Skip to content

Handling new distributions added after locking #3022

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
alexbecker opened this issue Oct 13, 2018 · 5 comments
Closed

Handling new distributions added after locking #3022

alexbecker opened this issue Oct 13, 2018 · 5 comments
Labels
Category: Pip Requires pip update to address Status: Requires PEEP This issue requires an accompanying enhancement proposal Type: Behavior Change This issue describes a behavior change.

Comments

@alexbecker
Copy link

A few days ago, the zope.interface maintainers added some new distributions to their 4.5.0 release. This broke our builds, because pipenv install downloaded the new cp36-manylinux1 wheel, which did not match any of the saved hashes.

Ideally, pipenv would not attempt to download any distribution that does not have a hash in the lockfile. This may not be easy without work on pip's side (pypa/pip#5874), but I wanted to bring it to your attention.

@uranusjr
Copy link
Member

You are correct that Pipenv should do this, ideally, but Pipenv leverages a lot on pip, which does not support this. I am already working on pip internals to extract logic so we can do this, but this is not as easy as you might imagine.

@techalchemy
Copy link
Member

I believe it's not really that hard, we just need to define the desired behavior first (which will require a PEEP. I would like to see that outlined anyway, as the implementation is a bit murky. Would it be preferred for instance that we just suggest the user re-lock if they don't have input disabled? That's easy enough.

If not, we have some options:

  • We can extend our patches to pip's wheel priority sorting / selection algorithm, see https://github.com/pypa/pipenv/blob/master/tasks/vendoring/patches/patched/pip18.patch#L134 for example (but this only works when resolving, so we would have to output a specific target wheel for pip to install)
  • We could modify the installation process on our end to simply stop asking questions, and instead always pass explicit files/links (we need to store more metadata or query first to achieve this)
  • We could pre-filter the simple index down to matching candidates, hash check those, filter out the non-matching ones, and kind of patch in the sorting algorithm there for candidate selection (in order to respect --no-binary and --only-binary etc)
  • Something cleverer than these?

@techalchemy techalchemy added Type: Behavior Change This issue describes a behavior change. Status: Requires PEEP This issue requires an accompanying enhancement proposal Category: Pip Requires pip update to address labels Nov 5, 2018
@uranusjr
Copy link
Member

uranusjr commented Nov 5, 2018

Just to clarify: My “this is not as easy as” comment was for “working on pip internals”, not the issue itself.

@techalchemy
Copy link
Member

Well I think we can outline what we want as a desired behavior pretty easily. The hard part will be getting consensus and implementation

@uranusjr
Copy link
Member

uranusjr commented Nov 5, 2018

(Sorry, commented on the wrong issue) I would expose a top-level function set_pip_module that takes a string (or an imported module) to set the global variable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Category: Pip Requires pip update to address Status: Requires PEEP This issue requires an accompanying enhancement proposal Type: Behavior Change This issue describes a behavior change.
Projects
None yet
Development

No branches or pull requests

4 participants