Calculate and store hash for url dependencies #7122

@dunkmann00

Description

  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have searched the FAQ and general documentation and believe that my question is not already covered.

I think it would be useful if poetry calculated hashes for URL dependencies and stored them in poetry.lock.

After exporting dependencies to a requirements.txt file, I tried to install them with pip. I was met with this error message:

ERROR: Hashes are required in --require-hashes mode, but they are missing from
some requirements. Here is a list of those requirements along with the hashes
their downloaded archives actually had. Add lines like these to your
requirements files to prevent tampering. (If you did not enable --require-hashes
manually, note that it turns on automatically when any package has a hash.)

One of the dependencies I was using is a GitHub zip download that is a patch of a library. This was the problem, as it had no hash in the requirements file.

After looking through the poetry docs and GitHub Issues, I came across python-poetry/poetry-plugin-export#146 and python-poetry/poetry-plugin-export#164. This seemed to be exactly the same issue I was having. From reading through those, it seems the reason the hashes aren't exported is that the lock file doesn't actually store any hashes for a URL dependency.

I tried some different ways of including the dependency and found something interesting. When using a local file as a dependency, the SHA hash is created. Better still, it is included in the export command's output as one would expect.

After finding this, I thought it would be interesting to dig into poetry and try to figure out how to replicate the behavior in file dependencies. So here we are...

I have opened #7121 and python-poetry/poetry-core#535 which are the two changes that I made to add this functionality. I don't know if these changes will be welcomed, so I am hoping to get some feedback from the maintainers! I would be happy to make any changes deemed appropriate.

Thanks for taking a look at this and for all you do with poetry.
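As an added illustration of what the requested feature would give pip to check, here is a small Python example of hash-pinning a URL archive and verifying a download against the pin the way pip's hash-checking mode does. This is example code written for this page, not code from poetry, poetry-core, the export plugin or the linked PRs; `DEP_NAME` and `DEP_URL` are placeholders, and the "GitHub zip download" is a constructed in-memory zip so the example runs offline.

```python
import hashlib
import io
import shlex
import zipfile

# Placeholder names for the example; not real packages or URLs.
DEP_NAME = "patched-lib"
DEP_URL = "https://example.invalid/patched-lib.zip"


def build_sample_archive(payload: str = "VERSION = '1.0.0+patch1'\n") -> bytes:
    """Constructed stand-in for a GitHub zip download of a patched library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fixed timestamp so the archive bytes, and therefore its hash, are reproducible.
        info = zipfile.ZipInfo("patched_lib/__init__.py", date_time=(2020, 1, 1, 0, 0, 0))
        zf.writestr(info, payload)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Hex digest that follows 'sha256:' in a pip --hash option."""
    return hashlib.sha256(data).hexdigest()


def requirement_line(name: str, url: str, archive: bytes) -> str:
    """Render a hash-pinned URL requirement: `name @ url --hash=sha256:<hex>`.

    This is the shape an export would need to emit for pip's hash-checking
    mode to accept a URL dependency instead of failing on it.
    """
    return f"{name} @ {url} --hash=sha256:{sha256_hex(archive)}"


def parse_hashes(line: str) -> dict[str, set[str]]:
    """Collect every --hash=alg:hex option on one requirements line, grouped by algorithm."""
    hashes: dict[str, set[str]] = {}
    for tok in shlex.split(line):
        if tok.startswith("--hash="):
            alg, _, hexdigest = tok[len("--hash="):].partition(":")
            hashes.setdefault(alg.lower(), set()).add(hexdigest.lower())
    return hashes


def verify_download(line: str, downloaded: bytes) -> bool:
    """Check a downloaded archive against the hashes pinned on its requirements line.

    Mirrors pip's hash-checking behaviour: a requirement with no hash is an
    error (the situation described in the issue), and a requirement with
    hashes passes only if the archive matches at least one of them.
    """
    pinned = parse_hashes(line)
    if not pinned:
        raise ValueError("Hashes are required in --require-hashes mode, but they are missing")
    for alg, digests in pinned.items():
        if alg not in hashlib.algorithms_available:
            continue  # unknown algorithm cannot vouch for the file
        if hashlib.new(alg, downloaded).hexdigest().lower() in digests:
            return True
    return False


if __name__ == "__main__":
    genuine = build_sample_archive()
    line = requirement_line(DEP_NAME, DEP_URL, genuine)
    print(line)
    print("genuine archive accepted:", verify_download(line, genuine))
    # Same URL, different content: what a tampered or silently re-published archive looks like.
    tampered = build_sample_archive("VERSION = '1.0.0+patch1'\nimport os; os.system('id')\n")
    print("tampered archive accepted:", verify_download(line, tampered))
```

The point of the pin is the second case: a URL alone identifies where an archive came from, not what it contained, so a lock file that records the hash of a URL dependency lets pip reject an archive that changes under the same URL, exactly as it already can for the local-file dependencies the issue mentions.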

Metadata

Assignees

No one assigned

    Labels

    kind/feature (Feature requests/implementations)
    status/triage (This issue needs to be triaged)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests