-
-
Notifications
You must be signed in to change notification settings - Fork 636
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using install_from_resolve
with a manually generated lockfile raises AssertionError
#18932
Comments
Yeah, this isn't supported. A tool lockfile must be a pants-generated one. We have been thinking of deprecating those hand-knitted requirements.txt-style lockfiles. Do you have to use them, or could you switch to the (vastly better :) ) pants-generated ones? |
Ok, I understand. My 2c, deprecating the requirements.txt would have a pretty big impact for us. We use pants as part of a wider tool chain. We might be able to limit this impact if there's a clear way of generating a PEX-style lockfile from a poetry.lock. Is the PEX-style lockfile format documented somewhere? |
It's purposely undocumented. The only blessed way to create one is |
We have a The
The In order for pants to use a PEX-style lockfile, I see 4 possibilities (please correct me where my assumptions are wrong):
This doesn't work for us, as we need the
This goes against the whole idea of a lockfile, since we'll have two lockfiles built using different solvers at potentially different moments in time. There is a possibility of ending up with two different transitive closures, or different checksums. This is potential source of very subtle bugs or security vulnerabilities.
I'm assuming that from a version point of view, since the In addition, this approach involves a redundant solve step, although that's not a blocker.
This seems like the most appropriate approach, as it preserves our I understand that there is only one blessed way of generating PEX-style lockfiles, so producing one via custom code introduces a risk if the pants team decide to change the format down the line, but I believe this risk to be manageable as it would only occur on an upgrade, and that's an opt-in process on our side. Whilst there is no documentation of the format (I'm guessing you don't want to commit to a specific structure or have to maintain backwards compatibility, which is understandable), it seems relatively straight-forward. I still think some form of docs, or at least commented code, with a big red "PROCEED AT YOUR OWN RISK" would be useful :) |
Re #4, the format is easy to reverse-engineer, but again can change without warning. So if it's not hard to cobble together that converter (I don't know enough about poetry.lock to say) then probably worth a try! The alternative is to let Pants support poetry lockfiles for tools etc. I'll keep that in mind as I tinker with this functionality. |
Re #3, you can run pex directly to do this, and I think the checksums would be stable, why wouldn't they be? |
I'm going to give the converter a go - my mileage may vary... Re-checksums, I would imagine that in most cases you're correct, the checksums would be identical, unless someone has changed the underlying files (either maliciously or otherwise) between the two resolves - then that becomes a vulnerability because you're not actually using the original checksum to check the code being downloaded. |
Describe the bug
Using
install_from_resolve
with[pytest]
raises an AssertionError (fromassert loaded_lockfile.is_pex_native
in source) when the associated lockfile is a manually generated requirements-style lockfile.The relevant parts of the pants.toml:
The lockfile contains the following dependencies (and their transitive dependencies):
Am I missing something in my config? Is this use-case not supported?
Pants version
2.16.0rc0
OS
Tested on macOS. Not tested on other platforms.
Additional info
The contents of
src/py/deps.lock
is in this gist.The text was updated successfully, but these errors were encountered: