
suggestion: shouldn't pip lock also provide the size of objects ?

Open stonebig opened this issue 6 months ago • 8 comments

What's the problem this feature will solve?

To reduce the risk of a SHA-256 collision, providing the size of the file could be interesting. This is also included in the "mousebender" example in PEP-0751: https://peps.python.org/pep-0751/

created-by = 'mousebender'

[[packages]]
name = 'attrs'
version = '25.1.0'
requires-python = '>=3.8'
wheels = [
  {name = 'attrs-25.1.0-py3-none-any.whl', upload-time = 2025-01-25T11:30:10.164985+00:00, url = 'https://files.pythonhosted.org/packages/fc/30/d4986a882011f9df997a55e6becd864812ccfcd821d64aac8570ee39f719/attrs-25.1.0-py3-none-any.whl', size = 63152, hashes = {sha256 = 'c75a69e28a550a7e93789579c22aa26b0f5b83b75dc4e08fe092980051e1090a'}},
]

Describe the solution you'd like

Also provide the size of the packages when generating "pip lock".

Alternative Solutions

Doing it by hand in a post-processing step.

Additional context

Using "pip lock" to generate a reference and safe pylock.toml file for the WinPython distribution.

typical code:

rem to get pylock.toml in an ok place...
cd /D %LOCKDIR%

rem freeze the installed set, dropping the winpython package itself
python.exe -m pip freeze > %req%
findstr /v "winpython" %req% > %wanted_req%

rem pip lock from pypi, from the frozen req
python.exe -m pip lock --no-deps -c C:\WinP\constraints.txt -r "%wanted_req%" -o %pip_lock_web%

rem pip lock from local WheelHouse, from the frozen req
python.exe -m pip lock --no-deps --no-index --trusted-host=None --find-links=C:\WinP\packages.srcreq -c C:\WinP\constraints.txt -r "%wanted_req%" -o %pip_lock_local%

rem generating also a classic requirements file with sha256 hashes, from the obtained pylock.toml
python.exe -c "from winpython import wheelhouse as wh;wh.pylock_to_req(r'%pip_lock_web%', r'%req_lock_web%')"
python.exe -c "from winpython import wheelhouse as wh;wh.pylock_to_req(r'%pip_lock_local%', r'%req_lock_local%')"

rem compare the two (result from pypi and local Wheelhouse must be equal)
fc "%req_lock_web%" "%req_lock_local%"



stonebig avatar May 13 '25 18:05 stonebig
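The check that a `size` field next to `sha256` makes possible, as an added example that is not part of the issue, of pip, or of WinPython: it parses a constructed pylock.toml fragment modelled on the PEP 751 "mousebender" entry quoted above, verifies a downloaded file's size before hashing it (a cheap way to reject truncated or padded files, and an extra condition an attacker must satisfy on top of the hash), and emits hash-pinned requirement lines of the kind the `pylock_to_req` step in the script produces. The real output format of `pylock_to_req` is not shown on the page, so the `name==version --hash=sha256:...` line format here is an assumption; the URL, the wheel bytes and the hash are constructed placeholders, and `tomllib` needs Python 3.11+ (or the `tomli` backport).

```python
"""Verify wheels against pylock.toml entries (size + sha256) and emit hash-pinned
requirement lines.  Added example; not pip's or WinPython's own code."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # assumed backport on older interpreters

# Constructed wheel payload; a real wheel is a zip, but only the bytes matter here.
WHEEL_BYTES = b"PK\x03\x04constructed wheel payload for the pylock demo\n"
_SHA = hashlib.sha256(WHEEL_BYTES).hexdigest()

# Lock fragment modelled on the PEP 751 example in the issue.  The URL is a
# placeholder; size and sha256 describe WHEEL_BYTES, not the real attrs wheel.
PYLOCK_TOML = (
    "lock-version = '1.0'\n"
    "created-by = 'mousebender'\n\n"
    "[[packages]]\n"
    "name = 'attrs'\n"
    "version = '25.1.0'\n"
    "requires-python = '>=3.8'\n"
    "wheels = [\n"
    "  {name = 'attrs-25.1.0-py3-none-any.whl', "
    "url = 'https://example.invalid/attrs-25.1.0-py3-none-any.whl', "
    f"size = {len(WHEEL_BYTES)}, hashes = {{sha256 = '{_SHA}'}}}},\n"
    "]\n"
)


def load_lock(text: str) -> dict:
    return tomllib.loads(text)


def find_wheel(lock: dict, filename: str) -> dict | None:
    for pkg in lock.get("packages", []):
        for wheel in pkg.get("wheels", []):
            if wheel.get("name") == filename:
                return wheel
    return None


def verify_wheel(path: Path, entry: dict) -> list[str]:
    """Return the list of problems; empty means the file matches the lock entry.
    Size is checked first (cheap, catches truncation/padding before hashing);
    a lock entry without a size is reported rather than silently skipped."""
    problems: list[str] = []
    expected_size = entry.get("size")
    actual_size = path.stat().st_size
    if expected_size is None:
        problems.append("lock entry has no size; only the hash can be checked")
    elif actual_size != expected_size:
        problems.append(f"size mismatch: expected {expected_size}, got {actual_size}")
    expected_sha = entry.get("hashes", {}).get("sha256")
    if expected_sha is None:
        problems.append("lock entry has no sha256 hash")
        return problems
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    if h.hexdigest() != expected_sha:
        problems.append("sha256 mismatch")
    return problems


def pylock_to_requirements(lock: dict) -> list[str]:
    """One `name==version --hash=sha256:...` line per package, with a --hash for
    every listed wheel (and sdist), usable with `pip install --require-hashes`.
    The line format is an assumption, not pylock_to_req's real output."""
    lines = []
    for pkg in lock["packages"]:
        artifacts = list(pkg.get("wheels", []))
        if "sdist" in pkg:
            artifacts.append(pkg["sdist"])
        hashes = [f"--hash=sha256:{a['hashes']['sha256']}"
                  for a in artifacts if "sha256" in a.get("hashes", {})]
        lines.append(" ".join([f"{pkg['name']}=={pkg['version']}", *hashes]))
    return lines


def demo() -> dict[str, list[str]]:
    """Run the checks on a good copy, a same-size tampered copy and a truncated
    copy of the constructed wheel, plus an entry that lacks `size`."""
    lock = load_lock(PYLOCK_TOML)
    entry = find_wheel(lock, "attrs-25.1.0-py3-none-any.whl")
    assert entry is not None
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        good = tmp / "good.whl"
        good.write_bytes(WHEEL_BYTES)
        tampered = tmp / "tampered.whl"
        tampered.write_bytes(b"X" + WHEEL_BYTES[1:])   # same length, other content
        truncated = tmp / "truncated.whl"
        truncated.write_bytes(WHEEL_BYTES[:-1])
        no_size = {k: v for k, v in entry.items() if k != "size"}
        return {
            "good": verify_wheel(good, entry),
            "same_size_tampered": verify_wheel(tampered, entry),
            "truncated": verify_wheel(truncated, entry),
            "no_size_entry": verify_wheel(good, no_size),
            "requirements": pylock_to_requirements(lock),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The size check is deliberately reported as a separate problem rather than folded into the hash result, so a lock file produced by a tool that omits `size` (as the issue says `pip lock` currently does) is visibly weaker instead of silently passing.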

It could. A PR to do this is welcome.

sbidoul avatar May 13 '25 19:05 sbidoul

Let's see if I can.

stonebig avatar May 13 '25 20:05 stonebig

Gave it a try with GitHub's free integrated AI, but it's a game of CI patience.

Also not sure if I take the size from the right place when local.

stonebig avatar May 15 '25 20:05 stonebig

Please don't submit AI-generated code as a PR.

pfmoore avatar May 15 '25 21:05 pfmoore

Please don't submit AI-generated code as a PR.

As I'm using "free" AIs:

  • I know the code is to be verified, and eventually re-normalized to the project's practice.
  • I find using several AIs super useful:
    • to understand the code base, i.e. where the to-do changes are in the pip code haystack
    • to more easily detect the errors and bad answers between AIs
  • I try to keep the code minimalist and simple, not intelligent
  • you'll notice I tried to fit my pull request to @sbidoul's comments

So... can I continue with that use of AI?

stonebig avatar May 18 '25 14:05 stonebig

I have no objection if you want to use AIs to help you write code. But if you submit AI-written code, then is it your code? In other words, do you have the right to license it to the pip project? What if it turns out the AI produced a copy of someone else's code?

Also, have you reviewed the code as well as you would have if you'd written it yourself? Are you certain there are no bugs in it?

I'd prefer that if you want to use AIs, you use them to assist you to write the code you submit.

pfmoore avatar May 18 '25 20:05 pfmoore

I have no objection if you want to use AIs to help you write code. But if you submit AI-written code, then is it your code? In other words, do you have the right to license it to the pip project? What if it turns out the AI produced a copy of someone else's code?

Sure, so the code must be stupid.

Also, have you reviewed the code as well as you would have if you'd written it yourself? Are you certain there are no bugs in it?

At this moment:

  • AIs make more errors than me, create more documentation and tests, and tend to have varying styles
  • I do not make the same errors, have a standard style, hate writing documentation and tests (procrastination)
  • like for spelling errors, it makes the overall code less buggy as one sees the errors of the other

I'd prefer that if you want to use AIs, you use them to assist you to write the code you submit.

This is what I do, yet you can foresee the situation is changing:

  • from writing code, the world moves to writing prompts, which are then compiled to Python source code,
  • more and more, we will have to find other ways to check the ocean of source code that AI will generate.

It's going to be a problem for pip and open source:

  • how to get good code not tainted as you fear,
  • when 100% of developers already use AI all the time.

There are no "clean room from AI" developers anymore, except maybe at sqlite.org.

stonebig avatar May 25 '25 08:05 stonebig

Can y’all go somewhere else to argue about this please? If this affects the implementation, the PR thread is more suitable. Otherwise it should have its own issue thread.

uranusjr avatar May 26 '25 06:05 uranusjr