Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hashes should get included with url dependencies in exported requirements.txt #164

Open
4 tasks done
blueyed opened this issue Nov 24, 2022 · 2 comments
Open
4 tasks done

Hashes should get included with url dependencies in exported requirements.txt #164

blueyed opened this issue Nov 24, 2022 · 2 comments

Comments

@blueyed
Copy link

blueyed commented Nov 24, 2022
edited
Loading

  • Poetry version: Poetry (version 1.2.2)
  • Python version: 3.11.0
  • OS version and name: Arch Linux
  • pyproject.toml: -
  • I am on the latest stable Poetry version, installed using a recommended method.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have consulted the FAQ and blog for any relevant entries or release notes.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

Given something along django-fsm-admin = { url = "https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip" } in [tool.poetry.dependencies] it results in django-fsm-admin @ https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip ; python_version >= "3.11" and python_version < "4.0" when using poetry export -f requirements.txt -o "requirements-main.txt" --only=main.

When using pip install -r requirements-main.txt it causes the following error:

ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip --hash=sha256:32bc3205cec3ec83a78dd0fd0b5f02f25d81a9689493c2580c8fdb4e02c6f4ec

I think with "url" requirements hashes can and should get included in the exported file.

For reference: this was fixed in PDM in pdm-project/pdm@1a1f8748 (via pdm-project/pdm#1103), where the output in requirements.txt looks as follows:

django-fsm-admin @ https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip \
    --hash=sha256:32bc3205cec3ec83a78dd0fd0b5f02f25d81a9689493c2580c8fdb4e02c6f4ec
@neersighted neersighted transferred this issue from python-poetry/poetry Nov 24, 2022
@dimbleby
Copy link
Contributor

duplicate #146

and as there IMO this belongs in poetry proper rather than here: if poetry were to include hashes in the lockfile then this plugin would automatically export them

@dunkmann00 dunkmann00 mentioned this issue Nov 30, 2022
Closed
2 tasks
@dunkmann00
Copy link

This should be resolved with python-poetry/poetry#7121

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@blueyed @dimbleby @dunkmann00