Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Download source regression in 10.25 #5444

Closed
stumpylog opened this issue Oct 26, 2022 · 2 comments · Fixed by #5448
Closed

Download source regression in 10.25 #5444

stumpylog opened this issue Oct 26, 2022 · 2 comments · Fixed by #5448
Labels
triage Type: Bug 🐛 This issue is a bug. Type: Regression This issue is a regression of a previous behavior.

Comments

@stumpylog
Copy link
Contributor

Issue description

When installing packages from the same lock file, 10.25 will fail with hash check error, while 10.12 will succeed.

Expected result

Both should install the packages.

Actual result

Based on what I can tell, the lockfile includes the SHAs for the .whl and the .tar.gz from PyPi. However, it actually downloads the wheel from PiWheels instead, which has a different SHA, not listed in the lock file.

So it's kind these steps happening

  1. The index listed in the Pipfile.lock is pypi (ref)
  2. The SHAs are from PyPi
  3. The download happens from PiWheels (ref)
[pipenv.exceptions.InstallError]:     asgiref==3.5.2 from https://www.piwheels.org/simple/asgiref/asgiref-3.5.2-py3-none-any.whl#sha256=dda3f0b6b921471f50c266c63f0a8a6eb2c65e66359915db18b69b8d629ca594 (from -r /tmp/pipenv-yap_1oy1-requirements/pipenv-u0qmzuvp-hashed-reqs.txt (line 1)):
[pipenv.exceptions.InstallError]:         Expected sha256 1d2880b792ae8757289136f1db2b7b99100ce959b2aa57fd69dab783d05afac4
[pipenv.exceptions.InstallError]:         Expected     or 4a29362a6acebe09bf1d6640db38c1dc3d9217c68e6f9f6204d72667fc19a424
[pipenv.exceptions.InstallError]:              Got        dda3f0b6b921471f50c266c63f0a8a6eb2c65e66[35](https://github.com/stumpylog/pipenv-issue-repro/actions/runs/3332756300/jobs/5513993154#step:5:36)9915db18b69b8d629ca594

Steps to replicate

I threw together a basic repo here: https://github.com/stumpylog/pipenv-issue-repro


Please run $ pipenv --support, and paste the results here. Don't put backticks (`) around it! The output already contains Markdown formatting.

If you're on macOS, run the following:

$ pipenv --support | pbcopy

If you're on Windows, run the following:

> pipenv --support | clip

If you're on Linux, run the following:

$ pipenv --support | xclip
@matteius matteius added Type: Possible Bug This issue describes a possible bug in pipenv. Type: Regression This issue is a regression of a previous behavior. triage Type: Bug 🐛 This issue is a bug. and removed Type: Possible Bug This issue describes a possible bug in pipenv. labels Oct 26, 2022
@matteius
Copy link
Member

I am not sure what is causing this, but I can confirm that generating the lock file on the prior versions and the current version yields the same lock file, but pip itself (which was upgraded to latest 22.3) is rejecting the hashes and expecting a different hash on the latest version. Updating the lock file does not add the expected hash, so we are looking at a bug/regression of some kind.

@matteius
Copy link
Member

Ah well I got somewhere at least -- the issue is that its trying to install from the wrong index and getting a different hash. When I remove from the lock file:

            {
                "name": "piwheels",
                "url": "https://www.piwheels.org/simple",
                "verify_ssl": true
            }

then it installs fine -- it seems something is not working right with index restricted packages anymore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
triage Type: Bug 🐛 This issue is a bug. Type: Regression This issue is a regression of a previous behavior.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants