@fridex fridex commented Mar 13, 2023

No description provided.

Fridolin Pokorny added 6 commits January 25, 2023 20:19
Signed-off-by: Fridolin Pokorny <fridolin.pokorny@datadoghq.com>

fridex commented Mar 13, 2023

Tested behaviour locally. It looks like pip freeze would break if we put the addressed provenance information into direct_url.json (instead of keeping it in a separate provenance_url.json file):

$ pip install flask
Collecting flask
  Using cached Flask-2.2.3-py3-none-any.whl (101 kB)
Requirement already satisfied: Werkzeug>=2.2.2 in ./.venv2/lib/python3.8/site-packages (from flask) (2.2.3)
Requirement already satisfied: Jinja2>=3.0 in ./.venv2/lib/python3.8/site-packages (from flask) (3.1.2)
Requirement already satisfied: itsdangerous>=2.0 in ./.venv2/lib/python3.8/site-packages (from flask) (2.1.2)
Requirement already satisfied: click>=8.0 in ./.venv2/lib/python3.8/site-packages (from flask) (8.1.3)
Requirement already satisfied: importlib-metadata>=3.6.0 in ./.venv2/lib/python3.8/site-packages (from flask) (6.0.0)
Requirement already satisfied: zipp>=0.5 in ./.venv2/lib/python3.8/site-packages (from importlib-metadata>=3.6.0->flask) (3.15.0)
Requirement already satisfied: MarkupSafe>=2.0 in ./.venv2/lib/python3.8/site-packages (from Jinja2>=3.0->flask) (2.1.2)
Installing collected packages: flask
Successfully installed flask-2.2.3

[notice] A new release of pip is available: 23.0.dev0 -> 23.0.1
[notice] To update, run: pip install --upgrade pip
$ cat .venv2/lib/python3.8/site-packages/Flask-2.2.3.dist-info/direct_url.json | jq
{
  "archive_info": {
    "hash": "sha256=c0bec9477df1cb867e5a67c9e1ab758de9cb4a3e52dd70681f59fa40a62b3f2d"
  },
  "url": "https://files.pythonhosted.org/packages/95/9c/a3542594ce4973786236a1b7b702b8ca81dbf40ea270f0f96284f0c27348/Flask-2.2.3-py3-none-any.whl"
}
$ pip freeze
click==8.1.3
Flask @ https://files.pythonhosted.org/packages/95/9c/a3542594ce4973786236a1b7b702b8ca81dbf40ea270f0f96284f0c27348/Flask-2.2.3-py3-none-any.whl#sha256=c0bec9477df1cb867e5a67c9e1ab758de9cb4a3e52dd70681f59fa40a62b3f2d
importlib-metadata==6.0.0
itsdangerous==2.1.2
Jinja2==3.1.2
MarkupSafe==2.1.2
Werkzeug==2.2.3
zipp==3.15.0

Here, the expected behaviour is stating flask==2.2.3 in the pip freeze output.

Thanks to @dstufft for pointing this out.
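
The behaviour reported above, as an added example that is not part of the original comment and is not pip's code: a simplified model in which the mere presence of direct_url.json switches the requirement line to the `name @ url#hash` form, while a separate provenance_url.json keeps the record without changing that line. The helper names, the constructed URL and hash, and the assumption that provenance_url.json carries the same fields as the direct_url.json shown above are illustrative.

```python
import json
import tempfile
from email.parser import Parser
from pathlib import Path

# Constructed sample record (placeholder URL and hash, not real values).
SAMPLE = {
    "url": "https://files.example.invalid/Flask-2.2.3-py3-none-any.whl",
    "archive_info": {"hash": "sha256=" + "0" * 64},
}


def freeze_line(dist_info: Path) -> str:
    """Simplified model of the requirement line for one installed distribution."""
    text = (dist_info / "METADATA").read_text()
    meta = Parser().parsestr(text, headersonly=True)
    direct = dist_info / "direct_url.json"
    if direct.is_file():
        # The file's presence marks the install as a direct-URL install,
        # so the line pins the URL instead of name==version.
        data = json.loads(direct.read_text())
        digest = data.get("archive_info", {}).get("hash")
        return f"{meta['Name']} @ {data['url']}" + (f"#{digest}" if digest else "")
    # provenance_url.json is deliberately never consulted here.
    return f"{meta['Name']}=={meta['Version']}"


def provenance(dist_info: Path):
    """Return (url, hash) from provenance_url.json, or None if absent."""
    path = dist_info / "provenance_url.json"
    if not path.is_file():
        return None
    data = json.loads(path.read_text())
    return data["url"], data["archive_info"]["hash"]


def make_dist_info(root: Path, record_file: str) -> Path:
    """Build a constructed Flask-2.2.3.dist-info holding SAMPLE in record_file."""
    d = root / record_file.split(".")[0] / "Flask-2.2.3.dist-info"
    d.mkdir(parents=True)
    (d / "METADATA").write_text("Metadata-Version: 2.1\nName: Flask\nVersion: 2.2.3\n")
    (d / record_file).write_text(json.dumps(SAMPLE))
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for record in ("direct_url.json", "provenance_url.json"):
            d = make_dist_info(Path(tmp), record)
            print(record, "->", freeze_line(d), "| provenance:", provenance(d))
```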

fridex commented Mar 28, 2023

Closing as testing showed the current limitations.

@fridex fridex closed this Mar 28, 2023
@fridex fridex deleted the provenance-only-provenance-url-json branch March 28, 2023 10:54