Poetry: Hashes are not being produced for private packages when exporting a requirements file.

Created on 25 Nov 2019 · 7 Comments · Source: python-poetry/poetry

Hi,

no hash is being created in the requirements.txt file when I run poetry export -f requirements.txt. This means pip fails when it reads the file. It's fine, pip actually gives me the hash to insert into the file, however it would be great if Poetry did it in the first place.

Also, what might be good is to have something like a --no-hashes argument for exporting, so that no hashes are added to the requirements file. My understanding is that if pip can't find any hashes at all, it won't complain about missing ones.

Bug

All 7 comments

I am also experiencing this.

The issue is related to https://github.com/sdispater/poetry/issues/1631 - what's happening under the hood, I think, is that your poetry.lock file is using an MD5 hash rather than SHA256, and since pip would complain about an md5 anyway, the _exporter_ is correctly not outputting it. In other words, the bug is farther upstream, at the time of lockfile generation. If poetry would capture the SHA256 in the lockfile, everything would work fine at export time.

In fact there are no hashes corresponding to the private package at all in the lock file. So I guess the bug is related to the lock file, but not quite how you envisaged it.

requests = ["11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", "9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"]
xxx-schema = []
rx = ["84ac6e140f2129266fd4c77a3d0903bbff0a761386079ea0cb99c8524695cac1", "ad793d79843feba2ea25c0c01be245f3163d5d469418279d4019737b93d88c78"]

It's been flagged as a bug so let's see what happens.

Ah, that's interesting. I should have said "I would _guess_" this is related to #1631. :)

I see this same behavior when using Artifactory, in case the actual private repository matters - I would imagine it shouldn't though, since the "simple" API is being used.

> Also, what might be good is to have something like a --no-hashes argument for exporting, so that no hashes are added to the requirements file. My understanding is that if pip can't find any hashes at all, it won't complain about missing ones.

Perhaps I am not understanding, but this option is already supported directly in poetry (at least on the new RCs).
--without-hashes Exclude hashes from the exported file.

Hi,

apologies for leaving it so long before replying, firstly. One thing drives out another, I'm sure you know how it is!

The --without-hashes tip works fine, thank you very much.

I guess we should leave the issue open, however, because ideally the lock file should contain the hash(es) for the private repository?

I'm having a similar issue when using url.

pyproject.toml:

django-requestlogging = {url = "https://bitbucket.org/miohtama/django-requestlogging/get/fc515e3b3029.zip"}

poetry.lock (no hashes stored):

django-requestlogging = []

Exported requirements.txt (no hashes, wrong -e):

-e https://bitbucket.org/miohtama/django-requestlogging/get/fc515e3b3029.zip

Expected entry in requirements.txt:

https://bitbucket.org/miohtama/django-requestlogging/get/fc515e3b3029.zip \
    --hash=sha256:eef6342cc77af842be3efb6ece073310b49ce7cb65256441527f1aac7686c01b

As you can see, this is also an instance of https://github.com/python-poetry/poetry/issues/897
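
As an added example (not part of the thread, and not Poetry's or pip's own code), here is a pre-install check for an exported requirements.txt that flags the cases discussed above: entries with no --hash, hashes using an algorithm outside the sha256/sha384/sha512 set pip accepts, and -e entries. The function names and the sample file are constructed for illustration.

```python
import re

STRONG = {"sha256", "sha384", "sha512"}  # algorithms pip accepts for --hash
HASH_RE = re.compile(r"--hash[=\s]+(\w+):")

def logical_lines(text):
    """Join backslash continuations, strip comments, skip blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        full, buf = re.sub(r"(^|\s)#.*$", "", buf + line).strip(), ""
        if full:
            yield full

def audit(text):
    """Map each requirement to the reasons hash-checking mode would reject it."""
    findings = {}
    for line in logical_lines(text):
        editable = line.startswith(("-e ", "--editable"))
        if line.startswith("-") and not editable:
            continue  # global option such as --index-url
        spec = re.sub(r"^(-e|--editable)[=\s]+", "", line).split(" --hash")[0].strip()
        problems = ["editable requirement cannot be hashed"] if editable else []
        hashes = HASH_RE.findall(line)
        if not hashes:
            problems.append("no --hash")
        problems += [f"algorithm {a} not accepted" for a in hashes if a not in STRONG]
        if problems:
            findings[spec] = problems
    return findings

# Constructed sample: names, versions, URLs and digests are placeholders.
SAMPLE = """\
--index-url https://pypi.example.invalid/simple
public-pkg==1.0.0 \\
    --hash=sha256:{a}
private-pkg==2.0.0
legacy-pkg==3.0.0 --hash=md5:{m}
-e https://code.example.invalid/archive/abc123.zip  # exported as editable
""".format(a="a" * 64, m="c" * 32)

if __name__ == "__main__":
    print("\n".join(f"{s}: {'; '.join(p)}" for s, p in audit(SAMPLE).items()))
```

An empty result means every entry carries at least one accepted hash. Because a single --hash anywhere in the file switches pip into hash-checking mode, one flagged entry is enough to make the whole install fail.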
