@enough-analyst-54434 I am trying to create a constraints file using pip-compile (instead of using pip freeze) this is following what is now considered best practice(https://github.com/pypa/warehouse/blob/dffce426d48d779f5495c01547234993e3a3e523/Makefile#L124), however that seems to be incompatible w/ pex this is an attempt to lock down the constraints file (I want to add hashes) that will help protect some forms of supply chain attacks. see: https://pyconus2021.hubilo.com/community/#/session-stream/57619 https://github.com/di/talks/blob/master/2021/pyconus_2021/talk.pdf pex doesn't allow this: https://github.com/pantsbuild/pex/blob/6720d4c64fb033e8418b2e14535512baa01b9a2d/pex/vendor/_vendored/pip/pip/_internal/req/req_install.py#L878

I believe it is underlying pip that doesn't allow hashes in constraints files. We would have to use the resulting lockfile as a requirements file. cc @hundreds-father-404 re the lockfiles design doc

pip itself doesn't have any issue with that...

It does if you used -c instead of -r

this is what pypi.org uses... https://github.com/pypa/warehouse/blob/dffce426d48d779f5495c01547234993e3a3e523/Dockerfile#L113 https://github.com/pypa/warehouse/blob/dffce426d48d779f5495c01547234993e3a3e523/requirements/main.txt

Yes, constraints files are underpowered and will be going away

One lesson is Pex is almost assuredly acting like Pip in any given situation. The only likely divergence is at PEX file runtime when the PEX file boostraps its sys.path with the embedded dependencies.

it doesn't seem to be.... so now i am confused... since this is pex logic that makes those checks on the constraints file... pip should be able to handle extras and hashes (for example).

It is not pex logic that makes those files. Its Pants's pex rules. Pex does not generate constraints files or requirements files. Only Pants does.