Should --generate-hashes imply --allow-unsafe? #806
Comments
|
Hello @jcushman, Thank you for the very detailed report and good catch!
See the comment in the examples/ptrotection.in file: pip-tools/examples/protection.in Lines 1 to 2 in 8a1a8ef
The
Sounds good to me. I'd rather to print a warning, instead of implying |
But that's because the package you're installing is importing setuptools -- not because pip is importing setuptools. pip vendors setuptools and doesn't care what version you have installed locally. You can't break pip itself by pinning setuptools -- you should only have a problem if a target requirement relies on an incompatible version. But that's no different from any other incompatible sub-dependency, and can be resolved the same way. |
It's not vendored, look at here. Pip only calls subprocess
It might be some legacy reason to consider the PS |
It's partially vendored. :) From your link, "setuptools is completely stripped to only keep pkg_resources", which is the part of setuptools that pip imports rather than calling as a subprocess. This discussion leads me to think that |
Yes, only FTR unsafe packages are also used in |
|
I'll close this in favour of #814. Feel free to reopen if there's something to say. |
|
Yep, thanks for closing this! I'm starting to think it might make sense to deprecate |
|
hello pleas help what the hash is hier ??????? |
Also, update the versions of `pip` and `pip-tools` used in the `pip-compile` `tox` target, and use the `--allow-unsafe` flag which is supposedly not really unsafe at all (and will become the default). See: jazzband/pip-tools#806 (comment)
Due to changes in `pluggy` (a dependency of `pytest`) using the `importlib.metadata` module from the standard library instead of the `importlib-metadata` package when running on Python >= 3.8, we need to pin the `basepython` used in the `pip-compile` Tox env to the version that's actually used in CI, otherwise `pip` complains during installation of dependencies the `importlib-metadata` package is not listed (with hashes) in some `requirements.txt`. As such, setting `basepython` to `python3.6`, similar to 8a9104b. Also, update the versions of `pip` and `pip-tools` used in the `pip-compile` `tox` target, and use the `--allow-unsafe` flag which is supposedly not really unsafe at all (and will become the default). See: 8a9104b Closes: #2897 Closes: #2898 See: pytest-dev/pluggy#222 See: https://github.com/pytest-dev/pluggy/pull/223/files#diff-60f61ab7a8d1910d86d9fda2261620314edcae5894d5aaa236b821c7256badd7 See: jazzband/pip-tools#806 (comment)
Due to changes in `pluggy` (a dependency of `pytest`) using the `importlib.metadata` module from the standard library instead of the `importlib-metadata` package when running on Python >= 3.8, we need to pin the `basepython` used in the `pip-compile` Tox env to the version that's actually used in CI, otherwise `pip` complains during installation of dependencies the `importlib-metadata` package is not listed (with hashes) in some `requirements.txt`. As such, setting `basepython` to `python3.6`, similar to 8a9104b. Also, update the versions of `pip` and `pip-tools` used in the `pip-compile` `tox` target, and use the `--allow-unsafe` flag which is supposedly not really unsafe at all (and will become the default). See: 8a9104b Closes: #2897 Closes: #2898 See: pytest-dev/pluggy#222 See: https://github.com/pytest-dev/pluggy/pull/223/files#diff-60f61ab7a8d1910d86d9fda2261620314edcae5894d5aaa236b821c7256badd7 See: jazzband/pip-tools#806 (comment)
Due to changes in `pluggy` (a dependency of `pytest`) using the `importlib.metadata` module from the standard library instead of the `importlib-metadata` package when running on Python >= 3.8, we need to pin the `basepython` used in the `pip-compile` Tox env to the version that's actually used in CI, otherwise `pip` complains during installation of dependencies the `importlib-metadata` package is not listed (with hashes) in some `requirements.txt`. As such, setting `basepython` to `python3.6`, similar to 8a9104b. Also, update the versions of `pip` and `pip-tools` used in the `pip-compile` `tox` target, and use the `--allow-unsafe` flag which is supposedly not really unsafe at all (and will become the default). See: 8a9104b Closes: #2897 Closes: #2898 See: pytest-dev/pluggy#222 See: https://github.com/pytest-dev/pluggy/pull/223/files#diff-60f61ab7a8d1910d86d9fda2261620314edcae5894d5aaa236b821c7256badd7 See: jazzband/pip-tools#806 (comment)
Due to changes in `pluggy` (a dependency of `pytest`) using the `importlib.metadata` module from the standard library instead of the `importlib-metadata` package when running on Python >= 3.8, we need to pin the `basepython` used in the `pip-compile` Tox env to the version that's actually used in CI, otherwise `pip` complains during installation of dependencies the `importlib-metadata` package is not listed (with hashes) in some `requirements.txt`. As such, setting `basepython` to `python3.6`, similar to 8a9104b. Also, update the versions of `pip` and `pip-tools` used in the `pip-compile` `tox` target, and use the `--allow-unsafe` flag which is supposedly not really unsafe at all (and will become the default). See: 8a9104b Closes: #2897 Closes: #2898 See: pytest-dev/pluggy#222 See: https://github.com/pytest-dev/pluggy/pull/223/files#diff-60f61ab7a8d1910d86d9fda2261620314edcae5894d5aaa236b821c7256badd7 See: jazzband/pip-tools#806 (comment)
Due to changes in `pluggy` (a dependency of `pytest`) using the `importlib.metadata` module from the standard library instead of the `importlib-metadata` package when running on Python >= 3.8, we need to pin the `basepython` used in the `pip-compile` Tox env to the version that's actually used in CI, otherwise `pip` complains during installation of dependencies the `importlib-metadata` package is not listed (with hashes) in some `requirements.txt`. As such, setting `basepython` to `python3.6`, similar to 8a9104b. Also, update the versions of `pip` and `pip-tools` used in the `pip-compile` `tox` target, and use the `--allow-unsafe` flag which is supposedly not really unsafe at all (and will become the default). Finally, since we're currently unable to properly update the MacOS X platform-specific dependencies for the buildchain (in `buildchain/requirements-Darwin.txt`), the updates to `buildchain/requirements-Linux.txt` are manually reverted (after running `tox -e pip-compile` on a Linux host) to ensure both `buildchain/requirements-Linux.txt` and `buildchain/requirements-Darwin.txt` remain in sync (except for `pyinotify` and `macfsevents`, as usual). See: 8a9104b Closes: #2897 Closes: #2898 See: pytest-dev/pluggy#222 See: https://github.com/pytest-dev/pluggy/pull/223/files#diff-60f61ab7a8d1910d86d9fda2261620314edcae5894d5aaa236b821c7256badd7 See: jazzband/pip-tools#806 (comment) See: #2986 (comment)
pip-compile considers several packages "unsafe" for pinning. However, we
would like to be able to pin the pip version itself in requirements-dev
("pip" is one of these unsafe packages).
Adding "--allow-unsafe" tells pip-compile to pin versions of "unsafe"
packages. Despite the warning, there's no evidence of any unsafe effects
from this, and pip-tools is considering deprecating this flag and making
it the default behaviour anyway [1].
I've tested this locally and it seems to work without issue.
[1]: jazzband/pip-tools#806 (comment)
…al with setuptools and pip requirements (see jazzband/pip-tools#806 for more details)
The flag is needed to create hash-pinned requirements for pip and setup-tools. Find more information about this at these issues from [pip-tools](jazzband/pip-tools#806) and from [pip](pypa/pip#6459). Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
) * ci: Update GitHub owned actions to be referenced by SHA. Work automated using StepSecurity Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> * ci: create hash-pinned requirements files for build and publish processes Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: change ci files to install build and publish dependencies using hashes Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: fix path to requirements files Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: rebuild the requirement.txt files using `--allow-unsafe` The flag is needed to create hash-pinned requirements for pip and setup-tools. Find more information about this at these issues from [pip-tools](jazzband/pip-tools#806) and from [pip](pypa/pip#6459). Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(workflows): move build requirements files to a separated folder Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * fix(workflow): requirements download was erasing work from previous steps Using the actions/checkout to download the requirements.txt was erasing some necessary files that came from previous steps. Thus, this commit changes moves the checkout action to the beginnig of the jobs. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: remove reference to inexistent input in pypi-publish.yml * docs(workflows): remove comment related to a line already delated from code Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(workflows): use a workflow-level env var to define path to build requirements file Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * fix(workflows): refer to env vars using ${{ }} sintax Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(workflows): move build and publish requirements files Moved from .github/workflows/requirements/ to .github/requirements/ Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs(workflows): add comments on requirements files explaining their relation Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci(workflows): update build dependencies to match exactly the ones at pyproject.toml Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * ci: remove unnecessary parameter When calling actions/checkout , we were passing the `ref` parameter as `github.ref`, but it will likely be always main, or the vary same value as the default for this parameter. * Update dependabot config to cover build/publish dependencies --------- Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
Some packages, such as pytest and Markdown, include minimum versions of setuptools in their requirements. Running
pip-compile --generate-hasheswithout--allow-unsafefor those packages creates arequirements.txtfile that doesn't work withpip install. This creates a bug that is easy to miss until deployment. Should--allow-unsafebe the default behavior for--generate-hashes?Environment Versions
Steps to replicate
Markdown, which requires a newer version of setuptools:Expected result
Successful install of Markdown.
Actual result
Install fails because setuptools==41.0.1 is not pinned.
Discussion
Seems like it would be good to do one of the following:
--allow-unsafewhen--generate-hashesis provided and there are unsafe package requirements.--generate-hashesas implying--allow-unsafe, maybe with a different comment in the generatedrequirements.txt.I don't know why
pip-compilechooses not to include setuptools or whypipchooses to require it, so I'm not sure what the correct thing to do is, but it seems likepip-compilehas all the info it needs to recommend whatever that thing is.(FWIW this is easy to miss and create latent bugs -- I did
pip install Markdownfirst, which upgraded setuptools and masked the error, and then things broke a few days later when another dev tried to recreate their virtualenv.)The text was updated successfully, but these errors were encountered: