-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Download source regression in 10.25 #5444
Comments
I am not sure what is causing this, but I can confirm that generating the lock file on the prior versions and the current version yields the same lock file, but pip itself (which was upgraded to latest 22.3) is rejecting the hashes and expecting a different hash on the latest version. Updating the lock file does not add the expected hash, so we are looking at a bug/regression of some kind. |
Ah well I got somewhere at least -- the issue is that its trying to install from the wrong index and getting a different hash. When I remove from the lock file:
then it installs fine -- it seems something is not working right with index restricted packages anymore. |
Issue description
When installing packages from the same lock file, 10.25 will fail with hash check error, while 10.12 will succeed.
Expected result
Both should install the packages.
Actual result
Based on what I can tell, the lockfile includes the SHAs for the .whl and the .tar.gz from PyPi. However, it actually downloads the wheel from PiWheels instead, which has a different SHA, not listed in the lock file.
So it's kind these steps happening
pypi
(ref)Steps to replicate
I threw together a basic repo here: https://github.com/stumpylog/pipenv-issue-repro
Please run
$ pipenv --support
, and paste the results here. Don't put backticks (`
) around it! The output already contains Markdown formatting.If you're on macOS, run the following:
If you're on Windows, run the following:
If you're on Linux, run the following:
The text was updated successfully, but these errors were encountered: