Open sumanthratna opened 4 years ago
This is still an issue. Sounds simple enough to fix.
Just ran into this while trying to export a requirements.txt for a two-stage docker build. Is there something that needs to be done to help the open PR along?
There is a --without-hashes option for poetry export one can use if you know beforehand there are git requirements in your pyproject.toml.
This issue has been migrated as the underlying code has moved to a first-party plugin.
In my opinion, whatever is done here should be user-controllable. My ideal is, when there are mixed (index and VCS) requirements --without-hashes was specified, export without hashes, no problem.
I believe these options are useful, because in situations where one may rely on the VCS repo (say, the repo is owned by the owners of the project we're exporting), it is possible to export both separately, pip install --no-deps the VCS requirements, and then pip install the index requirements; relying on poetry's locking to make sure all the required dependencies are present.
So with a little grepping we can actually resolve this ourselves.
This works for me (alter as desired):
poetry export -f requirements.txt > requirements-base.txt
# -F matches the literal string "git+"; as a regex, 'git\+' also matches names such as gitdb
grep -F 'git+' requirements-base.txt > requirements-vcs.txt
grep -F -v 'git+' requirements-base.txt > requirements-hashed.txt
pip install -r requirements-vcs.txt
pip install -r requirements-hashed.txt
This is due to pip install implicitly setting --require-hashes if any of the requirements in a file has --hash:
pip install -h
...
--require-hashes Require a hash to check each requirement against, for repeatable installs. This
option is implied when any package in a requirements file has a --hash option.
Edit: I don't know whether poetry will export a line-wrapped vcs requirement but if it did then we'd need to be a little more clever than simply grepping. Ideally it would be something Poetry does.
Just one note:
poetry export -f requirements.txt > requirements-base.txt
grep -F 'git+' requirements-base.txt > requirements-vcs.txt
grep -F -v 'git+' requirements-base.txt > requirements-hashed.txt
pip install -r requirements-vcs.txt
pip install -r requirements-hashed.txt
When doing this, you need to be careful -- when installing the vcs requirements, if you do it as you wrote above, you open yourself up to sneaking in uncontrolled (2nd-order) dependencies. To prevent this, use
pip install --no-deps -r requirements-vcs.txt
pip install -r requirements-hashed.txt
After locking, the exported requirements (requirements-base.txt) should already include all the dependencies for the VCS dependencies; and that's how you want them installed.
Avoid adding --no-deps to the command for requirements-hashed.txt. Running without it serves as a sort of "sanity check" -- if all is well, no dependency needs to be added and the flag is meaningless; if any dependency does need to be added, it will not be hashed and will cause the installation to fail. But needing to add a dependency at that stage indicates a failure in locking or exporting, and then you're better off failing the installation and investigating.
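The split discussed in the two comments above, done on logical requirements rather than physical lines so that a line-wrapped VCS requirement stays whole. This is an added example, not part of any comment in this thread and not Poetry's or pip's code; the sample export, the gitdb pin and the hash values are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of exported output; hash values are placeholders.
SAMPLE = """\
numpy==1.18.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
hyperopt @ \\
    git+https://github.com/hyperopt/hyperopt.git
gitdb==4.0.5 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
"""

# VCS URL prefixes pip accepts; anchored so a name like "gitdb" never matches.
VCS_RE = re.compile(r"(?:^|[\s@])(?:git|hg|svn|bzr)\+\w+://")

def logical_lines(text):
    """Yield requirements with backslash continuations joined into one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            yield buf
        buf = ""

def split_requirements(text):
    """Return (vcs, hashed); raise if an index requirement carries no hash."""
    vcs, hashed = [], []
    for req in logical_lines(text):
        if VCS_RE.search(req):
            vcs.append(req)
        elif "--hash=" in req or req.startswith("--"):
            # Hashed pins, plus global options such as --index-url.
            hashed.append(req)
        else:
            raise ValueError(f"unhashed index requirement: {req}")
    return vcs, hashed

if __name__ == "__main__":
    vcs, hashed = split_requirements(SAMPLE)
    print("# requirements-vcs.txt    -> pip install --no-deps -r ...")
    print("\n".join(vcs))
    print("# requirements-hashed.txt -> pip install --require-hashes -r ...")
    print("\n".join(hashed))
```

Failing on an unhashed index requirement at split time surfaces a locking or export problem before anything is installed.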
Yay pypa/pip#11968
[x] I am on the latest Poetry version.
[x] I have searched the issues of this repo and believe that this is not a duplicate.
[x] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option). (n/a)
OS version and name: macOS 10.5.5 Beta
Poetry version: 1.0.5
Contents of pyproject.toml file:
[tool.poetry.dependencies]
python = "^3.6.1"
numpy = "^1.18.4"
hyperopt = {git = "https://github.com/hyperopt/hyperopt.git"}

[tool.poetry.dev-dependencies]
pytest = "^5.4.2"

[tool.poetry.scripts]

[build-system]
requires = ["poetry>=0.12"]
build-backend = "poetry.masonry.api"
ERROR: Can't verify hashes for these requirements because we don't have a way to hash version control repositories: hyperopt from git+https://github.com/hyperopt/hyperopt.git#egg=hyperopt (from -r requirements.txt (line 192))