python get-pip.py --require-hashes (without --src hack) #73

Open
graingert opened this issue May 13, 2016 · 14 comments

@graingert

  • Pip version: None
  • Python version: 3.5
  • Operating System: various

Description:

I'm trying to bootstrap "pip setuptools wheel" with require hashes without using a hack.

What I've run:

tee requirements.txt <<HEREDOC
pip==8.1.2 \\
    --hash=sha256:6464dd9809fb34fc8df2bf49553bb11dac4c13d2ffa7a4f8038ad86a4ccb92a1 \\
    --hash=sha256:4d24b03ffa67638a3fa931c09fd9e0273ffa904e95ebebe7d4b1a54c93d7b732
setuptools==21.0.0 \\
    --hash=sha256:fb6378f65eb630281227720ae80276f38c1a1f16969eca499435c0ff2a815fe6 \\
    --hash=sha256:bdf0b7660f6673868d60d929e267e583bddc0e9623c71197b1ad79610c2ebe93 \\
    --hash=sha256:9ccd2f4eda0fb1af157eb2007e94bc53a48ea8c10f613e8cd7081d3d25f2991f
wheel==0.29.0 \\
    --hash=sha256:ea8033fc9905804e652f75474d33410a07404c1a78dd3c949a66863bd1050ebd \\
    --hash=sha256:1ebb8ad7e26b448e9caa4773d2357849bf80ff9e313964bcaf79cbf0201a1648
HEREDOC

python get-pip.py --require-hashes --no-wheel --no-setuptools -rrequirements.txt --src

This is a massive hack, because I'm using --src to 'comment' out the extra "pip" to avoid the dreaded DoubleRequirement error, getting get-pip.py to run:

pip.main(['install', '--upgrade', '--require-hashes', '--no-wheel', '--no-setuptools', '-rrequirements.txt', '--src', 'pip'])

Because "--src" is a no-op when there's no "-e".

graingert changed the title from "python get-pip.py --require-hashes (without logging to pip)" to "python get-pip.py --require-hashes (without --src hack)" on May 13, 2016
@pradyunsg
Member

Thanks for filing this issue! It seems like no one got to actually responding to this issue before.

Is this still an issue? I'm not sure I understand what you're trying to do here -- is it that you're trying to install pip, setuptools and wheel while validating their hashes, using pip? What scenario is giving you the DoubleRequirementError?

Aside, using pip.main was never a supported way of using pip and in pip 10, that usage will now be broken.

Thanks and sorry for the wait.

@graingert
Author

I'm trying to install pip setuptools and wheel and validate their hashes. I can use --src to get pip to only see one pip

@pradyunsg
Member

Could you report this over at pypa/get-pip.py?

It's really an issue related to that.

@jdtriska

@graingert Did you ever come up with a solution for this? I'm running into the same issue.

@graingert
Author

@jdtriska nope, and I've not got around to reporting it to the right project, could you do it for me?

@gutsytechster

Since the issue belongs to another project, it can be closed IMO. :)

@uranusjr
Member

Or we can let someone with the permission to transfer the issue there (I don’t).

pradyunsg transferred this issue from pypa/pip on Aug 30, 2020
@pradyunsg
Member

Just double checked: this is still an issue with the new resolver.

$ cat requirements.txt
pip==8.1.2 \
    --hash=sha256:6464dd9809fb34fc8df2bf49553bb11dac4c13d2ffa7a4f8038ad86a4ccb92a1 \
    --hash=sha256:4d24b03ffa67638a3fa931c09fd9e0273ffa904e95ebebe7d4b1a54c93d7b732
setuptools==21.0.0 \
    --hash=sha256:fb6378f65eb630281227720ae80276f38c1a1f16969eca499435c0ff2a815fe6 \
    --hash=sha256:bdf0b7660f6673868d60d929e267e583bddc0e9623c71197b1ad79610c2ebe93 \
    --hash=sha256:9ccd2f4eda0fb1af157eb2007e94bc53a48ea8c10f613e8cd7081d3d25f2991f
wheel==0.29.0 \
    --hash=sha256:ea8033fc9905804e652f75474d33410a07404c1a78dd3c949a66863bd1050ebd \
    --hash=sha256:1ebb8ad7e26b448e9caa4773d2357849bf80ff9e313964bcaf79cbf0201a1648
$ python get-pip.py -r requirements.txt --require-hashes
Collecting pip
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    pip from https://files.pythonhosted.org/packages/fe/ef/60d7ba03b5c442309ef42e7d69959f73aacccd0d86008362a681c4698e83/pip-21.0.1-py3-none-any.whl#sha256=37fd50e056e2aed635dec96594606f0286640489b0db0ce7607f7e51890372d5

@graingert
Author

This is no longer an issue for me as I've decommissioned all the platforms that didn't have a new enough pip to support --require-hashes

@graingert
Author

Also for people still using such platforms I'd recommend using the virtualenv.pyz bootstrap: https://virtualenv.pypa.io/en/latest/installation.html#via-zipapp

@DiddiLeija
Member

> Also for people still using such platforms I'd recommend using the virtualenv.pyz bootstrap: https://virtualenv.pypa.io/en/latest/installation.html#via-zipapp

Thanks. This article was useful for me on a local project.

@don7maldosa

This comment was marked as spam.

@stdedos

stdedos commented Jan 11, 2024

^^^ Spam? 😕

@stdedos

stdedos commented Jan 11, 2024

And also - Is there a "script" to generate me requirements.txt that I need, in order to do

python get-pip.py --prefix=/usr/local/ --require-hashes -rrequirements.txt --src

replicatably in the future?

(idk if I care about --no-wheel --no-setuptools, and whether it affects what I'm asking for)
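
Added example (not part of the thread and not pypa code): one way to produce a hash-pinned requirements.txt offline from wheels and sdists already sitting in a directory, rejecting a directory that holds two versions of one project. The function names, the simplified filename patterns, and the sample artifacts are assumptions made for this illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Simplified patterns: wheel is name-version-tags.whl, sdist is name-version.tar.gz/.zip
_WHEEL = re.compile(r"^(?P<name>[^-]+)-(?P<ver>[^-]+)-.+\.whl$")
_SDIST = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)\.(?:tar\.gz|zip)$")


def sha256_file(path, chunk=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def pinned_requirements(artifact_dir):
    """Return requirements.txt text pinning every artifact in artifact_dir."""
    pins = {}  # (normalized name, version) -> set of hex digests
    for path in sorted(Path(artifact_dir).iterdir()):
        m = _WHEEL.match(path.name) or _SDIST.match(path.name)
        if m is None:
            raise ValueError(f"not a wheel or sdist: {path.name}")
        name = re.sub(r"[-_.]+", "-", m["name"]).lower()
        pins.setdefault((name, m["ver"]), set()).add(sha256_file(path))
    if len({name for name, _ in pins}) != len(pins):
        raise ValueError("more than one version of a project; pin exactly one")
    lines = []
    for (name, ver), digests in sorted(pins.items()):
        hashes = [f"    --hash=sha256:{d}" for d in sorted(digests)]
        lines.append(" \\\n".join([f"{name}=={ver}"] + hashes))
    return "\n".join(lines) + "\n"


def demo():
    # Constructed sample artifacts: placeholder bytes, not real releases.
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in [("pip-8.1.2-py2.py3-none-any.whl", b"constructed wheel"),
                            ("pip-8.1.2.tar.gz", b"constructed sdist"),
                            ("wheel-0.29.0.tar.gz", b"constructed wheel sdist")]:
            Path(tmp, fname).write_bytes(data)
        return pinned_requirements(tmp)


if __name__ == "__main__":
    print(demo(), end="")
```

Digests computed this way only record what was downloaded, so compare them against the digests the package index publishes for each file before committing the result.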
