erikrose / peep

A "pip install" that is cryptographically guaranteed repeatable
MIT License
221 stars 28 forks

pip v8 "TypeError: __init__() got an unexpected keyword argument 'allow_unverified'" #112

Closed edmorley closed 8 years ago

edmorley commented 8 years ago

Updating to pip v8.0.0 gives me this TypeError with peep v2.5.0.

vagrant ~/treeherder $ ./bin/peep.py install -r requirements/common.txt -r requirements/dev.txt

Oh no! Peep had a problem while trying to do stuff. Please write up a bug report
with the specifics so we can fix it:

https://github.com/erikrose/peep/issues/new

Here are some particulars you can copy and paste into the bug report:

peep: (2, 5, 0)
python: '2.7.11 (default, Dec 15 2015, 16:48:05) \n[GCC 4.8.4]'
pip: '8.0.0'
Command line:  ['./bin/peep.py', 'install', '-r', 'requirements/common.txt', '-r', 'requirements/dev.txt']
Traceback (most recent call last):
  File "./bin/peep.py", line 956, in <module>
    exit(main())
  File "./bin/peep.py", line 928, in main
    return commands[argv[1]](argv[2:])
  File "./bin/peep.py", line 860, in peep_install
    for path in req_paths))
  File "./bin/peep.py", line 860, in <genexpr>
    for path in req_paths))
  File "./bin/peep.py", line 835, in downloaded_reqs_from_path
    finder = package_finder(argv)
  File "./bin/peep.py", line 386, in package_finder
    return PackageFinder(index_urls=index_urls, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'allow_unverified'

I know hashing support has been added to pip v8, however if peep supported pip v8, it would make the transition easier, since we could update the pip used first, and only then update our requirements files/{pip,peep} invocations :-)

edmorley commented 8 years ago

--allow-unverified was removed in: https://github.com/pypa/pip/commit/0f5d4286a5c6fc55832ef4c8c036fdce068cdf3b

Given the behaviour it added ("Allow the installation of a package even if it is hosted in an insecure and unverifiable way") seems undesirable for peep, I would suggest we drop support for it entirely, and not just for pip v8.

https://github.com/erikrose/peep/blob/4215691b9fdcdad7297141976c5dccca26427aa8/peep.py#L365

erikrose commented 8 years ago

The security lost by files "hosted in an insecure and unverifiable way" is almost entirely restored by our hash-checking. (The only exception is that your requests aren't encrypted on the wire.) So it's not a total no-brainer. Still, it sure makes pip 8 support easy, and I doubt people are using it much.
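The crash in the report comes from peep forwarding `allow_unverified` into `PackageFinder(**kwargs)` after pip 8 removed that parameter. As an added example (not peep's or pip's own code), the helper below filters the kwargs against whatever constructor the installed pip exposes, dropping the legacy flags with a warning rather than raising TypeError; `Pip7Finder` and `Pip8Finder` are constructed stand-ins whose signatures only mirror the two shapes peep has to cope with.

```python
import inspect
import warnings

# Legacy pip options peep forwarded into PackageFinder(); pip 8 removed the
# *_unverified / *_external ones, which is the TypeError in the report.
LEGACY_FLAGS = ("allow_unverified", "allow_all_external", "allow_external")


def compatible_finder_kwargs(finder_cls, requested):
    """Return (accepted, dropped): kwargs finder_cls.__init__ takes, and
    legacy flags this pip no longer understands.

    Dropping them is acceptable for peep: the downloaded archive is still
    hash-checked, so only on-the-wire confidentiality, not integrity, depends
    on how the index hosts the file. An unknown non-legacy option is a real
    bug and still raises.
    """
    params = inspect.signature(finder_cls.__init__).parameters
    takes_var_kw = any(p.kind is inspect.Parameter.VAR_KEYWORD
                       for p in params.values())
    accepted, dropped = {}, []
    for name, value in requested.items():
        if name in params or takes_var_kw:
            accepted[name] = value
        elif name in LEGACY_FLAGS:
            dropped.append(name)
            warnings.warn("%s is not supported by this pip; ignoring it "
                          "(hash checking still verifies the download)" % name)
        else:
            raise TypeError("unexpected PackageFinder option: %s" % name)
    return accepted, dropped


# Stand-ins constructed for this example (not pip's real classes); only the
# constructor signatures matter here.
class Pip7Finder(object):
    def __init__(self, find_links, index_urls, allow_unverified=(),
                 allow_all_external=False):
        self.opts = dict(find_links=find_links, index_urls=index_urls,
                         allow_unverified=allow_unverified,
                         allow_all_external=allow_all_external)


class Pip8Finder(object):
    def __init__(self, find_links, index_urls):
        self.opts = dict(find_links=find_links, index_urls=index_urls)


def build_finder(finder_cls, requested):
    """What peep's package_finder() could do: filter first, then construct."""
    accepted, _ = compatible_finder_kwargs(finder_cls, requested)
    return finder_cls(**accepted)
```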