Handling new distributions added after locking

[alexbecker]

A few days ago, the zope.interface maintainers added some new distributions to their 4.5.0 release. This broke our builds, because pipenv install downloaded the new cp36-manylinux1 wheel, which did not match any of the saved hashes.

Ideally, pipenv would not attempt to download any distribution that does not have a hash in the lockfile. This may not be easy without work on pip's side (pypa/pip#5874), but I wanted to bring it to your attention.

[uranusjr]

You are correct that Pipenv should do this, ideally, but Pipenv leverages a lot on pip, which does not support this. I am already working on pip internals to extract logic so we can do this, but this is not as easy as you might imagine.

[techalchemy]

I believe it's not really that hard, we just need to define the desired behavior first (which will require a PEEP. I would like to see that outlined anyway, as the implementation is a bit murky. Would it be preferred for instance that we just suggest the user re-lock if they don't have input disabled? That's easy enough.

If not, we have some options:

• We can extend our patches to pip's wheel priority sorting / selection algorithm, see https://github.com/pypa/pipenv/blob/master/tasks/vendoring/patches/patched/pip18.patch#L134 for example (but this only works when resolving, so we would have to output a specific target wheel for pip to install)
• We could modify the installation process on our end to simply stop asking questions, and instead always pass explicit files/links (we need to store more metadata or query first to achieve this)
• We could pre-filter the simple index down to matching candidates, hash check those, filter out the non-matching ones, and kind of patch in the sorting algorithm there for candidate selection (in order to respect --no-binary and --only-binary etc)
• Something cleverer than these?

[uranusjr]

Just to clarify: My “this is not as easy as” comment was for “working on pip internals”, not the issue itself.

[techalchemy]

Well I think we can outline what we want as a desired behavior pretty easily. The hard part will be getting consensus and implementation

[uranusjr]

(Sorry, commented on the wrong issue) I would expose a top-level function set_pip_module that takes a string (or an imported module) to set the global variable.