Poetry: URL based dependencies don't generate a hash

Created on 19 Feb 2020  ·  5 Comments  ·  Source: python-poetry/poetry

  • [x] I am on the latest Poetry version.
  • [x] I have searched the issues of this repo and believe that this is not a duplicate.
  • [x] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

Issue

When adding a normal Python dependency, poetry will generate hashes of the downloaded files to put in the lockfile. These can then be given to pip to create reproducible builds. When adding a URL dependency, these hashes are not created, and pip cannot successfully install dependencies.

Steps to reproduce

  1. poetry add https://github.com/explosion/spacy-models/releases/download/en_core_web_sm-2.2.0/en_core_web_sm-2.2.0.tar.gz
  2. poetry export -f requirements.txt | /venv/bin/pip install -r /dev/stdin

Labels: Bug

All 5 comments

@lucaskjaero is this related to https://github.com/python-poetry/poetry/issues/1631? In essence I don't think poetry generates hashes. It receives them from pypi but not necessarily from private repositories.

Depending on your situation, if you can get away with a requirements file that only contains version numbers and not hashes, you can try:

poetry export --without-hashes -f requirements.txt | /venv/bin/pip install -r /dev/stdin

@novemberkilo Yes, I think they might have the same root cause. That workaround definitely helps, thanks!
It would be nice to get official support for making hashes though, since they are useful.

Is there a workaround for this? Can we calculate hash manually and somehow include it in pyproject.toml file?

@mfrlin You can use pip-compile --generate-hashes from pip_tools on the requirements.txt output from poetry. IIRC, this will fall back to generating hashes when not provided by the source.
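
As an added illustration of what the manual workaround above amounts to (this is example code written for this thread, not code from poetry or pip-tools): the script below takes the text of a poetry export, joins the backslash-continued lines, leaves entries that already carry a --hash alone, and for URL requirements computes the sha256 of the artifact and appends it in the --hash=sha256:... form that pip's hash-checking mode expects. The export text and the artifact bytes are constructed samples so the example runs offline; the fetch callable is an assumed hook where a real run would download the URL. A second helper re-checks a downloaded body against the hashes on a requirement line, which is the check pip performs at install time. Unhashed entries that are not URL requirements raise instead of being passed through, because pip in hash-checking mode rejects any unhashed requirement anyway.

```python
import hashlib
import re
from typing import Callable, List

# Constructed sample of a `poetry export -f requirements.txt` output: the PyPI
# package carries a hash (placeholder value, not a real digest), the URL
# dependency does not, which is the situation this issue describes.
SAMPLE_EXPORT = """\
requests==2.22.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
en-core-web-sm @ https://github.com/explosion/spacy-models/releases/download/en_core_web_sm-2.2.0/en_core_web_sm-2.2.0.tar.gz
"""

# Constructed stand-in for the downloaded tarball, keyed by URL, so the example
# needs no network. A real fetcher would return the HTTP response body.
FAKE_ARTIFACTS = {
    "https://github.com/explosion/spacy-models/releases/download/en_core_web_sm-2.2.0/en_core_web_sm-2.2.0.tar.gz": b"abc",
}

# `name @ url` form used by poetry export for URL dependencies.
URL_REQ = re.compile(r"^(?P<name>[A-Za-z0-9_.\-\[\]]+)\s*@\s*(?P<url>\S+)$")


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines so each requirement is one string."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))  # normalise whitespace
        buf = ""
    return out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_missing_hashes(export_text: str, fetch: Callable[[str], bytes]) -> List[str]:
    """Return requirement lines where every entry carries a sha256 hash.

    Entries that already have --hash are kept verbatim; URL requirements get a
    hash computed from the bytes `fetch(url)` returns; anything else without a
    hash is an error, since pip's hash-checking mode would reject it too.
    """
    result = []
    for req in logical_lines(export_text):
        if "--hash=" in req:
            result.append(req)
            continue
        m = URL_REQ.match(req)
        if not m:
            raise ValueError(f"no hash and not a URL requirement: {req}")
        digest = sha256_hex(fetch(m.group("url")))
        result.append(f"{req} --hash=sha256:{digest}")
    return result


def verify_download(data: bytes, req_line: str) -> bool:
    """Check a downloaded artifact against the hashes on its requirement line,
    the same comparison pip makes before installing in hash-checking mode."""
    expected = re.findall(r"--hash=sha256:([0-9a-f]{64})", req_line)
    return sha256_hex(data) in expected


if __name__ == "__main__":
    for line in add_missing_hashes(SAMPLE_EXPORT, lambda url: FAKE_ARTIFACTS[url]):
        print(line)
```

The output can be fed to pip the same way as in the issue (pip install -r /dev/stdin). Note that pip switches to hash-checking mode as soon as any requirement has a --hash, so every entry in the file, including the URL ones, must carry one; that is why the script fails closed rather than skipping unhashed lines.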

I believe this problem is also hit if you are using your own private pypi repos. All my regular dependencies have hashes, but for all packages installed from our private pypi repo, the hashes are missing when performing a poetry export.
