Pypi packages + cibuildwheel Hi we re using cibuildwheel to Pants #general

Pypi packages + cibuildwheel: Hi, we're using cibu...

modern-london-16641

12/18/2023, 5:16 PM

Pypi packages + cibuildwheel: Hi, we're using cibuildwheel to pre-build wheels of third party dependencies that we use. When I use these wheels, I occasionally see a message like:

Copy code

Expected sha256 hash of db4db3c08ffbb18582f856545f058a7a5e4ab6f17f75795ca90b3c38ee0a8ba4 when downloading sqlalchemy but hashed to 87f49295ffab7bcf6808f9dacb451bf6b31410be53ba27b72564cc9efa971e34.

which I imagine is expected (since these are pre-built wheels, rather than sdists / released wheels).. Any thoughts on why this happens?

modern-london-16641

12/18/2023, 5:17 PM

It doesn't happen all the time? Also, we're using Gitlab's "registry" as our internal pypi server

broad-processor-92400

12/18/2023, 10:20 PM

Which version of SQLAlchemy? Plus, can you see if either of those hashes appear in your lockfile?

modern-london-16641

12/19/2023, 7:29 PM

This is the "expected" one: https://pypi.org/project/SQLAlchemy/1.4.50/#copy-hash-modal-57e746f8-1a3c-4128-8ec1-2f4086658299

modern-london-16641

12/19/2023, 7:29 PM

Let me see what our "internal" built hash for that wheel is

modern-london-16641

12/19/2023, 7:30 PM

Screenshot 2023-12-19 at 1.30.31 PM.png

modern-london-16641

12/19/2023, 7:31 PM

(aside: we rebuild this wheel because it doesn't have a mac arm wheel available)

modern-london-16641

12/19/2023, 7:36 PM

@broad-processor-92400 they both show up.. Let me see the context

🤔 1

modern-london-16641

12/19/2023, 7:38 PM

It looks like the

artifacts

section for

sqlalchemy

has files from pypi and our "internal" registry

modern-london-16641

12/19/2023, 7:40 PM

We have our registries configured as:

Copy code

[python-repos]
indexes = [
   # pypi passthrough and internal packages 
'<https://gitlab.com/api/v4/projects/><passthrough>/packages/pypi/simple',
  # internally built wheels of external projects '<https://gitlab.com/api/v4/projects/><internally_built_wheels>/packages/pypi/simple',
]

modern-london-16641

12/19/2023, 7:40 PM

I'm going to try and shift ordering, but perhaps the

generate-lockfile

pip

is just throwing them all together into the lockfile?

modern-london-16641

12/19/2023, 7:41 PM

Also, it doesn't happen consistently, so could be some sort of race-y condition

modern-london-16641

12/19/2023, 7:53 PM

cc @curved-manchester-66006

modern-london-16641

12/19/2023, 7:58 PM

Perhaps one workaround is just to use one index (with passthrough)..?

curved-manchester-66006

12/19/2023, 8:01 PM

Now that I look at this I'm confused how the gitlab passthru works, I naivey would expect all the `url`s to be from gitlab and not pythonhosted

modern-london-16641

12/19/2023, 8:16 PM

Good news: I think using https://docs.gitlab.com/ee/user/packages/pypi_repository/#install-from-the-group-level may be a quick fix on our part. There may (?) be another issue here, or this may be the "expected" result with having multiple indexes with the same package (but different hashes)

5 Views

Open in Slack

Previous Next