peterbe / hashin

Helping you write hashed entries for packages in your requirements.txt
https://www.peterbe.com/plog/hashin
MIT License

Order of hashes shouldn't matter #93

Closed peterbe closed 5 years ago

peterbe commented 5 years ago

Consider this example:

▶ python hashin.py -r ~/songsearch/requirements.txt --dry-run --update-all
--- Old
+++ New
...
 xmltodict==0.11.0 \
-    --hash=sha256:add07d92089ff611badec526912747cf87afd4f9447af6661aca074eeaf32615 \
-    --hash=sha256:8f8d7d40aa28d83f4109a7e8aa86e67a4df202d9538be40c0cb1d70da527b0df
+    --hash=sha256:8f8d7d40aa28d83f4109a7e8aa86e67a4df202d9538be40c0cb1d70da527b0df \
+    --hash=sha256:add07d92089ff611badec526912747cf87afd4f9447af6661aca074eeaf32615

Nothing has actually changed, but for some reason the order of the hashes is different this time. That would cause an unnecessary change.

peterbe commented 5 years ago

Note: it is not safe to ignore the problem if the package (e.g. xmltodict) hasn't changed version number. The hashes could legitimately be different.
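An added example (not hashin's own code) of the comparison the two comments above call for: hashes are compared as a set, so a reordered list is a no-op, while a changed set at the same version still counts as an update, and output is rendered in sorted order so it is stable between runs. The sample entry and the helper names are constructed for this illustration.

```python
import re
from typing import Iterable, Set, Tuple

# Constructed sample of one hashed entry, in the layout hashin writes.
OLD_ENTRY = (
    "xmltodict==0.11.0 \\\n"
    "    --hash=sha256:add07d92089ff611badec526912747cf87afd4f9447af6661aca074eeaf32615 \\\n"
    "    --hash=sha256:8f8d7d40aa28d83f4109a7e8aa86e67a4df202d9538be40c0cb1d70da527b0df\n"
)

_HASH_RE = re.compile(r"--hash=(\w+:[0-9a-fA-F]+)")


def parse_entry(entry: str) -> Tuple[str, str, Set[str]]:
    """Split 'name==version \\ --hash=... \\ --hash=...' into its parts.

    Hashes come back as a set: the order of the lines in the file carries
    no meaning, only the collection of acceptable digests does.
    """
    first, _, rest = entry.partition("--hash=")
    name, _, version = first.strip().rstrip("\\").strip().partition("==")
    hashes = set(_HASH_RE.findall("--hash=" + rest))
    return name, version, hashes


def needs_update(old_entry: str, new_version: str, new_hashes: Iterable[str]) -> bool:
    """True only when the version or the *set* of hashes actually differs.

    Set comparison makes a reordered hash list a no-op, but a new or
    withdrawn digest at the same version is still reported as a change.
    """
    _, old_version, old_hashes = parse_entry(old_entry)
    return old_version != new_version or old_hashes != set(new_hashes)


def render_entry(name: str, version: str, hashes: Iterable[str]) -> str:
    """Write the entry with hashes sorted by digest, so output is stable."""
    lines = [f"{name}=={version}"]
    lines.extend(f"    --hash={h}" for h in sorted(set(hashes)))
    return " \\\n".join(lines) + "\n"
```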