
Respect hashes in constraints files #7093

Status: Merged (1 commit into main from charlie/constraint-hash, Sep 5, 2024)
Conversation

charliermarsh (Member) commented Sep 5, 2024

Summary

Like pip, if hashes are present on both the requirement and the constraint, we prefer the requirement.

Closes #7089.

charliermarsh added the `enhancement` (New feature or improvement to existing functionality) and `security` labels on Sep 5, 2024
charliermarsh (Member, author) commented:

@alex -- Do you have an opinion on what's correct, if both a requirement and a constraint for a given package-version include --hash?

charliermarsh force-pushed the charlie/constraint-hash branch 2 times, most recently from a6b40ee to c1ae6f6 (September 5, 2024 18:00)
alex (Contributor) commented Sep 5, 2024

I guess there are three cases:

  1. They have the same hashes; that's fine, that's ok.
  2. One of them has a subset of the other's hashes. If the constraint has a subset of the requirement's hashes, I think that should act as a "filter" -- effectively it's constraining the set of valid hashes. If the requirement's hashes are a subset of the constraint's hashes, error?
  3. If they just disagree: Error.

But that seems kind of complicated: So really: same == fine, different == error is probably sufficient.

charliermarsh force-pushed the charlie/constraint-hash branch from c1ae6f6 to 2636ebe (September 5, 2024 18:13)
charliermarsh merged commit bb61513 into main Sep 5, 2024
58 checks passed
charliermarsh deleted the charlie/constraint-hash branch September 5, 2024 18:30

charliermarsh (Member, author) commented:

For now, I went with what I observe from pip's behavior, but I may change prior to merging. I see some pip issues that suggest they want to be using the intersection, but I don't see that behavior locally.

alex (Contributor) commented Sep 5, 2024 via email (reply body not shown on the page)

notatallshaw (Collaborator) commented Sep 5, 2024

> For now, I went with what I observe from pip's behavior, but I may change prior to merging. I see some pip issues that suggest they want to be using the intersection, but I don't see that behavior locally.

The latest discussion is about dropping support for hashes in constraints: pypa/pip#12942 (comment)

In practice, hashes in constraints files don't really work in pip, as they imply require-hashes mode, but require-hashes mode errors out unless the hash is in the requirements file.

So I think uv has quite a bit of leeway here to choose what it thinks is best.

charliermarsh (Member, author) commented:

What's the motivation for dropping support there?

notatallshaw (Collaborator) commented:

> What's the motivation for dropping support there?

As I understand it (and I've not spent time reviewing the code, I'm just basing this on what I've read in comments) constraints are implemented as a collection filter where hashes are not checked, and are not part of resolution verification where hashes can be checked.

Currently pip only allows hashes to be specified if you pin the requirement, and adding a hash implies requiring hashes; this leads to the behaviour of:

  1. Create `constraints.txt` with the contents:

     ```
     setuptools==74.1.1 --hash=sha256:fc91b5f89e392ef5b77fe143b17e32f65d3024744fba66dc3afe07201684d766
     ```

  2. Run `pip install setuptools==74.1.1 -c constraints.txt`, and get the error:

     ```
     ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
         setuptools==74.1.1 --hash=sha256:fc91b5f89e392ef5b77fe143b17e32f65d3024744fba66dc3afe07201684d766
     ```

I would love for pip to support this use case (and hence also uv), but I'm not going to be the one to drive large architectural changes on the pip side.

charliermarsh (Member, author) commented:

Ahh ok I see. Yeah we can support it, it's structured slightly differently here. Not sure what's best though: union, intersection, ignoring one or the other, etc.

notatallshaw (Collaborator) commented Sep 5, 2024

IMO a constraint should "constrain" the solution. Which I think would be an intersection?

A requirements file of:

```
foo==1.0.0 --hash=sha256:{hashA} --hash=sha256:{hashB}
bar==1.0.0
baz
```

With a constraints file of:

```
foo==1.0.0 --hash=sha256:{hashB} --hash=sha256:{hashC}
bar==1.0.0 --hash=sha256:{hashD}
baz==1.0.0 --hash=sha256:{hashE}
```

For those packages the solution (assuming one exists) should only be able to have:

```
foo==1.0.0 --hash=sha256:{hashB}
bar==1.0.0 --hash=sha256:{hashD}
baz==1.0.0 --hash=sha256:{hashE}
```

Does that make sense?
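The intersection semantics sketched in alex's three cases and in notatallshaw's foo/bar/baz example, carried through as an added example. This is Python written for this page, not uv's or pip's code: it parses both files, keeps a hash for a package only if neither file rules it out, raises when the two files share no hash for a package (alex's "they just disagree" case), and then checks a downloaded archive the way `--require-hashes` mode would, refusing a package for which no hash was declared anywhere. The package names, the digests (computed at runtime over constructed byte strings standing in for archives), the PEP 503 name normalization and the `"ok"/"mismatch"/"no-hash-declared"` result vocabulary are all assumptions made here.

```python
"""Intersection of --hash options across a requirements file and a constraints file.

Added example for this thread; not uv's or pip's implementation. Every package name,
digest and "archive" below is constructed inline so the module runs offline.
"""
import hashlib
import re

# Leading requirement name; stops at '==', whitespace or any option.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
# --hash=sha256:<hex>  (pip also accepts "--hash sha256:<hex>")
_HASH_RE = re.compile(r"--hash[= ]([A-Za-z0-9]+):([0-9a-fA-F]+)")


class HashConflict(Exception):
    """Both files pin hashes for a package but share none (alex's case 3)."""


def normalize(name: str) -> str:
    """PEP 503 normalization (assumption), so Foo_Bar and foo-bar are one package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_hash_file(text: str) -> dict[str, set[str]]:
    """Map each package to its declared hashes as {"sha256:<hex>", ...}.
    A package listed without --hash maps to an empty set, i.e. unconstrained."""
    declared: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _NAME_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable requirement line: {raw!r}")
        hashes = {f"{algo.lower()}:{digest.lower()}" for algo, digest in _HASH_RE.findall(line)}
        declared.setdefault(normalize(m.group(1)), set()).update(hashes)
    return declared


def allowed_hashes(requirements: str, constraints: str) -> dict[str, set[str]]:
    """Per-package hash sets the resolution may use (the intersection semantics from the thread):
      * only one file declares hashes -> that file's set
      * both declare hashes           -> their intersection; an empty intersection raises HashConflict
      * neither declares hashes       -> empty set; the package cannot be verified"""
    req, con = parse_hash_file(requirements), parse_hash_file(constraints)
    allowed: dict[str, set[str]] = {}
    for name in req.keys() | con.keys():
        r, c = req.get(name, set()), con.get(name, set())
        if r and c:
            both = r & c
            if not both:
                raise HashConflict(f"{name}: requirement {sorted(r)} and constraint {sorted(c)} share no hash")
            allowed[name] = both
        else:
            allowed[name] = r or c
    return allowed


def conflicts(requirements: str, constraints: str) -> bool:
    """True when the two files disagree outright on some package's hashes."""
    try:
        allowed_hashes(requirements, constraints)
    except HashConflict:
        return True
    return False


def verify_artifact(name: str, data: bytes, allowed: dict[str, set[str]]) -> str:
    """Check a downloaded archive against the allowed set. Returns "ok", "mismatch" or
    "no-hash-declared"; the last is what --require-hashes mode refuses to install."""
    permitted = allowed.get(normalize(name), set())
    if not permitted:
        return "no-hash-declared"
    actual = "sha256:" + hashlib.sha256(data).hexdigest()
    return "ok" if actual in permitted else "mismatch"


# Constructed sample data mirroring the foo/bar/baz example in the thread.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


FOO_SDIST = b"foo-1.0.0.tar.gz (constructed bytes)"
FOO_WHEEL = b"foo-1.0.0-py3-none-any.whl (constructed bytes)"
FOO_OTHER = b"foo-1.0.0 built elsewhere (constructed bytes)"
BAR_WHEEL = b"bar-1.0.0-py3-none-any.whl (constructed bytes)"
BAZ_WHEEL = b"baz-1.0.0-py3-none-any.whl (constructed bytes)"
HASH_A, HASH_B, HASH_C, HASH_D, HASH_E = (
    sha256_hex(x) for x in (FOO_SDIST, FOO_WHEEL, FOO_OTHER, BAR_WHEEL, BAZ_WHEEL)
)
REQUIREMENTS = f"""
foo==1.0.0 --hash=sha256:{HASH_A} --hash=sha256:{HASH_B}
bar==1.0.0
baz
"""
CONSTRAINTS = f"""
foo==1.0.0 --hash=sha256:{HASH_B} --hash=sha256:{HASH_C}
bar==1.0.0 --hash=sha256:{HASH_D}
baz==1.0.0 --hash=sha256:{HASH_E}
"""

if __name__ == "__main__":
    allowed = allowed_hashes(REQUIREMENTS, CONSTRAINTS)
    for pkg, hashes in sorted(allowed.items()):
        print(pkg, sorted(h[:19] + "..." for h in hashes))
    print("foo wheel:", verify_artifact("foo", FOO_WHEEL, allowed))  # ok
    print("foo sdist:", verify_artifact("foo", FOO_SDIST, allowed))  # mismatch: hash A was filtered out
```

Run directly, it prints one surviving hash for each of foo, bar and baz, then shows that the foo sdist (hash A, present only in the requirements file) is rejected while the foo wheel (hash B, present in both) passes. The `r or c` branch is what makes a constraint-only hash (bar, baz) binding rather than ignored, which is the behaviour pip's require-hashes mode currently cannot express.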

charliermarsh added a commit that referenced this pull request Sep 6, 2024
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Sep 11, 2024
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.4.4` -> `0.4.9` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.4.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#049)

[Compare Source](astral-sh/uv@0.4.8...0.4.9)

##### Enhancements

-   Add support for managed Python 3.13 ([#7263](astral-sh/uv#7263))
-   Upgrade managed CPython versions to latest patch releases ([#7263](astral-sh/uv#7263))
-   Allow setting a target version for `uv self update` ([#7252](astral-sh/uv#7252))
-   Create `py.typed` files during `uv init --lib` ([#7232](astral-sh/uv#7232))
-   Add a dedicated error for packages that fail due to `distutils` deprecation ([#7239](astral-sh/uv#7239))
-   Improve error message when requested Python version is unsupported ([#7269](astral-sh/uv#7269))
-   Add `uv run --no-sync` ([#7192](astral-sh/uv#7192))

##### Bug fixes

-   Avoid updating `pyproject.toml` offsets on non-add edits ([#7262](astral-sh/uv#7262))
-   Invalidate cache when `--config-settings` change ([#7139](astral-sh/uv#7139))
-   Remove workspace root for single-member workspace with `uv export` ([#7254](astral-sh/uv#7254))

### [`v0.4.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#048)

[Compare Source](astral-sh/uv@0.4.7...0.4.8)

##### Enhancements

-   Add support for dynamic cache keys ([#7136](astral-sh/uv#7136))
-   Allow `.dist-info` names with dashes for post releases ([#7208](astral-sh/uv#7208))
-   Use type hints in code from `uv init` ([#7225](astral-sh/uv#7225))
-   Treat `.tgz` the same as `.tar.gz` ([#7201](astral-sh/uv#7201))
-   Direct users towards `uv venv` to create a virtual environment ([#7188](astral-sh/uv#7188))
-   Improve error message for uv init already init-ed ([#7198](astral-sh/uv#7198))

##### Performance

-   Avoid batch prefetching for un-optimized registries ([#7226](astral-sh/uv#7226))
-   Avoid iteration for singleton selections ([#7195](astral-sh/uv#7195))

##### Bug fixes

-   Avoid extra newlines in debug logging for source builds ([#7174](astral-sh/uv#7174))
-   Prune unreachable packages from `--universal` output ([#7209](astral-sh/uv#7209))
-   Respect exclusion when collecting workspace members ([#7175](astral-sh/uv#7175))
-   Use path file instead of `sitecustomize.py` ([#7161](astral-sh/uv#7161))
-   Replace incorrect `--source` and `--binary` flags with correct `--sdist` and `--wheel` flags in `uv build` ([#7156](astral-sh/uv#7156))

##### Documentation

-   Document support for `UV_INSTALL_DIR` ([#7107](astral-sh/uv#7107))
-   List all supported sdist formats ([#7168](astral-sh/uv#7168))

### [`v0.4.7`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#047)

[Compare Source](astral-sh/uv@0.4.6...0.4.7)

##### Enhancements

-   Add `--no-emit-project` and friends to `uv export` ([#7110](astral-sh/uv#7110))
-   Add `--output-file` to `uv export` ([#7109](astral-sh/uv#7109))
-   Prune unused source distributions from the cache in `uv cache prune` ([#7112](astral-sh/uv#7112))
-   Take intersection of constraint and requirements hashes ([#7108](astral-sh/uv#7108))

##### Performance

-   Skip metadata fetch for `--no-deps` and `pip sync` ([#7127](astral-sh/uv#7127))

##### Bug fixes

-   Avoid panicking when encountering an invalid Python version during `uv python list` ([#7131](astral-sh/uv#7131))
-   Write trailing newline to `.python-version` files ([#7140](astral-sh/uv#7140))

### [`v0.4.6`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#046)

[Compare Source](astral-sh/uv@0.4.5...0.4.6)

##### Enhancements

-   Accept `--build-constraints` in `uv build` ([#7085](astral-sh/uv#7085))
-   Add `--require-hashes` and `--verify-hashes` to `uv build` ([#7094](astral-sh/uv#7094))
-   Add `--show-version-specifiers` to `uv tool list` ([#7050](astral-sh/uv#7050))
-   Respect hashes in constraints files ([#7093](astral-sh/uv#7093))
-   Upgrade installer scripts ([#7092](astral-sh/uv#7092))
-   Allow specifying multiple packages in `uv tool upgrade` and `uninstall` ([#7037](astral-sh/uv#7037))
-   Sort by implementation in `uv python list` ([#6918](astral-sh/uv#6918))

##### Bug fixes

-   Invalidate lockfile when member versions change ([#7102](astral-sh/uv#7102))
-   Strip fragments from direct source URLs in lockfile ([#7061](astral-sh/uv#7061))
-   Support `--no-build` and `--no-binary` in `uv sync` et al ([#7100](astral-sh/uv#7100))
-   Use distribution hash over registry hash ([#7060](astral-sh/uv#7060))
-   Fix inverted log message ([#7063](astral-sh/uv#7063))
-   Adjust Docker `ENTRYPOINT` and `CMD` for inherited images ([#7054](astral-sh/uv#7054))

##### Documentation

-   Add winget to installers ([#7088](astral-sh/uv#7088))
-   Document how to disable path modifications during install ([#7090](astral-sh/uv#7090))
-   Document how to manually update locked package version ([#7083](astral-sh/uv#7083))
-   Document official `setup-uv` action ([#7056](astral-sh/uv#7056))
-   Update docs on `.python-version` file ([#7051](astral-sh/uv#7051))

### [`v0.4.5`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#045)

[Compare Source](astral-sh/uv@0.4.4...0.4.5)

##### Enhancements

-   Implement `uv build` ([#6895](astral-sh/uv#6895))
-   Add `--package` support to `uv build` ([#6990](astral-sh/uv#6990))
-   Prune unreachable packages from lockfile ([#6959](astral-sh/uv#6959))
-   Prune unreachable wheels from lockfile ([#6961](astral-sh/uv#6961))
-   Show build output by default in `uv build` ([#6912](astral-sh/uv#6912))
-   Support `uv build --wheel` from source distributions ([#6898](astral-sh/uv#6898))
-   Use the root project name for the project virtual environment prompt ([#7021](astral-sh/uv#7021))

##### Bug fixes

-   Fix handling of inline optional dependencies in `uv add` ([#7023](astral-sh/uv#7023))
-   Reflect exit code in `uv tool run` and `uv run` ([#6994](astral-sh/uv#6994))
-   Revert `pyproject.toml` modifications on Ctrl-C ([#7024](astral-sh/uv#7024))
-   Rollback `pyproject.toml` changes on all errors ([#7022](astral-sh/uv#7022))
-   Use correct ordering semantics for narrowing upper-bounded Python requirements ([#7031](astral-sh/uv#7031))
-   Fix segfault in Windows trampolines ([#6955](astral-sh/uv#6955))
-   Remove unused `__future__.annotations` import in `_virtualenv.py` ([#6996](astral-sh/uv#6996))

##### Documentation

-   Add documentation for `uv build` ([#6991](astral-sh/uv#6991))
-   Add note to `extra` and `all-extras` in `uv sync` help ([#7013](astral-sh/uv#7013))
-   Add project docs for `project.scripts` ([#7010](astral-sh/uv#7010))
-   Fix available Docker image tag rendering and shorten list ([#7017](astral-sh/uv#7017))
-   Touchup to the project environment config section ([#7038](astral-sh/uv#7038))
-   Clarify precedence of `uv.toml` ([#6986](astral-sh/uv#6986))
-   Fix available Docker tags for `-slim` variants ([#7041](astral-sh/uv#7041))

</details>

Labels: enhancement (New feature or improvement to existing functionality), security

Linked issue (successfully merging this pull request may close it): Respect SHAs in --constraints and --build-constraints files

3 participants