tuf-on-ci-sign fails to install with uv #205

Open
joshuagl opened this issue Feb 28, 2024 · 1 comment

I tried to install tuf-on-ci-sign with uv into a uv-created venv and ran into an error:

~ % uv pip install tuf-on-ci-sign
× No solution found when resolving dependencies:
╰─▶ Because there is no version of betterproto==2.0.0b6 and
sigstore-protobuf-specs==0.2.2 depends on betterproto==2.0.0b6, we can
conclude that sigstore-protobuf-specs==0.2.2 cannot be used. (1)
And because only the following versions of sigstore-protobuf-specs are
available:
sigstore-protobuf-specs<=0.2.2
sigstore-protobuf-specs>=0.3.dev0
and sigstore>=2.1.0 depends on sigstore-protobuf-specs>=0.2.2,<0.3.dev0,
we can conclude that sigstore>=2.1.0 cannot be used. (2)

  Because we know from (1) that sigstore-protobuf-specs==0.2.2 cannot
  be used and only the following versions of sigstore-protobuf-specs are
  available:
      sigstore-protobuf-specs<=0.2.2
      sigstore-protobuf-specs>=0.3.dev0
  we can conclude that sigstore-protobuf-specs>=0.2.2,<0.3.dev0 cannot be
  used. (3)

  Because there is no version of betterproto==2.0.0b5 and
  sigstore-protobuf-specs>=0.2.0,<=0.2.1 depends on betterproto==2.0.0b5,
  we can conclude that sigstore-protobuf-specs>=0.2.0,<=0.2.1 cannot be
  used.
  And because we know from (3) that
  sigstore-protobuf-specs>=0.2.2,<0.3.dev0 cannot be used, we can conclude
  that sigstore-protobuf-specs>=0.2.0,<0.3.dev0 cannot be used.
  And because only the following versions of sigstore-protobuf-specs are
  available:
      sigstore-protobuf-specs<=0.2.0
      sigstore-protobuf-specs==0.2.1
      sigstore-protobuf-specs>=0.2.2
  and sigstore>=2.0.0,<=2.0.1 depends on
  sigstore-protobuf-specs>=0.2.0,<0.3.dev0, we can conclude that
  sigstore>=2.0.0,<=2.0.1 cannot be used.
  And because we know from (2) that sigstore>=2.1.0 cannot be used, we can
  conclude that sigstore>=2.0.0 cannot be used.
  And because only the following versions of sigstore are available:
      sigstore<=2.0.0
      sigstore==2.0.1
      sigstore==2.1.0
      sigstore==2.1.2
      sigstore>=3.dev0
  and securesystemslib[sigstore]>=0.30.0 depends on sigstore>=2.0, we can
  conclude that securesystemslib[sigstore]>=0.30.0 cannot be used.
  And because only the following versions of securesystemslib[sigstore]
  are available:
      securesystemslib[sigstore]<=0.30.0
      securesystemslib[sigstore]==0.31.0
      securesystemslib[sigstore]>=1.dev0
  and all versions of tuf-on-ci-sign depend on
  securesystemslib[sigstore]>=0.30, we can conclude that all versions of
  tuf-on-ci-sign cannot be used.
  And because only the following versions of tuf-on-ci-sign are available:
      tuf-on-ci-sign==0.1.0
      tuf-on-ci-sign==0.2.0
      tuf-on-ci-sign==0.3.0
      tuf-on-ci-sign==0.4.0
      tuf-on-ci-sign==0.5.0
      tuf-on-ci-sign==0.6.0
      tuf-on-ci-sign==0.7.0
  and you require tuf-on-ci-sign, we can conclude that the requirements
  are unsatisfiable.

  hint: betterproto was requested with a pre-release marker (e.g.,
  betterproto==2.0.0b6), but pre-releases weren't enabled (try:
  `--prerelease=allow`)

  hint: sigstore-protobuf-specs was requested with a pre-release marker
  (e.g., sigstore-protobuf-specs>0.2.2,<0.3.dev0), but pre-releases
  weren't enabled (try: `--prerelease=allow`)

  hint: sigstore was requested with a pre-release marker (e.g., any of:
      sigstore>2.0.0,<2.0.1
      sigstore>2.0.1,<2.1.0
      sigstore>2.1.0,<2.1.2
      sigstore>2.1.2,<3.dev0
  ), but pre-releases weren't enabled (try: `--prerelease=allow`)

  hint: securesystemslib[sigstore] was requested with a pre-release marker
  (e.g., any of:
      securesystemslib[sigstore]>0.30.0,<0.31.0
      securesystemslib[sigstore]>0.31.0,<1.dev0
  ), but pre-releases weren't enabled (try: `--prerelease=allow`)

jku commented Feb 28, 2024

https://github.com/sigstore/protobuf-specs/blob/main/gen/pb-python/pyproject.toml#L28C18-L28C38

Looks like pip is fine with installing a beta release when protobuf-specs explicitly depends on it but uv is not cool with it. Not sure what uv needs --prerelease=allow for when the dependency is a specific version. But I also recognise that prereleases are a nightmare so probably no decision is good for every case:

> Pre-releases are notoriously difficult to model, and are a frequent source of bugs in other packaging tools. uv's pre-release handling is intentionally limited and intentionally requires user intervention to opt in to pre-releases to ensure correctness, though pre-release handling will be revisited in future releases.

Based on the readme it might also work if we explicitly depended on betterproto>=2.0.0b6 but that feels like a hack to
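
A simplified model of the pre-release policies discussed in this thread, added here as an illustration; it is not code from uv, pip or tuf-on-ci. It shows why a transitive `==2.0.0b6` pin finds no candidate when only the user's own requirements can opt in to pre-releases, and that a blanket allow also changes what is selected for unrelated packages. The policy labels (`specifier`, `first_party`, `allow`), the version lists and the `EXAMPLEPKG` dependency are constructed assumptions.

```python
import re

_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PHASE = {"a": 0, "b": 1, "rc": 2, None: 3}  # a final release sorts last

def parse(version):
    """Sort key for the PEP 440 subset used here (release + optional a/b/rc)."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, _PHASE[m.group(2)], int(m.group(3) or 0)

def is_pre(version):
    return parse(version)[1] < _PHASE[None]

def matches(spec, version):
    op, wanted = spec[:2], spec[2:]
    if op == "==":
        return parse(version) == parse(wanted)
    if op == ">=":
        return parse(version) >= parse(wanted)
    raise ValueError(f"unsupported operator in {spec!r}")

def pick(published, spec, direct, policy):
    """Return the newest version the policy lets the resolver use, or None."""
    names_pre = is_pre(spec[2:])
    if policy == "allow":            # blanket opt-in, applies to every package
        pre_ok = True
    elif policy == "specifier":      # any requirement naming a pre-release opts in
        pre_ok = names_pre
    elif policy == "first_party":    # only the user's own requirements opt in
        pre_ok = (direct and names_pre) or all(is_pre(v) for v in published)
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    usable = [v for v in published
              if matches(spec, v) and (pre_ok or not is_pre(v))]
    return max(usable, key=parse, default=None)

# Constructed version lists, not real index contents.
BETTERPROTO = ["1.2.5", "2.0.0b5", "2.0.0b6"]
EXAMPLEPKG = ["1.0.0", "1.1.0rc1"]   # hypothetical unrelated dependency

if __name__ == "__main__":
    for policy in ("specifier", "first_party", "allow"):
        print(policy,
              pick(BETTERPROTO, "==2.0.0b6", direct=False, policy=policy),
              pick(EXAMPLEPKG, ">=1.0.0", direct=True, policy=policy))
```

In this model the blanket policy is the only one that moves `EXAMPLEPKG` from `1.0.0` to `1.1.0rc1`, which is the side effect to weigh against declaring the pre-release on a direct requirement.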
