
requirement, resolvelib: Hash package contents to verify requirement file hashes #462

Merged (28 commits), Jan 25, 2023

Conversation

tetsuo-cpp (Contributor):

Closes #433

@tetsuo-cpp tetsuo-cpp marked this pull request as draft January 4, 2023 14:52
tetsuo-cpp (Contributor, Author) commented Jan 4, 2023:

Just pushing for visibility, this is not ready. Still needs tests, refinement, etc.

In order to get this to work, I've had to push hashed requirements files down the dependency resolution path, where we can no longer take advantage of the fact that these files are guaranteed to be fully resolved. We could potentially do something like hack the Candidate to report no sub-dependencies when hashes are provided.

There are some really ugly bits here that I'm not super pleased with. I'll sleep on it and come back to it tomorrow, but if anyone has a better design, I'd be glad to hear it.
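The check this pull request is about, verifying the contents of a fetched distribution against the `--hash` options in a hashed requirements file, is shown below as an added stand-alone example. It is not pip-audit's code or the author's implementation: the parser, the `HashedRequirement`/`HashMismatch` names, the verdict strings and the sample artifacts are all constructed here. It follows pip's hash-checking semantics as the example understands them: a requirement may list several digests (one per wheel plus the sdist) and any one match is enough, a requirement with no hashes is refused rather than silently accepted, and weak algorithms are rejected before any comparison.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Digest algorithms accepted in hash-checking mode; weaker ones are refused
# outright rather than merely failing to match.
STRONG_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})

_HASH_OPTION = re.compile(r"--hash=(?P<alg>[A-Za-z0-9]+):(?P<digest>[0-9A-Fa-f]+)")
_NAME_SPEC = re.compile(r"(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<spec>.*)")


class HashMismatch(Exception):
    """Raised when an artifact cannot be accepted under the file's hashes."""

    def __init__(self, reason: str, detail: str = ""):
        super().__init__(f"{reason}: {detail}" if detail else reason)
        self.reason = reason


@dataclass
class HashedRequirement:
    name: str
    specifier: str
    # algorithm -> set of acceptable hex digests (one per allowed artifact)
    hashes: dict[str, set[str]] = field(default_factory=dict)


def parse_hashed_requirements(text: str) -> list[HashedRequirement]:
    """Parse pip-style hashed requirements, honouring backslash continuations."""
    requirements: list[HashedRequirement] = []
    logical = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip():
            requirements.append(_parse_logical_line(logical))
        logical = ""
    return requirements


def _parse_logical_line(line: str) -> HashedRequirement:
    tokens = line.split()
    match = _NAME_SPEC.fullmatch(tokens[0])
    if match is None:
        raise ValueError(f"cannot parse requirement: {tokens[0]}")
    req = HashedRequirement(match["name"].lower(), match["spec"])
    for token in tokens[1:]:
        opt = _HASH_OPTION.fullmatch(token)
        if opt is None:
            raise ValueError(f"unsupported option in hashed requirements: {token}")
        req.hashes.setdefault(opt["alg"].lower(), set()).add(opt["digest"].lower())
    return req


def verify_artifact(req: HashedRequirement, artifact: bytes) -> str:
    """Return the algorithm under which the artifact matched; raise otherwise."""
    if not req.hashes:
        raise HashMismatch("no-hashes", req.name)
    weak = set(req.hashes) - STRONG_ALGORITHMS
    if weak:
        raise HashMismatch("weak-algorithm", f"{req.name}: {sorted(weak)}")
    for alg, digests in req.hashes.items():
        if hashlib.new(alg, artifact).hexdigest() in digests:
            return alg
    raise HashMismatch("mismatch", req.name)


def audit_requirements(text: str, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Map each requirement name to a verdict for its downloaded artifact."""
    verdicts: dict[str, str] = {}
    for req in parse_hashed_requirements(text):
        data = artifacts.get(req.name)
        if data is None:
            verdicts[req.name] = "missing-artifact"
            continue
        try:
            verdicts[req.name] = "ok:" + verify_artifact(req, data)
        except HashMismatch as exc:
            verdicts[req.name] = "rejected:" + exc.reason
    return verdicts


# Constructed stand-ins for a wheel and an sdist fetched from a third-party
# index; the real inputs would be the downloaded files' bytes.
WHEEL_BYTES = b"PK\x03\x04 constructed wheel contents for example-pkg 1.0.0"
SDIST_BYTES = b"\x1f\x8b constructed sdist contents for example-pkg 1.0.0"
TAMPERED_BYTES = WHEEL_BYTES + b"\n# constructed modification"

SAMPLE_REQUIREMENTS = (  # constructed hashed requirements file
    "# constructed hashed requirements file\n"
    "example-pkg==1.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(WHEEL_BYTES).hexdigest()} \\\n"
    f"    --hash=sha256:{hashlib.sha256(SDIST_BYTES).hexdigest()}\n"
    "unpinned-pkg==2.0.0\n"
    "weak-pkg==0.1 --hash=md5:d41d8cd98f00b204e9800998ecf8427e\n"
)

if __name__ == "__main__":
    good = {"example-pkg": SDIST_BYTES, "unpinned-pkg": b"x", "weak-pkg": b""}
    print(audit_requirements(SAMPLE_REQUIREMENTS, good))
    print(audit_requirements(SAMPLE_REQUIREMENTS, {"example-pkg": TAMPERED_BYTES}))
```

The verdicts make the failure modes distinct: an unhashed requirement and a requirement hashed with md5 are rejected even when the artifact is exactly what was published, because in hash-checking mode the absence of a strong pin is itself the finding; a modified artifact is reported as a mismatch, and a requirement whose artifact was never fetched is reported separately so it is not confused with a verified one.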

@tetsuo-cpp tetsuo-cpp requested review from woodruffw and di January 4, 2023 15:10
@tetsuo-cpp tetsuo-cpp marked this pull request as ready for review January 16, 2023 15:26
@tetsuo-cpp tetsuo-cpp requested a review from woodruffw January 16, 2023 15:26
woodruffw (Member) left a comment:

LGTM! A few small nits, but overall this looks great!

(We should also make sure to add a CHANGELOG entry before merging.)

@tetsuo-cpp tetsuo-cpp merged commit a082574 into main Jan 25, 2023
@tetsuo-cpp tetsuo-cpp deleted the alex/third-party-index-hashing branch January 25, 2023 02:47
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Mar 19, 2023
## [2.5.1]

### Fixed

* Fixed a crash on Windows caused by multiple open file handles to
  input requirements ([#551](pypa/pip-audit#551))

## [2.5.0]

### Changed

* Improved error messaging when a requirements input or indirect dependency
  has an invalid (non-PEP 440) requirements specifier
  ([#507](pypa/pip-audit#507))

* `pip-audit`'s handling of dependency resolution has been significantly
  refactored and simplified ([#523](pypa/pip-audit#523))

### Fixed

* Fixed a potential crash on invalid unicode in subprocess streams
  ([#536](pypa/pip-audit#536))

## [2.4.15]

**YANKED**

### Fixed

* Fixed an issue where hash checking would fail when using third-party indices
  ([#462](pypa/pip-audit#462))

* Fixed the behavior of the `--skip-editable` flag, which had regressed
  with an internal API change
  ([#499](pypa/pip-audit#499))

* Fixed a dependency resolution bug that can potentially be triggered when
  multiple packages have the same subdependency
  ([#488](pypa/pip-audit#488))
Successfully merging this pull request may close these issues:

Hash checking: respect third party indices