If a hash is incorrect, pip will fail with a command like:
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
django==2.0.0 from https://pypi.python.org/packages/44/98/35b935a98a17e9a188efc2d53fc51ae0c8bf498a77bc224f9321ae5d111c/Django-2.0-py3-none-any.whl#md5=da2fdc3901e8751aa7835f49fb6246b2 (from -r requirements.txt (line 7)):
Expected sha256 6914851d4a7ff8cbd32b73c6076441f377c45a5bbff7e771798fb02c43c31f47
Expected or af18618ce3291be5092893d8522fe3916961bf3a1fb60e3858ae74865a4f07c2
Got af18618ce3291be5092893d8522fe3919661bf3a1fb60e3858ae74865a4f07c2
However, pip-sync will not fail. It will happily install the package even if the hashes do not match. I expect pip-sync to also fail if it can't verify the package hashes.
Environment Versions
Linux -- Fedora 27
Python version: 3.6.3
pip version: 9.0.1
pip-tools version: 1.11.0
Steps to replicate
Change the hashes in requirements.txt so they are obviously wrong
Run pip-sync requirements.txt in a fresh virtualenv
Expected result
pip-sync fails with a loud warning that the hashes do not match (like pip)
Actual result
pip-sync installs the packages with mismatched hashes.
I have written a test script to demonstrate. In this script, pip-sync installs packages with mismatched hashes. At the end, the test is rerun with pip to demonstrate what I believe should happen.
requirements.in:
test.sh:
Full script output:
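As an added example (not the reporter's test.sh and not pip-tools code), this is the check the report expects pip-sync to perform before installing: parse the --hash pins from a requirements file and compare a downloaded archive against them, refusing both a mismatch and an unpinned requirement. The requirements text and the artifact bytes are constructed for the example.

```python
import hashlib
import re

# One of pip's per-requirement hash options, e.g. --hash=sha256:<hex>.
HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


def parse_hashed_requirements(text):
    """Map each requirement line to {algo: set(expected hex digests)}.

    Joins backslash continuations, strips comments ('#' after whitespace, so a
    URL fragment like '#md5=...' survives) and skips option lines ('-r ...').
    A requirement with no --hash maps to {}; pip's --require-hashes mode must
    treat that as an error rather than as "anything goes".
    """
    reqs = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()
        if not line or line.startswith("-"):
            continue
        hashes = {}
        for m in HASH_OPT.finditer(line):
            hashes.setdefault(m["algo"], set()).add(m["digest"].lower())
        reqs[line.split("--hash", 1)[0].strip()] = hashes
    return reqs


def verify_artifact(data, expected):
    """Check archive bytes against pinned hashes; returns (ok, detail).
    ok is False when nothing is pinned or no pinned digest matches; detail
    mirrors pip's 'Expected ... / Got ...' wording."""
    if not expected:
        return False, "no hash pinned for this requirement"
    detail = ""
    for algo, digests in expected.items():
        got = hashlib.new(algo, data).hexdigest()
        if got in digests:
            return True, f"{algo} matched"
        detail = f"Expected {algo} {' or '.join(sorted(digests))}\nGot {got}"
    return False, detail


# Constructed sample: a stand-in artifact, one correct pin and one pin whose
# last hex digit is flipped (the kind of mismatch pip refuses to install).
GOOD_WHEEL = b"constructed stand-in for Django-2.0-py3-none-any.whl"
GOOD_SHA = hashlib.sha256(GOOD_WHEEL).hexdigest()
TAMPERED_SHA = GOOD_SHA[:-1] + ("0" if GOOD_SHA[-1] != "0" else "1")
SAMPLE_REQUIREMENTS = f"""django==2.0.0 \\
    --hash=sha256:{GOOD_SHA}
six==1.11.0 --hash=sha256:{TAMPERED_SHA}  # deliberately wrong
"""
```

Running verify_artifact over every entry returned by parse_hashed_requirements before any install step is the behaviour the report asks for; a single failing entry should abort the whole sync.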