Fall back to distributions without hashes in resolver #2949
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
charliermarsh
added
the
enhancement
charliermarsh
commented
Apr 9, 2024
| sha256:123 | ||
|
|
||
| Computed: | ||
| sha256:5d69f0b590514103234f0c3526563856f04d044d8d0ea1073a843ae429b3187e |
There was a problem hiding this comment.
These aren't as nice-looking, but keep in mind that for --require-hashes, the user has to pin all dependencies upfront anyway. There's no backtracking or anything.
There was a problem hiding this comment.
They're pretty ugly but 🤷♂️ we could address later if we want.
There was a problem hiding this comment.
Absolutely DESTROYING my error messages
charliermarsh
force-pushed
the
charlie/check-hashes-iii
branch
from
f66887c to
cdb2449
Compare
charliermarsh
force-pushed
the
charlie/check-hashes-v
branch
from
19505ca to
6f897d2
Compare
charliermarsh
force-pushed
the
charlie/check-hashes-iii
branch
from
cdb2449 to
32a2088
Compare
charliermarsh
force-pushed
the
charlie/check-hashes-v
branch
from
6f897d2 to
fc6c30c
Compare
charliermarsh
force-pushed
the
charlie/check-hashes-iii
branch
from
32a2088 to
d8f5d37
Compare
charliermarsh
force-pushed
the
charlie/check-hashes-v
branch
from
fc6c30c to
fdd87aa
Compare
zanieb
approved these changes
Apr 10, 2024
charliermarsh
force-pushed
the
charlie/check-hashes-iii
branch
2 times, most recently
from
669384d to
e3f5242
Compare
charliermarsh
force-pushed
the
charlie/check-hashes-v
branch
from
fdd87aa to
d3b6023
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This represents a change to
--require-hashesin the event that we don't find a matching hash from the registry. The behavior in this PR is closer to pip's.Prior to this PR, if a distribution had no reported hash, or only mismatched hashes, we would mark it as incompatible. Now, we mark it as compatible, but we use the hash-agreement as part of the ordering, such that we prefer any distribution with a matching hash, then any distribution with no hash, then any distribution with a mismatched hash.
As a result, if an index reports incorrect hashes, but the user provides the correct one, resolution now succeeds, where it would've failed.
Similarly, if an index omits hashes altogether, but the user provides the correct one, resolution now succeeds, where it would've failed.
If we end up picking a distribution whose hash ultimately doesn't match, we'll reject it later, after resolution.