-
Notifications
You must be signed in to change notification settings - Fork 139
Conversation
00d238a
to
7618066
Compare
The 2020 resolver is OK with multiple requirements files, but it does not consider hashes at all in constraints files. This issue is being discussed in pypa/pip#8792, where there is general agreement that hashes in constraints files should be loaded. The questions are around what happens when there are multiple declarations for the same version but with different sets of hashes. Update 1 - Also, we could work around the issue by using |
7618066
to
5157de5
Compare
A fix for pypa/pip#8792 has merged, but has not been released. My test project at https://github.com/jwhitlock/pip-resolver-demo continues to fail. I'll wait for the fix to get into a released version to re-file. ReadTheDocs.org started adding |
5157de5
to
6d5a289
Compare
Read The Docs was randomly setting |
Install python libraries with pip 20.2 and the 2020-resolver planned for the 20.3 release.
1cc4d92
to
a0645b6
Compare
Thanks to @pradyunsg
Force push to rebase on origin/main, and then add @pradyunsg's suggested change. The test now keeps pip 20.2.3, but this release doesn't have the fixes from pypa/pip#8839, so the install continues to fail in the same way. |
I filed the new issue pypa/pip#9020 last week, and got some feedback. The devs say that the restriction is that constraints plus hashes must be an exact match. For example, Django 3.0 has a requirement of I'm going to follow @willkg's strategy in mozilla-services/socorro#5595 and switch to |
Moved to issue #1407. |
Install python libraries with pip 20.2 and the 2020-resolver planned for the 20.3 release. See the changes to the pip dependency resolver in 20.2 (2020)
This fails for me when installing in the docker image, and when installing on macOS in a virtualenv. It succeeds when the default resolver in pip 20.2 is used.
The error with
--use-feature=2020-resolver
is:However,
idna==2.10
, with hashes, is defined in requirements/constraints.txt.I'm going to submit this to the pip developers as a potential use case for the 2020-resolver, so here's some background. There are two scenarios when we install requirements:
To handle this, we have 4 requirements files:
requests[security]
, andurllib3[secure]
)[extra]
specifiersWe specify hashes in all four files, using hashin to populate them.
Our requirements files include other files:
default.txt
:-c constraints.txt
,-r docs.txt
,-r shared.txt
docs.txt
:-c constraints.txt
,-r shared.txt
shared.txt
: Nonecontraints.txt
: NoneThis allows us to define each requirement exactly once, and ensure that docs are built with the same versions in the development environment and CI as on ReadTheDocs.
This allows us to install requirements with
pip install -r requirements/default.txt
for development or for creating Docker images, andpip install -r requirements/docs.txt
on ReadTheDocs. It works with the default resolver through pip 20.2. Withpip --use-feaature=2020-resolver
, it seems that the hash checker gets confused about some constraints.It seems to be related to constraints that are required in two paths from two different files (determined with
pipdeptree
). For example,idna
is included twice:Sphinx
(docs.txt
)requests
(shared.txt
)idna
(constraints.txt
)geoip2
(default.txt
)aiohttp
(constraints.txt
)yarl
(constraints.txt
)idna
(constraints.txt
)I've also seen
chardet
have the--require-hashes mode
when installing in a virtualenv (system packages allowed) on macOS. It has similar multiple requires paths:Sphinx
(docs.txt
)requests
(shared.txt
)chardet
(constraints.txt
)geoip2
(default.txt
)aiohttp
(constraints.txt
)chardet
(constraints.txt
)