
Is it safe to pin setuptools/distribute/pip in requirements.txt? #6459

@jcushman

Description

  • Pip version: pip 19.1
  • Python version: Python 3.5.3
  • Operating system: macOS 10.14.4

As documented in this issue over at pip-tools, if you install packages like pytest or Markdown with --require-hashes you have to pin a specific version of setuptools as well, because it's included in their dependencies:

$ cat requirements.txt
#
# This file is autogenerated by pip-compile
# To update, run:
#
#    pip-compile --generate-hashes
#
markdown==3.1 \
    --hash=sha256:fc4a6f69a656b8d858d7503bda633f4dd63c2d70cf80abdc6eafa64c4ae8c250 \
    --hash=sha256:fe463ff51e679377e3624984c829022e2cfb3be5518726b06f608a07a3aad680
$ pip install -r requirements.txt
Collecting markdown==3.1 (from -r requirements.txt (line 7))
  Using cached https://files.pythonhosted.org/packages/f5/e4/d8c18f2555add57ff21bf25af36d827145896a07607486cc79a2aea641af/Markdown-3.1-py2.py3-none-any.whl
Collecting setuptools>=36 (from markdown==3.1->-r requirements.txt (line 7))
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools>=36 from https://files.pythonhosted.org/packages/ec/51/f45cea425fd5cb0b0380f5b0f048ebc1da5b417e48d304838c02d6288a1e/setuptools-41.0.1-py2.py3-none-any.whl#sha256=c7769ce668c7a333d84e17fe8b524b1c45e7ee9f7908ad0a73e1eda7e6a5aebf (from markdown==3.1->-r requirements.txt (line 7))

The pip-tools project does not pin setuptools without the scary-sounding --allow-unsafe flag, because "it may cause conflicts with pip itself". But the maintainers don't currently have a failing test case or know what the conflict would be. It also appears that setuptools was vendored by pip at some point, which might have changed the equation.

Can anyone on the pip side clarify under what circumstances it might be safe or unsafe to pin setuptools, and thus what the correct behavior would be for pip-compile --generate-hashes in the linked bug? To promote the use of --require-hashes, it would be great to either narrow pip-compile's definition of "unsafe", or provide clearer instructions about how to handle the unsafety when needed.

The other two packages on pip-compile's "unsafe" list are distribute and pip itself, so I guess the same question applies to those as well -- are there any risks as far as pip is concerned to pinning them if necessary to satisfy --require-hashes?

Thanks!
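As an added example (not from the issue and not pip's or pip-tools' own code), the following Python re-implements the two checks that make --require-hashes useful for supply-chain integrity: every requirement, transitive ones included, must be pinned with == and carry at least one --hash, and a downloaded artifact must match one of the listed digests. The sample requirements are constructed: the markdown entry is the one from the issue, the setuptools lines stand in for the transitive dependency pip rejected, FAKE_WHEEL is a stand-in byte string rather than a real wheel, and pin_line is a helper written here, not pip-compile's generator.

```python
"""Pre-flight check for pip's --require-hashes mode (added example, not pip code).

Reproduces two checks pip applies with --require-hashes: every requirement
must be pinned with '==' and carry at least one --hash option, and an
artifact must match one of the listed digests. Sample data is constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

_HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9_]+):(?P<digest>[0-9a-fA-F]+)")
# Accepts only "name==version"; extras and environment markers are out of scope.
_PIN_RE = re.compile(r"^[A-Za-z0-9_.\-]+==\S+$")


@dataclass
class Requirement:
    spec: str          # e.g. "markdown==3.1" or "setuptools>=36"
    hashes: frozenset  # {(algo, hexdigest), ...}


def parse_requirements(text: str) -> list:
    """Parse a requirements.txt, joining backslash continuations as pip does."""
    reqs, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # continuation line: keep accumulating
            buf += line[:-1] + " "
            continue
        tokens = (buf + line).split()
        buf = ""
        spec = " ".join(t for t in tokens if not t.startswith("--"))
        hashes = frozenset(
            (m["algo"].lower(), m["digest"].lower())
            for m in map(_HASH_RE.fullmatch, tokens) if m
        )
        reqs.append(Requirement(spec, hashes))
    return reqs


def check_require_hashes(reqs) -> list:
    """One message per violation pip would reject; [] means the file passes."""
    problems = []
    for r in reqs:
        if not _PIN_RE.match(r.spec):
            problems.append(f"{r.spec}: version not pinned with ==")
        if not r.hashes:
            problems.append(f"{r.spec}: no --hash option")
    return problems


def verify_artifact(data: bytes, req: Requirement) -> bool:
    """True if data matches ANY listed digest; pip accepts any one match, which
    is how one entry can cover several wheels for different platforms."""
    for algo, digest in req.hashes:
        if algo not in hashlib.algorithms_available:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, digest):
            return True
    return False  # no hashes listed, or none matched


def pin_line(name: str, version: str, data: bytes) -> str:
    """Emit a pinned, hashed entry for one artifact in the layout that
    hash-pinned requirements files use (helper for this example)."""
    digest = hashlib.sha256(data).hexdigest()
    return f"{name}=={version} \\\n    --hash=sha256:{digest}\n"


# Constructed sample: the markdown entry from the issue plus the unpinned
# transitive setuptools requirement that pip complained about.
UNPINNED = """\
markdown==3.1 \\
    --hash=sha256:fc4a6f69a656b8d858d7503bda633f4dd63c2d70cf80abdc6eafa64c4ae8c250 \\
    --hash=sha256:fe463ff51e679377e3624984c829022e2cfb3be5518726b06f608a07a3aad680
setuptools>=36
"""

# Constructed stand-in for wheel bytes; not a real setuptools wheel.
FAKE_WHEEL = b"constructed stand-in for setuptools-41.0.1-py2.py3-none-any.whl"

# The same file after pinning setuptools explicitly with a hash.
PINNED = UNPINNED.replace("setuptools>=36\n", pin_line("setuptools", "41.0.1", FAKE_WHEEL))


if __name__ == "__main__":
    print("before:", check_require_hashes(parse_requirements(UNPINNED)))
    fixed = parse_requirements(PINNED)
    print("after:", check_require_hashes(fixed))
    print("wheel matches:", verify_artifact(FAKE_WHEEL, fixed[1]))
    print("tampered matches:", verify_artifact(FAKE_WHEEL + b"\x00", fixed[1]))
```

Running the block shows the failure mode from the issue (the unpinned setuptools>=36 line is rejected twice, once for the missing == pin and once for the missing hash) and that pinning it with a digest both satisfies the pre-check and lets a tampered artifact be rejected. Note that verification only covers artifacts whose hashes are in the file; a requirement with no hashes can never be verified, which is exactly why pip refuses to proceed rather than silently installing it.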
