Pip: 2020 resolver does not consider hashes in the constraints file

We completely overlooked this 🙂

Constraints went through a minor re-design in the new resolver, so there are a few decisions we need to make:

1. Do we want to continue to support this usage? I’m inclined to say yes since this usage essentially adds further restrictions on what pip can choose when downloading distributions, which is not unlike version specifiers. Discussions in #8253 seems like we are open to applying this kind of “adding further restrictions” semantic to constraints. (Note: we’ll still need to add an error message if we decide to not support this. The current implementation silently ignores hashes.)
2. What should we do when hashes are specified in both constraints and requirements? There are three choices I can think of: requirements override constraints, union, and intersection. My intuition goes to intersection (i.e. the constraints restrict the list of hashes further) since that’s how version specifiers are merged. what does the current resolver do? What happens when a package appear multiple times in an install command with different list of hashes?

Interesting, I did not expect that hashes in the constraints file wouldn't be processed, so I was wrong about the cause of my issue. I've made my example simpler in a branch (https://github.com/jwhitlock/pip-resolver-demo/tree/just-constraints). I've added a note to my original bug, and plan to change the title, but I haven't re-written my original bug entirely.

My mental model of a constraints file is that it is the requirements of the requirements that I care about. For example, I use Sphinx to generate documentation, but I don't particularly care about sphinxcontrib-qthelp, it just comes along for the ride. I've evangelized for this model with https://stackoverflow.com/questions/34645821/pip-constraints-files/36848206#36848206.

This separation supports the way I approach package updates:

• When updating the project requirements:
  
  
  
  • Update a few weeks after each release
  
  
  • Read the changelog, and think about project changes before and after the update
  
  
  • Run automated tests after updating
  
  
  • Run some manual tests around the project functionality that uses that requirement
  
  
  • Run the project in a staging environment overnight
  
  
• When updating the requirements of requirements (which I stick in constraints)
  
  
  
  • Batch a bunch at once, otherwise only update for security issues
  
  
  • Skip the changelog unless it is easy to find and skim
  
  
  • Let continuous integration run automated tests
  
  
  • Skip manual tests
  
  
  • Briefly run on stage before going to production
  
  

The other nice feature of constraints is that, if a project requirement stopped requiring them, then they didn't get installed. Otherwise, it seems like I could solve my issue by changing -c constraints.txt to -r constraints.txt.

With that preamble, my answers are:

1. Do we want to continue to support this usage? I hope so. When installing with hashes, the hash is as important as a version for the constraint. If someone is going to do something funky, I could imagine a new build for a widely used but somewhat boring requirement-of-requirements, and I'd want the hash to signal the shenanigans.
2. What should we do when hashes are specified in both constraints and requirements? For my use case, an intersection (only hashes in all specs) would work. I'd go a step further, and say the hash list must be identical if present. This treats the version number + sorted hash list as the full package restriction.

I think other people's legit use would be a requirements.txt file with:

Django>=3.0

and a constraints.txt with

Django==3.1 \
    --hash=sha256:1a63f5bb6ff4d7c42f62a519edc2adbb37f9b78068a5a862beff858b68e3dc8b \
    --hash=sha256:2d390268a13c655c97e0e2ede9d117007996db692c1bb93eabebd4fb7ea7012b
pytz==2020.1 \
    --hash=sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed \
    --hash=sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048
sqlparse==0.3.1 \
    --hash=sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e \
    --hash=sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548
asgiref==3.2.10 \
    --hash=sha256:7e51911ee147dd685c3c8b805c0ad0cb58d360987b56953878f8c06d2d1c6f1a \
    --hash=sha256:9fc6fb5d39b8af147ba40765234fa822b39818b12cc80b35ad9b0cef3a476aed

so that

pip install -r requirements.txt -c constraints.txt --use-feature=2020-resolver

works and securely installs the listed packages.

@pfmoore Do you have concerns with (re?)introducing this behaviour, for this use-case?

tl;dr; I feel that we should be cautious, but I don't have a strong objection.

I wouldn't describe the new resolver changes as a "minor redesign" - I think we did a fairly comprehensive overhaul and stripped constraints files down to being purely a way to specify global (version) limits for packages. That gave us a very specific behaviour, that translates well to how pip decides which version to install (don't even consider versions that don't match the limits in the constraint file).

I'm fine with adding extra functionality to constraint files that is in the same vein - removing certain candidates from consideration up front. As @uranusjr says, hashes can be viewed in this way, and so I feel that it's a reasonable extension. However, that logic does mean that IMO the only reasonable interpretation of the case when hashes are in both constraints and requirements is "intersection" - pip never considers anything that doesn't match the constraints, so if a requirement has a conflicting hash, pip will see nothing and hence will fail. I'd be unhappy with "requirements override" or "union" because they don't fit that model.

My mental model of a constraints file is that it is the requirements of the requirements that I care about.

That's not how I viewed them when I designed the new implementation. As I said above, the intended interpretation is that constraints limit what candidates pip sees. Most of the time, I don't expect there to be much difference in the viewpoints (which has positive and negative aspects - we won't conflict with people's expectations, which is good, but people may want to push constraints in a direction we didn't intend, which is less so...)

Some additional context:

pip currently merges hash lists (i.e. a union operation) if a requirement is specified multiple times. So this

# This one points to the sdist.
six==1.15.0 --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259

# This points to the wheel.
six==1.15.0 --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced

has the same effect as

six==1.15.0 \
    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced

The ordering of hashes does not matter, nor whether the line is a constraint or requirement. So if we’re going to change the constraint file’s behaviour, we should probably also change the merge logic in requirements.txt as well. But the problem is, the merge is currently done during the parsing stage, and shared between both resolvers. This can be tricky to change 😥

Ah. Yes, that will be tricky. But IMO having a consistent model is the important thing (something pip has traditionally not been very good at doing 🙁) so we should either come up with a different model for constraints that makes union the "natural" interpretation¹, or bite the bullet and make the tricky change. Personally, I like the current model as it's very easy to explain.

¹ And, of course, review the existing constraints code to make sure it conforms to the changed model 🤷

Where does the merging occur?

My understanding was that we were handling the hash-checking-related rejections in Provider.find_matches (and, finally, in a loop in whatever the relevant method on Factory is).

The merging is done in the Hashes class (which is on InstallRequirement). I traced the code and believe it’s possible to only change the new resolver implementation to do the intersection logic (and keep the legacy resolver as-is, performing union). PR coming shortly.

I traced the code and believe it’s possible to only change the new resolver implementation to do the intersection logic (and keep the legacy resolver as-is, performing union).

I did this too, and I was wondering whether I was missing something. :)

PR coming shortly.

\o/

Intersection sounds the most natural to me too. Just one question: what if we have foo and foo --hash .... Does it result in an empty hash set? Or is it simply not allowed because hash checking mode rejects requirements with no hashes?

Do you have a real world use case? If you're asking in a purely theoretical sense, then I'd say:

1. foo must appear in a genuine requirement (a constraint of foo by itself makes no sense).
2. So we're talking about foo in a requirement and foo --hash in a constraint.

I'd say that the result should be that only versions of foo with the given hash can be selected (i.e., intersection) but it wouldn't trigger full hash checking mode, because hashes in constraint files don't do that.

But I don't really like that behaviour, because it would encourage people to use constraints for "only hash check one project" mode. An alternative would be to disallow hashes in constraints files unless hash checking mode is in force (which would mean that a constraint file with hashes in it couldn't be used with requirements that omit hashes).

It's hard to say which is best without a proper use case, though.

The bigger question is whether constraints files can even include some projects with hashes and others without. Hash checking is supposed to be all-or-nothing, and having constraints files that could add hashes to some projects but not others could be very confusing. Maybe what we should really be doing is saying that hashes in constraint files should also be all-or-nothing, and therefore that if a constraint file contains hashes, all projects in that constraint file must have hashes, and using the constraint file triggers hash checking mode, meaning that any requirements not limited by a constraint must have a hash specified in the requirements.

But all of this is guessing. We don't have a good enough conceptual model of has checking (IMO - or if we do, it's not documented well enough) and we don't have enough real use cases to infer what rules would be useful.

Do you have a real world use case?

Not really. The current hash checking mode is not practical for my use cases because it does not work with VCS URLs and it disables the wheel cache.

So I'm probing the corner cases to try to make myself a mental model of what would work and what not. And the model is not clear yet, for sure :)

What could work is to say that when a constraint gets activated and we are in hash checking mode, that constraint must have hashes, just like other requirements. And then do the intersection.

what if we have foo and foo --hash .... Does it result in an empty hash set? Or is it simply not allowed because hash checking mode rejects requirements with no hashes?

You would get

Hashes are required in --require-hashes mode, but they are
missing from some requirements. Here is a list of those
requirements along with the hashes their downloaded archives
actually had. Add lines like these to your requirements files to
prevent tampering. (If you did not enable --require-hashes
manually, note that it turns on automatically when any package
has a hash.)

Indeed there is a theoratical use case, but I’m happy to keep it as-is and not worry about it.

The 20.2.4 release didn't fix my issue. Should I open a new bug or re-open this one?

Consider this requirements.txt:

-c constraints.txt
Django==3.1 \
    --hash=sha256:1a63f5bb6ff4d7c42f62a519edc2adbb37f9b78068a5a862beff858b68e3dc8b \
    --hash=sha256:2d390268a13c655c97e0e2ede9d117007996db692c1bb93eabebd4fb7ea7012b

and this constraints.txt:

pytz==2020.1 \
    --hash=sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed \
    --hash=sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048
sqlparse==0.3.1 \
    --hash=sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e \
    --hash=sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548
asgiref==3.2.10 \
    --hash=sha256:7e51911ee147dd685c3c8b805c0ad0cb58d360987b56953878f8c06d2d1c6f1a \
    --hash=sha256:9fc6fb5d39b8af147ba40765234fa822b39818b12cc80b35ad9b0cef3a476aed

This works:

pip install -r requirements.txt

and this fails:

pip install -r requirements.txt --use-feature=2020-resolver

with:

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    asgiref~=3.2.10 from https://files.pythonhosted.org/packages/d5/eb/64725b25f991010307fd18a9e0c1f0e6dff2f03622fc4bcbcdb2244f60d6/asgiref-3.2.10-py3-none-any.whl#sha256=9fc6fb5d39b8af147ba40765234fa822b39818b12cc80b35ad9b0cef3a476aed (from Django==3.1->-r requirements.txt (line 2))

@jwhitlock I think the fix to the issue is surfacing another different bug (that was not triggered previously since pip fails before hitting it). It would be best to track it in another issue.