-
-
Notifications
You must be signed in to change notification settings - Fork 610
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Skip constraint path check #2038
Conversation
I don't think removing the type altogether is the right solution. Failing early with a definite traceback is better, in my opinion. |
It's not that early I guess but I can understand this. |
I tried early validation in #2040 but I honestly feel it is overshooting. |
If I understand it correctly, this command line option is more or less transparently passed down to pip internal, so it doesn't help much applying an additional layer of validation. |
Now I wasn't urging you to write an own enhanced parameter type! You must need this feature badly ;-). I think I'm going to ask over at |
@chrysle Haha, I never tried extending click type, so it was a fun exercise.
Yeah that makes sense. |
Honestly, this strikes me as dangerous and it removes the immutability/reproducibility property of the constraint files. This makes it possible to influence the resolved deptree by modifying an externally managed file on the internet which subsequently opens up a can of worms, allowing for rollback attacks. If this is implemented, it shouldn't behave like this by default and should only be toggled by the end-user with a sufficiently cautious flag name like |
It is a valid concern, but this is not a feature of pip-compile but pip itself. pip always supports reading a file from HTTP(S) for constraints and requirements. This feature has been used by for example Airflow for some time: https://raw.githubusercontent.com/apache/airflow/constraints-2.4.3/constraints-3.10.txt. So there is no reason that pip-compile should block it. Today users of pip-compile can already use a constraints file from HTTP(S) in a |
I think that's exactly the reason for doing it by default. |
Not sure I understand this. What do you mean as "by default"? I think the original PR adding |
I'm not sure pip-tools should support everything that pip does the same way. Its purpose is to aid reproducibility and constraints that are mutable at random points in time aren't exactly that. |
Whether it was overlooked is something that only the original PR author knows, I think. |
The thing is, pip-compile already supports this. In requirements.in:
There is no reason to not to support it via command line option I think. |
In terms of reproducibility, I think it boils down to how the remote constraints file is served and digested. A local file does not ensure reproducibility either. |
I'm not exactly sure why |
Please let me know how I can move this forward together with #2040. Thank you. |
Try rebasing. It's probably fixed on As for the change, I guess it's okay to make the CLI behave the same way as what's in the input files. |
Please help merge this when suitable. Thank you all for the reviews and suggestions. |
Thank you! |
pip
can read constraint file via HTTP sopip-compile
doesn't need to restrict that to a local file. Removing the option type makes it a plain string so users can pass in an URL. This of course skip local file validation, but the compilation would fail anyway if the file is not readable, no matter local or remote.Closes #2040
Contributor checklist
Maintainer checklist
backwards incompatible
,feature
,enhancement
,deprecation
,bug
,dependency
,docs
orskip-changelog
as they determine changelog listing.