You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adding support for pip's --hash option in the requirement parser, for example
- pip:
- my_module === 1.2.3 --hash=sha256:1234
Using that hash to create a lockfile
Questions
Is this going into the right direction? And some more specific questions:
The unit test is mostly copied from other another test. Should this be factorized?
This solution only works for a single hash. The documentation states that you can specify multiple hashes for the same package, for example for different platforms. As far as I can see this is not supported by conda-lock's hash model. But maybe it's not needed, because conda-lock supports different platforms anyway.
I created two new subclasses which hold the hash, mostly because I didn't want to break anything. But I'm not sure if that's the best approach.
I'm not sure how to resolve the mypy issue in pypi_solver.py (PoetryDependency not having the get_hash_model method). I agree with mypy that the solution is not really consistent, because some dependencies still carry the hash in their URL. Maybe PoetryURLDependency and PoetryVCSDependency could be extended with a get_hash_model method as well?
Thanks so much @sfinkens for all your work on this! I like your approach.
It's fine as-is. I would really like to get the test suite refactored, and I'd be very grateful for any help you could provide. But I see that as a different issue.
I think it's fine for now. We could support it later if there's demand for it, but I suspect it isn't worth the effort.
Looks good to me.
As for the mypy issue in particular, I think all you need to do is to inline _dependency_provides_hash. Then you should be solid from a typing perspective. Could you be more specific about the inconsistency you're concerned about? (I'm sure you're thinking more deeply that I am on this subject.)
and I was wondering if that logic could be delegated to the corresponding dependency classes
def get_requirements():
hash = op.package.dependency.get_hash_model()
# ...
class PoetryURLDependency:
def get_hash_model()
# variant 1
class PoetryVCSDependency:
def get_hash_model():
# variant 2
class PoetryDependencyWithHash:
def get_hash_model():
# variant 3
We couldn't get rid of the if block entirely, but maybe make it a bit smaller. Then mypy wouldn't complain anymore, because every dependency class provides that method. But now that I think about it, that's maybe beyond the scope of this PR.
Regarding 4. I find the if nice and explicit. Unless there's a really clean and obvious class hierarchy, tucking away logic into class methods seems unnecessarily indirect. Since this is all a bit of a hack, I'd rather have that hack in one place upfront in the if block, if that makes any sense. :)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fix #624 by
--hashoption in the requirement parser, for exampleQuestions
Is this going into the right direction? And some more specific questions:
pypi_solver.py(PoetryDependencynot having theget_hash_modelmethod). I agree with mypy that the solution is not really consistent, because some dependencies still carry the hash in their URL. MaybePoetryURLDependencyandPoetryVCSDependencycould be extended with aget_hash_modelmethod as well?