Pipenv is creating requirements.txt files that fail installation complaining about unpinned versions in hashes mode. This may be related to #491 or #357, but as those are closed and this is reproducible in 9.0.3, I thought I should post it.
Unless I'm not understanding the feature correctly, one should be able to set up a virtualenv and use the generated requirements.txt file to populate it without need of a Pipfile or pipenv, but the file being generated isn't working.
The output of lock -r is insufficient for use as requirements.txt. I think there may be a problem with a dependency of a dependency not being locked to a specific version.
$ pipenv --version
pipenv, version 9.0.3
$ python --version
Python 3.6.4
$ cat Pipfile
[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
[packages]
django-two-factor-auth = "==1.7.0"
$ pipenv install
Creating a virtualenv for this project…
Using base prefix '/usr'
New python executable in /home/daniel/.local/share/virtualenvs/scratch-kl-E6MqG/bin/python
Installing setuptools, pip, wheel...done.
Virtualenv location: /home/daniel/.local/share/virtualenvs/scratch-kl-E6MqG
Installing dependencies from Pipfile.lock (beb093)…
🐍 ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 9/9 — 00:00:02
To activate this project's virtualenv, run the following:
$ pipenv shell
$ pipenv lock -r > requirements.txt
$ cat requirements.txt
babel==2.5.3 --hash=sha256:ad209a68d7162c4cff4b29cdebe3dec4cef75492df501b0049a9433c96ce6f80 --hash=sha256:8ce4cb6fdd4393edd323227cba3a077bceb2a6ce5201c902c65e730046f41f14
django==2.0.1 --hash=sha256:52475f607c92035d4ac8fee284f56213065a4a6b25ed43f7e39df0e576e69e9f --hash=sha256:d96b804be412a5125a594023ec524a2010a6ffa4d408e5482ab6ff3cb97ec12f
django-formtools==2.1 --hash=sha256:cb2bd7c29c2104278e5a0e76f7ff256b9570acf11485d547ee0c1b35347359fb --hash=sha256:7703793f1675aa6e871f9fed147e8563816d7a5b9affdc5e3459899596217f7c
django-otp==0.4.2 --hash=sha256:06047e6f20e1527363ced31e4e8ea090f531cb33f4acd1bcaa6358a2efc05dbe --hash=sha256:b1b0166717e35363e8b8fba7d23e5a3e4f175b4893b2e1b68ac8bd3e1908c6a9
django-phonenumber-field==1.3.0 --hash=sha256:8db9d2dc833678b163adabd593cda7ad1dede81a1c18f67c895701fc44dc44f1
django-two-factor-auth==1.7.0 --hash=sha256:ae60423decd63aad85dff68d47784d9bf64cf45d7d6cd37e0664d9e6d5d5b37e --hash=sha256:21ee5a97a2e354973680a4d21f48fdc59d4660f01b4c645e9e19269813733543
pytz==2017.3 --hash=sha256:80af0f3008046b9975242012a985f04c5df1f01eed4ec1633d56cc47a75a6a48 --hash=sha256:feb2365914948b8620347784b6b6da356f31c9d03560259070b2f30cff3d469d --hash=sha256:59707844a9825589878236ff2f4e0dc9958511b7ffaae94dc615da07d4a68d33 --hash=sha256:d0ef5ef55ed3d37854320d4926b04a4cb42a2e88f71da9ddfdacfde8e364f027 --hash=sha256:c41c62827ce9cafacd6f2f7018e4f83a6f1986e87bfd000b8cfbd4ab5da95f1a --hash=sha256:8cc90340159b5d7ced6f2ba77694d946fc975b09f1a51d93f3ce3bb399396f94 --hash=sha256:dd2e4ca6ce3785c8dd342d1853dd9052b19290d5bf66060846e5dc6b8d6667f7 --hash=sha256:699d18a2a56f19ee5698ab1123bbcc1d269d061996aeb1eda6d89248d3542b82 --hash=sha256:fae4cffc040921b8a2d60c6cf0b5d662c1190fe54d718271db4eb17d44a185b7
qrcode==4.0.4 --hash=sha256:f3993aea9e3af2ca92b64128a81f36ed978a44d115a214293bfcd2cae7de8f6e
six==1.11.0 --hash=sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb --hash=sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9
$ virtualenv --python python3 .virtualenv
Running virtualenv with interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /tmp/scratch/.virtualenv/bin/python3
Also creating executable in /tmp/scratch/.virtualenv/bin/python
Installing setuptools, pip, wheel...done.
$ . .virtualenv/bin/activate
$ pip install -r requirements.txt
Collecting babel==2.5.3 (from -r requirements.txt (line 1))
Using cached Babel-2.5.3-py2.py3-none-any.whl
Collecting django==2.0.1 (from -r requirements.txt (line 2))
Using cached Django-2.0.1-py3-none-any.whl
Collecting django-formtools==2.1 (from -r requirements.txt (line 3))
Using cached django_formtools-2.1-py2.py3-none-any.whl
Collecting django-otp==0.4.2 (from -r requirements.txt (line 4))
Using cached django_otp-0.4.2-py2.py3-none-any.whl
Collecting django-phonenumber-field==1.3.0 (from -r requirements.txt (line 5))
Using cached django-phonenumber-field-1.3.0.tar.gz
Collecting django-two-factor-auth==1.7.0 (from -r requirements.txt (line 6))
Using cached django_two_factor_auth-1.7.0-py2.py3-none-any.whl
Collecting pytz==2017.3 (from -r requirements.txt (line 7))
Using cached pytz-2017.3-py2.py3-none-any.whl
Collecting qrcode==4.0.4 (from -r requirements.txt (line 8))
Using cached qrcode-4.0.4.tar.gz
Collecting six==1.11.0 (from -r requirements.txt (line 9))
Using cached six-1.11.0-py2.py3-none-any.whl
Collecting phonenumberslite>=7.0.2 (from django-phonenumber-field==1.3.0->-r requirements.txt (line 5))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
phonenumberslite>=7.0.2 from https://pypi.python.org/packages/3e/30/9ee89bb84755f1bdb12c158a77035ee646484590607f456281254fb5ef65/phonenumberslite-8.8.10-py2.py3-none-any.whl#md5=7cbbd0f87fd0f6caca431555dae751d7 (from django-phonenumber-field==1.3.0->-r requirements.txt (line 5))
Yeah, I was having this issue with the discord.py library as well. It was giving the same error for a dependency.
requirements.txt
aiohttp==1.0.5 --hash=sha256:81a6aaace2b9e8a87531277a5d5f998efbd3554c15bf47173834386966d1bbe1 --hash=sha256:ad374a5d7be1de271ecd0fb0ef87c0f8dd9fb062e6fae350fa6c098360018978 --hash=sha256:3ac6fa105355928e2fc02e876d0d72d6230557d4637017ebf09aec7611124155 --hash=sha256:3a253332a0d8f82549e65035ebe7199580c3ea0e47071b7428f25b109b3c0310 --hash=sha256:e1985766a4c83fcbdf7dde06544231fc9fb3de8929788179e623d6f9f9f321d2 --hash=sha256:714c62532ca6be90be4b54002743e7ea277ec78b45f04ae86cdc6f45a8400abd --hash=sha256:c579ec606f25b3f756f177fee6db344f8d7ef75cfc0603a94c9fa1d1c645789d --hash=sha256:3bfcb76553d7f6296d1a598162d5fb890198f98c021540cbbb85bb604ff198db --hash=sha256:c3e1897726f97d40e067e8b658b2dbdfe216f32b801c5c589212e1b1f9aa8388
async-timeout==2.0.0 --hash=sha256:d3a195a827b0f4068d1616ae2da04aac62e365d14f2b13dbc071f9feed9db4e2 --hash=sha256:c17d8ac2d735d59aa62737d76f2787a6c938f5a944ecf768a8c0ab70b0dea566
certifi==2018.1.18 --hash=sha256:14131608ad2fd56836d33a71ee60fa1c82bc9d2c8d98b7bdbc631fe1b3cd1296 --hash=sha256:edbc3f203427eef571f79a7692bb160a2b0f7ccaa31953e99bd17e307cf63f7d
cffi==1.11.4 --hash=sha256:5d0d7023b72794ea847725680e2156d1d01bc698a9007fccce46d03c904fe093 --hash=sha256:86903c0afab4a3390170aca61f753f5adad8ffff947030719ee44dedc5b68403 --hash=sha256:7d35678a54da0d3f1bc30e3a58a232043753d57c691875b5a75e4e062793bc9a --hash=sha256:824cac33906be5c8e976f0d950924d88ec058989ef9cd2f77f5cd53cec417635 --hash=sha256:6ca52651f6bd4b8647cb7dee15c82619de3e13490f8e0bc0620830a2245b51d1 --hash=sha256:a183959a4b1e01d6172aeed356e2523ec8682596075aa6cf0003fe08da959a49 --hash=sha256:9532c5bc0108bd0fe43c0eb3faa2ef98a2db60fc0d4019f106b88d46803dd663 --hash=sha256:96652215ef328262b5f1d5647632bd342ac6b31dfbc495b21f1ab27cb06d621d --hash=sha256:6c99d19225e3135f6190a3bfce2a614cae8eaa5dcaf9e0705d4ccb79a3959a3f --hash=sha256:12cbf4c04c1ad07124bfc9e928c01e282feac9ec7dd72a18042d4fc56456289a --hash=sha256:69c37089ccf10692361c8d14dbf4138b00b46741ffe9628755054499f06ed548 --hash=sha256:b8d1454ef627098dc76ccfd6211a08065e6f84efe3754d8d112049fec3768e71 --hash=sha256:cd13f347235410c592f6e36395ee1c136a64b66534f10173bfa4df1dc88f47d0 --hash=sha256:0640f12f04f257c4467075a804a4920a5d07ef91e11c525fc65d715c08231c81 --hash=sha256:89a8d05b96bdeca8fdc89c5fa9469a357d30f6c066262e92c0c8d2e4d3c53cae --hash=sha256:a67c430a9bde73ae85b0c885fcf41b556760e42ea74c16dc70431a349989b448 --hash=sha256:7a831170b621e98f45ed1d5758325be19619a593924127a0a47af9a72a117319 --hash=sha256:796d0379102e6da5215acfcd20e8e69cca9d97309215b4ce088fe175b1c2f586 --hash=sha256:0fe3b3d571543a4065059d1d3d6d39f4ca6da0f2207ad13547094522e32ead46 --hash=sha256:678135090c311780382b1dd3f828f715583ea8a69687ed053c047d3cec6625d6 --hash=sha256:f4992cd7b4c867f453d44c213ee29e8fd484cf81cfece4b6e836d0982b6fa1cf --hash=sha256:6d191fb20138fe1948727b20e7b96582b7b7e676135eabf72d910e10bf7bfa65 --hash=sha256:ec208ca16e57904dd7f4c7568665f80b1f7eb7e3214be014560c28def219060d --hash=sha256:b3653644d6411bf4bd64c1f2ca3cb1b093f98c68439ade5cef328609bbfabf8c --hash=sha256:f4719d0bafc5f0a67b2ec432086d40f653840698d41fa6e9afa679403dea9d78 
--hash=sha256:87f837459c3c78d75cb4f5aadf08a7104db15e8c7618a5c732e60f252279c7a6 --hash=sha256:df9083a992b17a28cd4251a3f5c879e0198bb26c9e808c4647e0a18739f1d11d
chardet==3.0.4 --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691 --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae
codecov==2.0.15 --hash=sha256:ae00d68e18d8a20e9c3288ba3875ae03db3a8e892115bf9b83ef20507732bed4 --hash=sha256:8ed8b7c6791010d359baed66f84f061bba5bd41174bf324c31311e8737602788
coverage==4.5.1 --hash=sha256:7608a3dd5d73cb06c531b8925e0ef8d3de31fed2544a7de6c63960a1e73ea4bc --hash=sha256:3a2184c6d797a125dca8367878d3b9a178b6fdd05fdc2d35d758c3006a1cd694 --hash=sha256:f3f501f345f24383c0000395b26b726e46758b71393267aeae0bd36f8b3ade80 --hash=sha256:0b136648de27201056c1869a6c0d4e23f464750fd9a9ba9750b8336a244429ed --hash=sha256:337ded681dd2ef9ca04ef5d93cfc87e52e09db2594c296b4a0a3662cb1b41249 --hash=sha256:3eb42bf89a6be7deb64116dd1cc4b08171734d721e7a7e57ad64cc4ef29ed2f1 --hash=sha256:be6cfcd8053d13f5f5eeb284aa8a814220c3da1b0078fa859011c7fffd86dab9 --hash=sha256:69bf008a06b76619d3c3f3b1983f5145c75a305a0fea513aca094cae5c40a8f5 --hash=sha256:2eb564bbf7816a9d68dd3369a510be3327f1c618d2357fa6b1216994c2e3d508 --hash=sha256:9d6dd10d49e01571bf6e147d3b505141ffc093a06756c60b053a859cb2128b1f --hash=sha256:701cd6093d63e6b8ad7009d8a92425428bc4d6e7ab8d75efbb665c806c1d79ba --hash=sha256:5a13ea7911ff5e1796b6d5e4fbbf6952381a611209b736d48e675c2756f3f74e --hash=sha256:c1bb572fab8208c400adaf06a8133ac0712179a334c09224fb11393e920abcdd --hash=sha256:03481e81d558d30d230bc12999e3edffe392d244349a90f4ef9b88425fac74ba --hash=sha256:28b2191e7283f4f3568962e373b47ef7f0392993bb6660d079c62bd50fe9d162 --hash=sha256:de4418dadaa1c01d497e539210cb6baa015965526ff5afc078c57ca69160108d --hash=sha256:8c3cb8c35ec4d9506979b4cf90ee9918bc2e49f84189d9bf5c36c0c1119c6558 --hash=sha256:7e1fe19bd6dce69d9fd159d8e4a80a8f52101380d5d3a4d374b6d3eae0e5de9c --hash=sha256:6bc583dc18d5979dc0f6cec26a8603129de0304d5ae1f17e57a12834e7235062 --hash=sha256:198626739a79b09fa0a2f06e083ffd12eb55449b5f8bfdbeed1df4910b2ca640 --hash=sha256:7aa36d2b844a3e4a4b356708d79fd2c260281a7390d678a10b91ca595ddc9e99 --hash=sha256:3d72c20bd105022d29b14a7d628462ebdc61de2f303322c0212a054352f3b287 --hash=sha256:4635a184d0bbe537aa185a34193898eee409332a8ccb27eea36f262566585000 --hash=sha256:e05cb4d9aad6233d67e0541caa7e511fa4047ed7750ec2510d466e806e0255d6 --hash=sha256:76ecd006d1d8f739430ec50cc872889af1f9c1b6b8f48e29941814b09b0fd3cc 
--hash=sha256:7d3f553904b0c5c016d1dad058a7554c7ac4c91a789fca496e7d8347ad040653 --hash=sha256:3c79a6f7b95751cdebcd9037e4d06f8d5a9b60e4ed0cd231342aa8ad7124882a --hash=sha256:56e448f051a201c5ebbaa86a5efd0ca90d327204d8b059ab25ad0f35fbfd79f1 --hash=sha256:ac4fef68da01116a5c117eba4dd46f2e06847a497de5ed1d64bb99a5fda1ef91 --hash=sha256:1c383d2ef13ade2acc636556fd544dba6e14fa30755f26812f54300e401f98f2 --hash=sha256:b8815995e050764c8610dbc82641807d196927c3dbed207f0a079833ffcf588d --hash=sha256:104ab3934abaf5be871a583541e8829d6c19ce7bde2923b2751e0d3ca44db60a --hash=sha256:9e112fcbe0148a6fa4f0a02e8d58e94470fc6cb82a5481618fea901699bf34c4 --hash=sha256:15b111b6a0f46ee1a485414a52a7ad1d703bdf984e9ed3c288a4414d3871dcbd --hash=sha256:e4d96c07229f58cb686120f168276e434660e4358cc9cf3b0464210b04913e77 --hash=sha256:f8a923a85cb099422ad5a2e345fe877bbc89a8a8b23235824a93488150e45f6e
discord.py==0.16.12 --hash=sha256:17fb8814100fbaf7a79468baa432184db6cef3bbea4ad194fe297c7407d50108
idna==2.6 --hash=sha256:8c7309c718f94b3a625cb648ace320157ad16ff131ae0af362c9f21b80ef6ec4 --hash=sha256:2c6a5de3089009e3da7c5dde64a141dbc8551d5b7f6cf4ed7c2568d0cc520a8f
multidict==4.1.0 --hash=sha256:0fd4d255adcbab3341d64a2fff5acce23409e57bb94e626485dea3db70ddc35e --hash=sha256:93f1af99bbe75c854370460a60823d6726f9af2196818a64346000d02e074ed7 --hash=sha256:65546242d0c481c0daf0ef20c1be81c075fb763c5f4346f18f748b422fc40f32 --hash=sha256:0462372fc74e4c061335118a4a5992b9a618d6c584b028ef03cf3e9b88a960e2 --hash=sha256:63663541d395ffe4d51a3c021467d0a7b46c965b63fa1646cb46e2e2f1f36415 --hash=sha256:84a1cb5320f1494cd444ca3bd09ddba2e0af0cb210f9263bcf17357ab22671a1 --hash=sha256:241c11614f64535e213ea143efa8b7e598793256601fc795e77075bdfa54f5d6 --hash=sha256:ea8a18ea02bf84981ec93faded773a866554666f13955c92139127892c4bb45c --hash=sha256:b46ec31bb7729eaa678a3bb1c999460902df1e295fcc093b9aa5f2c7e68d5803 --hash=sha256:608f7eef60e6558418d7da6551dd3d07ccc1290ecc85755d781bd8100322ea5b --hash=sha256:068e91060e3e211441b1a31f5e65de88fc346490e1fae583c35a75a5295c8ef7 --hash=sha256:288e8f94fb6f586e7386c1f22c979ce3ec866ab23371fa8fef1dd526cd4dfde1 --hash=sha256:503ae54582601b0ff647731fee5efcdff5db1f4da0350febb31b628236a5f0b5 --hash=sha256:6d5f6f26f9025756035c473167b39c5a72e4e519a2286c9399d21f6682e4e5bc --hash=sha256:e13265feabb1fa26f9cd49cbafd9b5de70ad768093ddb092af477c9823f44f0e --hash=sha256:50de6f3786ba868ffb7d78d4bcacf0928321f9892366b2f4a0426bba644e3f25 --hash=sha256:16c78b10e897a512aa34ab1969982e42246e53077ae903c1b334926e1ea832d1 --hash=sha256:e04b5bf8581718cf84c1c60bda40221d926ceb06f942ebabfc3baf467a1e34be --hash=sha256:d99819e9e15e1295a31a757360cab65bc96162870f90c29432564bd8e8999aca --hash=sha256:cd172509bfc9144395204dd2c0eb305ae5e89f8ad1714ffd7d793607c53c3244 --hash=sha256:3508bea4974ee30fabcf7c8852fca7d9d54d496eaa068bee8311e0ac4df4ade3 --hash=sha256:fb4412490324705dcd2172baa8a3ea58ae23c5f982476805cad58ae929fe2a52
pycparser==2.18 --hash=sha256:99a8ca03e29851d96616ad0404b4aad7d9ee16f25c9f9708a11faf2810f7b226
pynacl==1.0.1 --hash=sha256:eb7ba561a8ae2faeeafae38218100f015c4055408af1eda5f9ff7c536cdd3faf --hash=sha256:96fe0af92008488c0ad805920ccb7abc6742cfeef173f0c117f2f26a054b33ee --hash=sha256:49f7f7cfcd25db335262818266c40b12a3d3885cd3011ddc6258394418ec8c9c --hash=sha256:d307a9bc2b0502e4111a9c2324dddb828efcb84d54e3dd41d1eaae3d3cf98e37 --hash=sha256:b866c28ab1700efccf0468ede2ecaf550c2f8ab7e84828b05b7c45496a86bd34 --hash=sha256:cf183495fd655706e17e1cc92a2b6bdd27c74aebcfa34425035217c6a55d4229 --hash=sha256:d7d209742f2b075efd7b796709a29809368e68d2a4b319a5515bc51d4dde92be --hash=sha256:2e16443657b7ed37878fdd4783c45b96e7b7e00dfa19736638b03c3c632080d4 --hash=sha256:dc49ee007f194fa4b4070f8a1a4c58dc5c32f9340134cfc5becc2d5775350697 --hash=sha256:afd0106f4a337c428f3113927b14b0e877e7a0eb3cdc25fabcb6584d7be21ad2 --hash=sha256:e40487e3b8d0a16f038970732c3705a89b0a188c065603edd871b6a25a40bf97 --hash=sha256:394853427159419c5dcd3d5cd8db2f14592ac3b5215df6ae16613577b21b76e8 --hash=sha256:2066cb852e369888798bd50506d185b1a64d83ed4a7aac181d60466e91d4c56a --hash=sha256:2e7b0a54aa3fc689f9ca34ef0d0bc21203dea87a3da120230b9a3d04bb95075c --hash=sha256:d5c8a1084cc2c0c9fe1e9ee9b626adda7b89eed82677195fcd194323f83544f8 --hash=sha256:d21d7a7358a85fb9b9ddadfbd1176c40fe199334fe2202881255e77f6d3773f4
requests==2.18.4 --hash=sha256:6a1b267aa90cac58ac3a765d067950e7dbbf75b1da07e895d1f594193a40a38b --hash=sha256:9c443e7324ba5b85070c4a818ade28bfabedf16ea10206da1132edaa6dda237e
six==1.11.0 --hash=sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb --hash=sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9
urllib3==1.22 --hash=sha256:06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b --hash=sha256:cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f
websockets==3.4 --hash=sha256:e9c1cdbb591432c59d0b5ca64fd30b6d517024767f152fc169563b26e7bcc9da --hash=sha256:85ae1e4b36aa2e90de56d211d2de36d7c093d00277a9afdd9b4f81e69c0214ab --hash=sha256:2aa6d52264cecb08d39741e8fda49f5ac4872aef02617230c84d02e861f3cc5a --hash=sha256:8a29100079f5b91a72bcd25d35a7354db985d3babae42d00b9d629f9a0aaa8ac --hash=sha256:de743ef26b002efceea7d7756e99e5d38bf5d4f27563b8d27df2a9a5cc57340a --hash=sha256:aa42ecef3aed807e23218c264b1e82004cdd131a6698a10b57fc3d8af8f651fc --hash=sha256:c4c5b5ce2d66cb0cf193c14bc9726adca095febef0f7b2c04e5e3fa3487a97a4 --hash=sha256:e1e568136ad5cb6768504be36d470a136b072acbf3ea882303aee6361be01941 --hash=sha256:e8992f1db371f2a1c5af59e032d9dc7c1aa92f16241efcda695b7d955b4de0c2 --hash=sha256:3d38f76f71654268e5533b45df125ff208fee242a102d4b5ca958da5cf5fb345 --hash=sha256:4128212ab6f91afda03a0c697add261bdf6946b47928db83f07298ea2cd8d937 --hash=sha256:b19e7ede1ba80ee9de6f5b8ccd31beee25402e68bef7c13eeb0b8bc46bc4b7b7 --hash=sha256:7347af28fcc70eb45be409760c2a428f8199e7f73c04a621916c3c219ed7ad27 --hash=sha256:2f5b7f3920f29609086fb0b63552bb1f86a04b8cbdcc0dbf3775cc90d489dfc8 --hash=sha256:4a932c17cb11c361c286c04842dc2385cc7157019bbba8b64808acbc89a95584 --hash=sha256:5ddc5fc121eb76771e990f071071d9530e27d20e8cfb804d9f5823de055837af --hash=sha256:a7e7585c8e3c0f9277ad7d6ee6ccddc69649cd216255d5e255d68f90482aeefa --hash=sha256:3fcc7dfb365e81ff8206f950c86d1e73accdf3be2f9110c0cb73be32d2e7a9a5 --hash=sha256:09dfec40e9b73e8808c39ecdbc1733e33915a2b26b90c54566afc0af546a9ec3 --hash=sha256:43e5b9f51dd0000a4c6f646e2ade0c886bd14a784ffac08b9e079bd17a63bcc5
Collecting sphinxcontrib-napoleon (from discord.py==0.16.12->-r requirements.txt (line 8))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
sphinxcontrib-napoleon from https://pypi.python.org/packages/96/48/7fe4211809e555ec25fd12d5c11121d0f15d04455d5a0e73f740f4f8e651/sphinxcontrib_napoleon-0.6.1-py2.py3-none-any.whl#md5=1e548d7acd8190c092377fe25cff20bd (from discord.py==0.16.12->-r requirements.txt (line 8))
Ended up having to get rid of the hashes in that file altogether. However, something interesting I noticed is that the root dependency for which the sub dependency error occurs only has one hash.
For instance:
In the requirements.txt file of @danielquinn's issue https://github.com/pypa/pipenv/issues/1380#issue-293116113, django-phonenumber-field==1.3.0 only has one hash. And sure enough, it is its sub dependency phonenumberslite>=7.0.2 that produces the error. You can notice the same pattern in discord.py==0.16.12 and its respective sub dependency sphinxcontrib-napoleon.
Even more interesting is that both these sub dependencies have their code added dynamically (without hashes) to their requirements.
discord.py's Offending Code
django-phonenumber-field's Offending Code
should be fixed in master
I just tested this using the master of Pipenv installed into a virtualenv, and reproduced the bug:
mkdir -p /tmp/xdemo
cd /tmp/xdemo
python3.6 -m venv env{,2}
source env/bin/activate
pip install git+git://github.com/pypa/pipenv#egg=pipenv
pushd env/src/pipenv/; git rev-parse --short HEAD; popd # 4ffa057
pipenv install python-dateutil
pipenv lock -r > requirements.txt
deactivate
source env2/bin/activate
pip install -r requirements.txt # fails
Collecting python-dateutil==2.6.1 (from -r requirements.txt (line 1))
Using cached python_dateutil-2.6.1-py2.py3-none-any.whl
Collecting six>=1.5 (from python-dateutil==2.6.1->-r requirements.txt (line 1))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
six>=1.5 from https://pypi.python.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl#md5=866ab722be6bdfed6830f3179af65468 (from python-dateutil==2.6.1->-r requirements.txt (line 1))
And the Pipfile looks like this:
[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"
[packages]
python-dateutil = "*"
[dev-packages]
And the Pipfile.lock looks like this:
{
"_meta": {
"hash": {
"sha256": "a9e99679482fa191870abb12c047ce9c9ed2d6497dce7326bb65c143c327d262"
},
"host-environment-markers": {
"implementation_name": "cpython",
"implementation_version": "3.6.4",
"os_name": "posix",
"platform_machine": "x86_64",
"platform_python_implementation": "CPython",
"platform_release": "17.4.0",
"platform_system": "Darwin",
"platform_version": "Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64",
"python_full_version": "3.6.4",
"python_version": "3.6",
"sys_platform": "darwin"
},
"pipfile-spec": 6,
"requires": {},
"sources": [
{
"name": "pypi",
"url": "https://pypi.python.org/simple",
"verify_ssl": true
}
]
},
"default": {
"python-dateutil": {
"hashes": [
"sha256:95511bae634d69bc7329ba55e646499a842bc4ec342ad54a8cdb65645a0aad3c",
"sha256:891c38b2a02f5bb1be3e4793866c8df49c7d19baabf9c1bad62547e0b4866aca"
],
"version": "==2.6.1"
},
"six": {
"hashes": [
"sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb",
"sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9"
],
"version": "==1.11.0"
}
},
"develop": {}
}
I suspect pipenv 9.1.0 triggered this problem for me. robobrowser depends on six, but pipenv's core.py in 9.1.0 has a BAD_PACKAGES blacklist that includes six, so it's always commented in the generated requirements file.
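As an added example (not part of any comment in this thread and not Pipenv's own code), the check below compares a Pipfile.lock with an exported requirements file and reports every locked package that is missing, unpinned or unhashed, which is the condition that makes pip's hash-checking mode abort on a sub-dependency. The function names and the commented-out export are constructed for illustration; the lock data is the python-dateutil/six lock posted above, and backslash line continuations in the requirements file are assumed not to occur.

```python
import re

# "default" section of the Pipfile.lock posted in this thread
# (in practice: json.load(open("Pipfile.lock"))).
LOCK = {"default": {
    "python-dateutil": {"version": "==2.6.1", "hashes": [
        "sha256:95511bae634d69bc7329ba55e646499a842bc4ec342ad54a8cdb65645a0aad3c",
        "sha256:891c38b2a02f5bb1be3e4793866c8df49c7d19baabf9c1bad62547e0b4866aca"]},
    "six": {"version": "==1.11.0", "hashes": [
        "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb",
        "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9"]},
}}

PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)$")


def canonical(name):
    """PEP 503 normalisation, so Django_OTP and django-otp compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def render_requirements(lock, section="default"):
    """Render every locked package, sub-dependencies included, as a hashed pin."""
    lines = []
    for name, entry in sorted(lock.get(section, {}).items()):
        version, hashes = entry.get("version", ""), entry.get("hashes", [])
        if not version.startswith("==") or not hashes:
            raise ValueError(f"{name}: lock entry is not pinned and hashed")
        lines.append(" ".join([name + version] + [f"--hash={h}" for h in hashes]))
    return lines


def parse_requirements(text):
    """Map canonical name -> (pinned version or None, set of hashes); skips comments."""
    found = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        spec, *options = line.split()
        match = PINNED.match(spec)
        name = match.group(1) if match else re.split(r"[<>=!~;\[]", spec, maxsplit=1)[0]
        hashes = {o[len("--hash="):] for o in options if o.startswith("--hash=")}
        found[canonical(name)] = (match.group(2) if match else None, hashes)
    return found


def audit(lock, req_text, section="default"):
    """List locked packages the requirements file fails to pin and hash."""
    reqs = parse_requirements(req_text)
    problems = []
    for name, entry in sorted(lock.get(section, {}).items()):
        got = reqs.get(canonical(name))
        if got is None:
            problems.append(f"{name}: in lock but missing from requirements")
        elif got[0] is None or "==" + got[0] != entry["version"]:
            problems.append(f"{name}: not pinned to {entry['version']}")
        elif not got[1] or not got[1] <= set(entry["hashes"]):
            problems.append(f"{name}: hashes missing or not in lock")
    return problems


# Constructed export that mimics the reported behaviour: six is commented out.
BROKEN_EXPORT = "\n".join(
    "# " + l if l.startswith("six==") else l for l in render_requirements(LOCK))
```

Running `audit()` in CI against the file that is actually deployed catches this before `pip install -r` does; `render_requirements()` shows what a complete export of the same lock looks like.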
@kennethreitz a few days ago I reported that your fix doesn't appear to be working. Should I open a new issue?
@dfee we're aware of it
released