lively-exabyte-12840
03/01/2022, 3:30 PMhundreds-father-404
03/01/2022, 3:36 PM--hash
for every single entry if it is used by any single one, but there is no --hash
for VCS. So, you can't use --hash
at all, which is a bummer for supply chain safety but you can still at least use multiple resolves
Two ideas:
1. Still use generate-lockfiles
but then manually strip hashes.
2. Don't use Pants to generate the lockfiles. Use a technique like from https://www.pantsbuild.org/docs/python-third-party-dependencies#user-lockfile. You'll need to disable Pants's lockfile staleness checks by setting [python].invalid_lockfile_behavior = 'ignore'
Does that make sense?lively-exabyte-12840
03/01/2022, 3:40 PMhundreds-father-404
03/01/2022, 3:42 PM[python-repos]
, VCS requirements, or encounter that transitive-deps & env markers issue mentioned in the docs.
So, you won't yet benefit from Pants doing generation, but you can still benefit from Pants being able to consume multiple lockfiles
Then in hopefully Pants 2.11, we'll be able to switch to Pex doing lockfile generation a la pip, which will address those limitations.lively-exabyte-12840
03/01/2022, 3:49 PMhundreds-father-404
03/01/2022, 3:53 PM[python].resolves
points to the right paths and follow the instructions about the resolve
field etc.
Lockfile consumption is somewhat decoupled from lockfile generation, to your benefit.lively-exabyte-12840
03/02/2022, 3:10 PMflask@git+ssh://git@github.com/redacted/flask.git@rr/click8 ; platform_system=='Linux'
And it appears to work. Oh - I'm on 2.10.0rc2 and using enable_resolves=true, and this is in 3rdparty/python/default_lock.txt . Is that expected that the above works? I'm certainly glad it does! Haven't fully tested, but seems good so far, just wanted to verify I'm not doing anything wacky that just happens to workhundreds-father-404
03/02/2022, 4:43 PMhundreds-father-404
03/02/2022, 7:02 PM