python get-pip.py --require-hashes (without --src hack)
- Pip version: None
- Python version: 3.5
- Operating System: various
Description:
I'm trying to bootstrap "pip setuptools wheel" with require hashes without using a hack.
What I've run:
tee requirements.txt <<HEREDOC
pip==8.1.2 \\
--hash=sha256:6464dd9809fb34fc8df2bf49553bb11dac4c13d2ffa7a4f8038ad86a4ccb92a1 \\
--hash=sha256:4d24b03ffa67638a3fa931c09fd9e0273ffa904e95ebebe7d4b1a54c93d7b732
setuptools==21.0.0 \\
--hash=sha256:fb6378f65eb630281227720ae80276f38c1a1f16969eca499435c0ff2a815fe6 \\
--hash=sha256:bdf0b7660f6673868d60d929e267e583bddc0e9623c71197b1ad79610c2ebe93 \\
--hash=sha256:9ccd2f4eda0fb1af157eb2007e94bc53a48ea8c10f613e8cd7081d3d25f2991f
wheel==0.29.0 \\
--hash=sha256:ea8033fc9905804e652f75474d33410a07404c1a78dd3c949a66863bd1050ebd \\
--hash=sha256:1ebb8ad7e26b448e9caa4773d2357849bf80ff9e313964bcaf79cbf0201a1648
HEREDOC
python get-pip.py --require-hashes --no-wheel --no-setuptools -rrequirements.txt --src
This is a massive hack, because I'm using --src to 'comment' out the extra "pip" to avoid the dreaded DoubleRequirement error, getting get-pip.py to run,
pip.main(['install', '--upgrade', '--require-hashes', '--no-wheel', '--no-setuptools', '-rrequirements.txt', '--src', 'pip'])
Because "--src" is noop when there's no "-e"
Thanks for filing this issue! It seems like no one got to actually responding to this issue before.
Is this still an issue? I'm not sure I understand what you're trying to do here -- is it that you're trying to install pip, setuptools and wheel while validating their hashes, using pip? What scenario is giving you the DoubleRequirementError?
Aside, using pip.main was never a supported way of using pip and in pip 10, that usage will now be broken.
Thanks and sorry for the wait.
I'm trying to install pip setuptools and wheel and validate their hashes. I can use --src to get pip to only see one pip
Could you report this over at pypa/get-pip.py?
It's really an issue related to that.
@graingert Did you ever come up with a solution for this? I'm running into the same issue.
@jdtriska nope, and I've not got around to reporting it to the right project, could you do it for me?
Since the issue belongs to another project, it can be closed IMO. :)
Or we can let someone with the permission to transfer the issue there (I don’t).
Just double checked: this is still an issue with the new resolver.
$ cat requirements.txt
pip==8.1.2 \
--hash=sha256:6464dd9809fb34fc8df2bf49553bb11dac4c13d2ffa7a4f8038ad86a4ccb92a1 \
--hash=sha256:4d24b03ffa67638a3fa931c09fd9e0273ffa904e95ebebe7d4b1a54c93d7b732
setuptools==21.0.0 \
--hash=sha256:fb6378f65eb630281227720ae80276f38c1a1f16969eca499435c0ff2a815fe6 \
--hash=sha256:bdf0b7660f6673868d60d929e267e583bddc0e9623c71197b1ad79610c2ebe93 \
--hash=sha256:9ccd2f4eda0fb1af157eb2007e94bc53a48ea8c10f613e8cd7081d3d25f2991f
wheel==0.29.0 \
--hash=sha256:ea8033fc9905804e652f75474d33410a07404c1a78dd3c949a66863bd1050ebd \
--hash=sha256:1ebb8ad7e26b448e9caa4773d2357849bf80ff9e313964bcaf79cbf0201a1648
$ python get-pip.py -r requirements.txt --require-hashes
Collecting pip
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
pip from https://files.pythonhosted.org/packages/fe/ef/60d7ba03b5c442309ef42e7d69959f73aacccd0d86008362a681c4698e83/pip-21.0.1-py3-none-any.whl#sha256=37fd50e056e2aed635dec96594606f0286640489b0db0ce7607f7e51890372d5
This is no longer an issue for me as I've decommissioned all the platforms that didn't have a new enough pip to support --require-hashes
Also for people still using such platforms I'd recommend using the virtualenv.pyz bootstrap: https://virtualenv.pypa.io/en/latest/installation.html#via-zipapp
Thanks. This article went useful for me on a local project.
^^^ Spam? 😕
And also - Is there a "script" to generate me requirements.txt that I need, in order to do
python get-pip.py --prefix=/usr/local/ --require-hashes -rrequirements.txt --src
replicatably in the future?
(idk if I care about --no-wheel --no-setuptools, and whether it affects what I'm asking for)
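One way to produce a hash-pinned file in the format shown in this thread, as an added example that is not part of the original discussion and not pip's own code: it hashes wheels and sdists already fetched into a local directory (for instance with `pip download`) and emits one `==` pin per project with a `--hash=sha256:` line per file. The function names and the demo file contents are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SDIST_SUFFIXES = (".tar.gz", ".zip")

def parse_dist_filename(filename):
    """Return (normalized project name, version), or None if not a wheel/sdist."""
    if filename.endswith(".whl"):
        # Wheel names escape "-" inside fields, so the first two fields are name, version.
        parts = filename[:-len(".whl")].split("-")
        if len(parts) not in (5, 6):
            return None
        name, version = parts[0], parts[1]
    else:
        suffix = next((s for s in SDIST_SUFFIXES if filename.endswith(s)), None)
        if suffix is None or "-" not in filename[:-len(suffix)]:
            return None
        name, version = filename[:-len(suffix)].rsplit("-", 1)
    return re.sub(r"[-_.]+", "-", name).lower(), version

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_requirements(dist_dir):
    """Render pinned, hashed requirement lines for every wheel/sdist in dist_dir."""
    pins = {}  # project -> {version: {sha256, ...}}
    for path in sorted(Path(dist_dir).iterdir()):
        parsed = parse_dist_filename(path.name)
        if parsed:
            name, version = parsed
            pins.setdefault(name, {}).setdefault(version, set()).add(sha256_of(path))
    entries = []
    for name in sorted(pins):
        if len(pins[name]) > 1:  # two pins for one project cannot both be installed
            raise ValueError(f"{name}: several versions present: {sorted(pins[name])}")
        (version, hashes), = pins[name].items()
        lines = [f"{name}=={version}"] + [f"    --hash=sha256:{h}" for h in sorted(hashes)]
        entries.append(" \\\n".join(lines))
    return "\n".join(entries) + "\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-ins for downloaded files
        for fname in ("pip-8.1.2-py2.py3-none-any.whl", "pip-8.1.2.tar.gz", "wheel-0.29.0.tar.gz"):
            Path(tmp, fname).write_bytes(b"constructed sample: " + fname.encode())
        print(build_requirements(tmp), end="")
```

The hashes are only as trustworthy as the files in the directory, so compare them against the digests published by the index before committing the generated file.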