-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Locked info for local wheel should contain hash of the wheel file itself #2394
Comments
Any workaround until this is fixed? Using |
Found a workaround: changing the name of the package to a random string (or any string that's not a valid pypi package) prevents pipenv from searching the hash in pypi, but the installation works because a local wheel does not seem to need a correct package name. This fails:
But this works:
And this should too (haven't tested it tho):
|
This is also an issue for downloaded wheels that are not from pypi, and thus should not be compared to it. pipenv attempts to compare to hashes on pypi which just doesn't make sense, nor is it security, since Also seen in #3053 #2863 and #2757 TLDR;If the wheel is local/an external file, not a pypi file, the hash should represent that file or not be there at all, but should not be the hash of pypi Works
Just showing an example of setting up an environment, pretending I'm "starting over", and then "I want to reinstall what's in the Pipfile/Pipfile.lock". But in this case, the zip file is left alone, in peace, like you would expect. Also works as expected
Does not work as intended
And I can't even get past that, without using @Laski 's workaround, which I can't figure out from the Other incomplete workarounds#Egg
Will not actually work. The Editing
|
I can confirm @Laski 's workaround is the easiest way to deal with this for now. |
- Fixes #2394 Signed-off-by: Dan Ryan <[email protected]>
From #2390. Take googleappenginepipeline for example, here’s the lock file
The hash
cef7f04172870db661c8ae26fc1417b1bb30bdcd0019b1cdd15c5c4cd3c0ae1c
is the source archive’s hash from PyPI, but that does not match the wheel’s, and causes an failure when you runpipenv sync
:The solution to this, I think, is to include the wheel file’s hash with those from PyPI. The user should be responsible for providing a legit wheel file during locking, and if (s)he does, this hash can be used to ensure the wheel file used during
sync
is also legit.The text was updated successfully, but these errors were encountered: