URL based dependencies don't generate a hash #146
Comments
@lucaskjaero is this related to python-poetry/poetry#1631? In essence I don't think Depending on your situation, if you can get away with a requirements file that only contains version numbers and not hashes, you can try:
@novemberkilo Yes, I think they might have the same root cause. That workaround definitely helps, thanks!
Is there a workaround for this? Can we calculate hash manually and somehow include it in pyproject.toml file?
I believe this problem is also hit if you are using your own private pypi repos. All my regular dependencies have hashes, but for all packages installed from our private pypi repo, the hashes are missing when performing a
I believe this issue should not have low priority because it is a security concern. People use these hashes to mitigate a certain security risk. The
this issue belonged in poetry all along: if poetry were to store hashes for url dependencies then the export plugin would write them out
I'm not sure -- the original ask is for
if there isn't an issue somewhere complaining that poetry fails to store hashes for url dependencies there probably ought to be; and then this would be entirely secondary to that
This should be resolved with python-poetry/poetry#7121
Issue
When adding a normal python dependency, poetry will generate hashes of the downloaded files to put in the lockfile. These can then be given to pip to create reproducible builds. When adding a url dependency, these hashes are not created, and pip cannot successfully install dependencies.
Steps to reproduce
poetry add https://github.com/explosion/spacy-models/releases/download/en_core_web_sm-2.2.0/en_core_web_sm-2.2.0.tar.gz
poetry export -f requirements.txt | /venv/bin/pip install -r /dev/stdin
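
An added example, not part of the original issue or of Poetry's code: a small audit that finds exported requirements lacking `--hash` when other entries carry one (the mix pip rejects once hash-checking mode is active) and computes a sha256 pin for an archive that has already been downloaded and vetted. The sample export, the `examplepkg` entry, its all-zero hash and the archive bytes are constructed, and the `name @ url` form of the exported line is an assumption.

```python
import hashlib
import io

URL = ("https://github.com/explosion/spacy-models/releases/download/"
       "en_core_web_sm-2.2.0/en_core_web_sm-2.2.0.tar.gz")
# Constructed sample of an export that mixes a hashed entry with an unhashed URL entry.
SAMPLE_EXPORT = (
    "en-core-web-sm @ " + URL + "\n"
    "examplepkg==1.0.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
)

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            out.append(buf.strip())
        buf = ""
    return out

def missing_hashes(text):
    """Entries without --hash, reported only when some other entry has one.
    One --hash anywhere puts pip in hash-checking mode for the whole file."""
    reqs = [l for l in logical_lines(text) if not l.startswith("-")]
    if not any("--hash=" in r for r in reqs):
        return []
    return [r for r in reqs if "--hash=" not in r]

def sha256_pin(stream, chunk=1 << 16):
    """Hash a binary stream in chunks and return pip's --hash option."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return "--hash=sha256:" + digest.hexdigest()

def pin(requirement, stream):
    """Append the computed hash option to one requirement entry."""
    return f"{requirement} {sha256_pin(stream)}"

if __name__ == "__main__":
    for req in missing_hashes(SAMPLE_EXPORT):
        # b"abc" is a constructed stand-in for the vetted archive file.
        print(pin(req, io.BytesIO(b"abc")))
```

The pin only records what was hashed, so compute it from a copy of the archive obtained and checked through a trusted path, not from the same download the install will perform.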