Closed jsirois closed 3 months ago
I appreciate any and all reviews as always. That said, in this case, I'll be blocking on your opinion @huonw. There are some eye-of-the-beholder decisions here that I'd like your second eye on.
I've only had a moment for a quick skim but looks reasonable: nice approach with the warning message, and the introduction of `--format pip-no-hash` seems sensible (and the name looks good: obviously preserving `--format pip` for backwards compatibility, but even if starting from scratch, seems better to have the "more secure" version as the easier default).
Could you indicate which parts you're thinking are worth particular attention?
That's it, you covered it all in that paragraph.
Although Pex supports locking VCS requirements and local project requirements, it does so with a bespoke system for fingerprinting each; as such, the `--hash`es emitted when exporting lock files containing these types of requirements are not actually usable in practice. Continue to support exporting this class of lock file, but warn of the potential problems and offer a new `--format pip-no-hash` mode for the daring. In addition, change the requirements output for this class of lock file to match the input requirement for best fidelity when actually attempting to use the resulting exported requirement file without `--hash`es.

Fixes #2416
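The problem the PR describes, as an added illustration rather than Pex's own code: a small checker that scans an exported requirements file and flags lines that carry `--hash` for a VCS URL or a local project path, which pip's hash-checking mode cannot verify. The sample file and its digests are constructed for the example, not real lock output.

```python
import re
from typing import List

# Constructed sample of an exported requirements file: one pinned wheel with a
# usable hash, one VCS requirement and one local project, both carrying hashes
# that pip cannot verify. Digests are placeholders, not real values.
SAMPLE = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
git+https://example.invalid/org/proj.git@abc123#egg=proj \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
./local/project --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
"""

VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")
LOCAL_PREFIXES = ("./", "../", "/", "file:")


def join_continuations(text: str) -> List[str]:
    """Merge backslash-continued lines into single logical requirement lines,
    dropping blank lines and comments and collapsing internal whitespace."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            lines.append(" ".join(buf.split()))
        buf = ""
    return lines


def is_unhashable(req: str) -> bool:
    """A VCS URL or local path has no sdist/wheel archive for pip to hash,
    so any --hash attached to it can never be checked."""
    spec = re.split(r"\s--hash=", req, maxsplit=1)[0].strip()
    return spec.startswith(VCS_PREFIXES) or spec.startswith(LOCAL_PREFIXES)


def find_unusable_hashes(text: str) -> List[str]:
    """Return logical lines that carry --hash but cannot pass pip's hash checking."""
    return [ln for ln in join_continuations(text)
            if "--hash=" in ln and is_unhashable(ln)]


if __name__ == "__main__":
    for bad in find_unusable_hashes(SAMPLE):
        print("unverifiable --hash:", bad)
```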