-
Notifications
You must be signed in to change notification settings - Fork 638
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
18.0.1 files re-released on Jun 27 with new hashes #1304
Comments
Indeed, two manylinux2010 wheels were uploaded by accident when I published 18.0.2. No files have been removed or replaced, though. Can I see your pipenv to see how it matched an existing and available wheel, but decided there was an error because a different wheel also existed? I'm guessing there might be a bug (or possible improvement, at least) in pip or pipenv when validating hashes of packages, if it can download different files even when there is a hash match. |
We're having the same issue. Package was added to Pipfile.lock some time ago and it has hashes for old files stored, so it refuses to install a file with a hash that doesn't match. I don't think it's a bug, it's intended behaviour in case files are replaced maliciously on the hosted server... Can you replace the packages with their previous versions? I imagine this will break for anyone who doesn't have the old packages cached (or clears their cache). The contents of Pipfile.lock for this package:
The file pipenv is trying to install for us: |
Our Pipfile looks like the following with packages that have nothing to do with pyzmq ellided:
The relevant section of our Pipfile.lock generated off the above looks exactly like the one @pbudzon generated. @minrk I agree it seems like Pipenv should also be tracking the "flavor" of wheel installed in the lock file so that it attempts to compare hashes for that same package, not a different one that appeared after the fact. |
what version of pipenv are folks using? This sounds like a pipenv bug (shouldn't it just ignore new files that don't match the provided hashes), but I cannot reproduce it. What version of pipenv do you have? |
I have |
Ah, silly me. I was testing on macOS, where the new wheels aren't install candidates. Can reproduce on linux. I'll investigate this a little longer so I can report the bug to pyenv, then I'll pull the new wheels. |
This also broke my Docker builds for my Jupyter deployments. Is this really a pipenv bug though? |
Not exactly. I tracked it down and it's not a bug in pipenv, but rather in pip. Rather than doing the logical, safe thing when given a spec of version + hashes (only considering hash matches for install), pip ignores hashes when picking which artifact to install, and then balking if it chooses an artifact that wasn't in the approved list, despite plenty of matches being available. This makes it impossible to use pip + hashes to bless fewer than all artifacts on PyPI, and requires pipfiles to be kept up-to-date if additional artifacts are added, when they ought to be safely ignored, defeating a big part of what I thought was the point of pipfiles, which is freezing a collection of known-good artifacts. The issue discusses some of the technical complications why this isn't implemented yet (mainly that picking a single artifact to download happens before hashes can be checked), so it will be nontrivial to do the right thing, but it looks like it'll get worked out. For now, I've pulled the wheels since they don't help anything anyway, yet. |
In fact, there's even a fix already in the works: pypa/pip#6464 |
Pipenv started complaining that the hashes for pyzmq 18.0.1 changed upstream on pypi from what we had in a lock file for one of our projects. Sure enough, two of the packages on pypi have today's date unlike the rest of them from March.
https://pypi.org/project/pyzmq/18.0.1/#files
I'm not sure if old packages were overwritten or if these are new flavors that Pipenv suddenly decided to pick up.
Just a small FYI.
The text was updated successfully, but these errors were encountered: