-
-
Notifications
You must be signed in to change notification settings - Fork 611
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hash packages without unpacking (Fixes #512 and #544) #557
Conversation
Some distributions have incompatible type of files with same name on the root directory. For example, matplotlib-2.0.2.tar.gz has a directory named "LICENSE" on the root, which may conflict many other distributions, causing errors like: IOError: [Errno 20] Not a directory: u'/tmp/tmpz/LICENSE/LICENSE_STIX' So we need to isolate unpacking directory of each distributions.
1b9fec8
to
e264bd3
Compare
The PyPIRepository._get_file_hash used to call unpack_url, when generating the hash. It only needed the side effect of the downloaded package being left in the download directory and the unpacking part was actually unnecessary. Change it to just open the (local or remote) package as a file object and hash the contents without unpacking. This makes it faster and lighter, since unpacking consumes CPU cycles and disk space, and more importantly, avoids problems which happen when some distribution has a file with the same name as a directory in another. Unpacking both to packages to the same directory will then fail. E.g. matplotlib-2.0.2.tar.gz has a directory named LICENSE, but many other packages have a file named LICENSE. Fixes jazzband#512, jazzband#544
e264bd3
to
627dbaf
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Can this be merged, please? |
@suutari it would be even better if you pulled the SHA256 hashes from PyPI directly. |
Fixes #544 |
IMHO Pulling the hashesh from Warehouse is a different issue. This fixes two existing bugs. That would be a new feature, so I'd rather create a new PR of it. |
This would also help solve sdispater/poet#21 - which is basically an extension of #512. It would be great to see this merged. |
@suutari @suutari-ai Could you rebase on master, I'll be ready to get this in right away. Thanks! |
Thanks for the PR! |
The PyPIRepository._get_file_hash used to call unpack_url, when
generating the hash. It only needed the side effect of the downloaded
package being left in the download directory and the unpacking part was
actually unnecessary. Change it to just open the (local or remote)
package as a file object and hash the contents without unpacking.
This makes it faster and lighter, since unpacking consumes CPU cycles
and disk space, and more importantly, avoids problems which happen when
some distribution has a file with the same name as a directory in
another. Unpacking both to packages to the same directory will then
fail. E.g. matplotlib-2.0.2.tar.gz has a directory named LICENSE, but
many other packages have a file named LICENSE.
Fixes #512, #544
Contributor checklist