Poetry does not add all hashes for multiple constraint dependences #6349

@intgr

  • I am on the latest Poetry version.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

Issue

The same example as in #6327. If the package to be installed depends on the OS:

python-ldap = [
  { platform = "linux", version = "3.4.0" },
  { platform = "win32", url = "https://download.lfd.uci.edu/pythonlibs/archived/python_ldap-3.4.0-cp310-cp310-win_amd64.whl" },
]

Running poetry lock on Linux only adds hashes for the Linux version of the package. poetry.lock only contains:

python-ldap = [
    {file = "python-ldap-3.4.0.tar.gz", hash = "sha256:60464c8fc25e71e0fd40449a24eae482dcd0fb7fcf823e7de627a6525b3e0d12"},
]

And this is despite the fact that on Linux, poetry lock re-downloads the Windows package every time.

Resolving dependencies... Downloading https://download.lfd.uci.edu/pythonlibs/archived/python_ldap-3.4.0-cp310-cp310-win_amd64.whl   9%

Using this lockfile, poetry install on Windows causes the following error (note: this has different version numbers; I don't have Windows myself to reproduce cleanly):

 • Updating python-ldap (3.3.1 .../AppData/Local/pypoetry/Cache/artifacts/df/70f0/b890a4118f494cdc75350af78a5bd590e52b9edd2788ca3e01001d1ef1/python_ldap-3.3.1-cp310-cp310-win_amd64.whl -> 3.3.1 .../python_ldap-3.3.1-cp310-cp310-win_amd64.whl)

 RuntimeError
 Hash for python-ldap (3.3.1 http://.../python_ldap-3.3.1-cp310-cp310-win_amd64.whl) from archive python_ldap-3.3.1-cp310-cp310-win_amd64.whl not found in known hashes (was: sha256:a2822da1c27d6d15d2d3a7ccfda4f156810ab525acb5895d56e00611ae4c50f7)

 at ...\lib\site-packages\poetry\installation\executor.py:670 in _validate_archive_hash
      666│         archive_hash: str = "sha256:" + file_dep.hash()
      667│         known_hashes = {f["hash"] for f in package.files}                     
      668│                                                                               
      669│         if archive_hash not in known_hashes:                                  
    → 670│             raise RuntimeError(                                               
      671│                 f"Hash for {package} from archive {archive.name} not found in"
      672│                 f" known hashes (was: {archive_hash})"                        
      673│             )
      674│

I believe this is a regression in Poetry 1.2.0. It seems 1.1.14 simply ignored the missing hash on Windows, but 1.2 is stricter and fails because of it.
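
A pre-install check for the gap reported above, as an added example that is not part of the original issue or of Poetry's code: it lists url-pinned artifacts with no file entry (and so no hash) in the lock file, and repeats the hash comparison seen in the traceback. The function names are hypothetical, and the sample data is constructed from the snippets in the issue, written as already-parsed TOML.

```python
import hashlib
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample input: the issue's pyproject.toml constraints and the
# poetry.lock file list, written as the dicts a TOML parser would return.
CONSTRAINTS = {"python-ldap": [
    {"platform": "linux", "version": "3.4.0"},
    {"platform": "win32", "url": "https://download.lfd.uci.edu/pythonlibs/"
     "archived/python_ldap-3.4.0-cp310-cp310-win_amd64.whl"},
]}
LOCKED_FILES = {"python-ldap": [
    {"file": "python-ldap-3.4.0.tar.gz", "hash": "sha256:"
     "60464c8fc25e71e0fd40449a24eae482dcd0fb7fcf823e7de627a6525b3e0d12"},
]}


def unlocked_url_artifacts(constraints, locked_files):
    """Return (package, platform, filename) for each url constraint whose
    archive has no entry, and therefore no hash, in the lock file."""
    missing = []
    for package, entries in constraints.items():
        locked_names = {f["file"] for f in locked_files.get(package, [])}
        for entry in entries:
            if "url" not in entry:
                continue  # index-resolved versions are not checked here
            filename = PurePosixPath(urlparse(entry["url"]).path).name
            if filename not in locked_names:
                missing.append((package, entry.get("platform", "any"), filename))
    return missing


def archive_hash_known(archive_bytes, files):
    """Same comparison as the traceback: sha256 of the archive vs. locked hashes."""
    archive_hash = "sha256:" + hashlib.sha256(archive_bytes).hexdigest()
    return archive_hash in {f["hash"] for f in files}


if __name__ == "__main__":
    for package, platform, filename in unlocked_url_artifacts(CONSTRAINTS, LOCKED_FILES):
        print(f"{package}: no locked hash for {filename} (platform {platform})")
```

Run against the lock file generated on Linux, the check flags the win32 wheel before any Windows machine reaches the RuntimeError.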

Labels: area/core (Related to the poetry-core library), kind/bug (Something isn't working as expected)