case, because some files are on PyPI, which implements the JSON API, other index servers are able to provide valid installation candidates to pip, but piptools does not bother to hash them, thus causing a pip installation failure due to the missing hashes.

stefansjs, Nov 15 '21 18:11
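To make the two hash-collection strategies concrete (the "first JSON API response wins" behaviour reported above versus collecting candidates from every index and hashing files that no JSON API described), here is an added example written for this discussion. It is illustration code, not pip-tools' or pip's own implementation: the `Index` class, the two in-memory index servers, the project name and the file contents are all constructed for the example, and `pip_accepts` only models pip's hash-checking rule, not pip itself.

```python
"""Added illustration for the hash-collection behaviour described in this issue.

Example code written for the discussion, not pip-tools' or pip's own code.
The in-memory index servers, project name and file contents are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Index:
    """Toy index server: a 'simple' file listing plus an optional JSON API
    that reports hashes. A plain simple index has no JSON API, so the only
    way to get a hash for its files is to download and hash them."""

    def __init__(self, name, files, has_json_api):
        self.name = name
        self._files = files          # {project: {filename: file_bytes}}
        self.has_json_api = has_json_api

    def simple_listing(self, project):
        return sorted(self._files.get(project, {}))

    def json_hashes(self, project):
        """Hashes as the JSON API would return them, or None when unsupported."""
        if not self.has_json_api:
            return None
        return {fn: sha256_hex(data)
                for fn, data in self._files.get(project, {}).items()}

    def download(self, project, filename):
        return self._files[project][filename]


def first_json_wins(project, indexes):
    """Behaviour the issue reports: the first index that answers the JSON API
    supplies the only hash candidates; files on other indexes are never hashed."""
    for idx in indexes:
        hashes = idx.json_hashes(project)
        if hashes is not None:
            return hashes
    return {}


def all_candidates(project, indexes):
    """Corrected behaviour: walk every index, take JSON-API hashes when offered
    and hash the downloaded file otherwise. The same filename with a different
    digest on two indexes is reported rather than silently merged, since that
    is exactly the situation hash pinning exists to catch."""
    result = {}
    for idx in indexes:
        json_hashes = idx.json_hashes(project) or {}
        for filename in idx.simple_listing(project):
            digest = json_hashes.get(filename) or sha256_hex(idx.download(project, filename))
            if result.get(filename, digest) != digest:
                raise ValueError(f"{filename}: conflicting hashes across indexes")
            result[filename] = digest
    return result


def requirements_line(requirement, hashes):
    """Render a pinned requirement with one --hash per candidate, in the
    format pip accepts for hash-checking mode."""
    return " \\\n    ".join([requirement] + [f"--hash=sha256:{d}" for d in sorted(hashes.values())])


def pip_accepts(file_bytes, pinned_hashes):
    """pip's hash-checking rule in one line: the artifact it picked must match
    one of the pinned hashes, or installation fails."""
    return sha256_hex(file_bytes) in pinned_hashes.values()


# Constructed data mirroring the reproduction steps: a local simple index that
# carries a wheel for a project that exists only as an sdist on the JSON-API index.
PROJECT = "avro-python3"
WHEEL = "avro_python3-1.9.2.1-py3-none-any.whl"
SDIST = "avro-python3-1.9.2.1.tar.gz"
LOCAL = Index("local", {PROJECT: {WHEEL: b"wheel contents (constructed)"}}, has_json_api=False)
PYPI = Index("pypi", {PROJECT: {SDIST: b"sdist contents (constructed)"}}, has_json_api=True)
INDEXES = [LOCAL, PYPI]   # -i local, --extra-index-url pypi


def demo():
    """pip prefers the wheel, which only the local index has; the buggy hash
    set does not cover it, the corrected one does."""
    wheel_bytes = LOCAL.download(PROJECT, WHEEL)
    return {
        "buggy_accepts_wheel": pip_accepts(wheel_bytes, first_json_wins(PROJECT, INDEXES)),
        "fixed_accepts_wheel": pip_accepts(wheel_bytes, all_candidates(PROJECT, INDEXES)),
    }


if __name__ == "__main__":
    print(demo())
    print(requirements_line(f"{PROJECT}==1.9.2.1", all_candidates(PROJECT, INDEXES)))
```

Two caveats worth keeping in mind when applying the corrected strategy for real. A digest computed from a file that pip-compile itself downloaded pins only what that index served at compile time; it says nothing about who built the wheel, so the guarantee is only as strong as the trust placed in the index it came from. And the conflict check above is deliberately loud: the same filename with different bytes on two indexes is the dependency-confusion shape, so it should be investigated rather than resolved by emitting both hashes and letting pip accept either.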

I've got a PR underway. I'm just trying to make sure I add enough test coverage first.

stefansjs, Nov 16 '21 16:11

@stefansjs I'm running into this limitation as well. Any updates on progress? Could I offer assistance?

snmishra, Jan 25 '22 18:01

@snmishra I just got back to this PR. It sat on my back burner for a little longer than I'd like to admit. So far my feature is implemented on https://github.com/stefansjs/pip-tools/tree/all_hashes, but I don't think it has enough test coverage to ensure that my implementation is right in all cases.

If it's easier, maybe I should start the PR and we can discuss changes in that CR discussion. Do you think that's the best way to discuss?

stefansjs, Jan 25 '22 19:01

@stefansjs Sounds good

snmishra, Jan 25 '22 21:01

Any news here?!?

jedie, Nov 20 '22 16:11

@jedie The work is in progress, see related PR https://github.com/jazzband/pip-tools/pull/1556.

atugushev, Nov 20 '22 18:11