https://pantsbuild.org/
#general

polite-garden-50641

05/17/2021, 4:59 PM
@enough-analyst-54434 I am trying to create a constraints file using pip-compile (instead of using pip freeze). This follows what is now considered best practice (https://github.com/pypa/warehouse/blob/dffce426d48d779f5495c01547234993e3a3e523/Makefile#L124); however, that seems to be incompatible w/ pex. This is an attempt to lock down the constraints file (I want to add hashes), which will help protect against some forms of supply chain attacks. See: https://pyconus2021.hubilo.com/community/#/session-stream/57619 https://github.com/di/talks/blob/master/2021/pyconus_2021/talk.pdf Pex doesn't allow this: https://github.com/pantsbuild/pex/blob/6720d4c64fb033e8418b2e14535512baa01b9a2d/pex/vendor/_vendored/pip/pip/_internal/req/req_install.py#L878

happy-kitchen-89482

05/17/2021, 5:06 PM
I believe it is underlying pip that doesn't allow hashes in constraints files. We would have to use the resulting lockfile as a requirements file. cc @hundreds-father-404 re the lockfiles design doc

polite-garden-50641

05/17/2021, 5:16 PM
pip itself doesn't have any issue with that...

hundreds-father-404

05/17/2021, 5:18 PM
It does if you used -c instead of -r
Tl;dr, we're aware of this limitation. Constraints files are going to be removed by true lockfiles, and part of that will be supporting files like you generated
got it.

hundreds-father-404

05/17/2021, 5:19 PM
Yes, constraints files are underpowered and will be going away

enough-analyst-54434

05/17/2021, 6:22 PM
One lesson is Pex is almost assuredly acting like Pip in any given situation. The only likely divergence is at PEX file runtime when the PEX file bootstraps its sys.path with the embedded dependencies.

polite-garden-50641

05/17/2021, 7:32 PM
It doesn't seem to be... so now I am confused... since this is pex logic that makes those checks on the constraints file. pip should be able to handle extras and hashes (for example).

enough-analyst-54434

05/17/2021, 7:35 PM
It is not pex logic that makes those files. It's Pants's pex rules. Pex does not generate constraints files or requirements files. Only Pants does.
And Pants doesn't even generate those yet, just the pantsbuild.org recommended script hybrid thing does.
Pip does not handle extras and hashes for a constraints file. Only for a requirements file.
Try it.
The fundamental issue was Pants abusing a constraints file for what it is not way back. It was a hack that solved some issues temporarily but did not solve others and sowed confusion.