python-poetry / poetry

Python packaging and dependency management made easy
https://python-poetry.org
MIT License

Does the experimental.new-installer check for package hash mismatch? #7347

Closed haydenseitz closed 1 year ago

haydenseitz commented 1 year ago

Issue

I stumbled upon a difference in behavior between the default installer (experimental.new-installer true) and the legacy(?) installer (experimental.new-installer false). I recently found that a package version hash changed, and it was causing my local poetry install to fail. However, our CI builds were still working, as well as other colleagues' local builds.

To reproduce, here is a poetry.lock file that has the old hash for the python-crontab package. Disable the new installer with poetry config experimental.new-installer false, use the provided pyproject.toml and poetry.lock, and run poetry install. The install should fail with a hash mismatch for python-crontab. However, when trying the same steps with poetry config experimental.new-installer true, I do not get a mismatch error, and the package with a different hash seems to be installed. Is there an issue here or is something else going on with the new installer?

haydenseitz commented 1 year ago

whelp, reading through what I think is a similar issue with pipenv, I'm thinking the legacy installer may just not be aware of the newer wheel release in the python-crontab package, so it's failing when trying to install the older setup.py dist package, instead of installing the wheel dist. Whereas the new installer is correctly using the wheel dist of that package, which has a different package file and therefore a different hash.

Hopefully that makes sense 😅

Ant3ng commented 1 year ago

I also failed to install Pillow with poetry config experimental.new-installer false, so I changed the config with poetry config experimental.new-installer true, and I can install it. Thank you!

I put the error message here (in the case of poetry config experimental.new-installer false):

me: poetry add Pillow
Using version ^9.4.0 for pillow

Updating dependencies
Resolving dependencies... (0.3s)

Writing lock file

Package operations: 1 install, 0 updates, 0 removals

  - Installing pillow (9.4.0)

Command ['/Users/<my directory name>/.venv/bin/python', '-m', 'pip', 'install', '--no-deps', '--no-input', '-r', '/var/folders/h6/yd44n32x4c9c2tt79hyy5htw0000gn/T/pillow-9.4.0jmk9myukreqs.txt'] errored with the following return code 1, and output: 
Collecting pillow==9.4.0
  Using cached Pillow-9.4.0-1-cp311-cp311-macosx_10_10_x86_64.whl (3.3 MB)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pillow==9.4.0 from https://files.pythonhosted.org/packages/20/46/8f6f569584425c5250cd26c79ab2f56df42e388e6a737ae8eafa939ac607/Pillow-9.4.0-1-cp311-cp311-macosx_10_10_x86_64.whl (from -r /var/folders/h6/yd44n32x4c9c2tt79hyy5htw0000gn/T/pillow-9.4.0jmk9myukreqs.txt (line 1)):
        Expected sha256 0845adc64fe9886db00f5ab68c4a8cd933ab749a87747555cec1c95acea64b0b
             Got        fb5c1ad6bad98c57482236a21bf985ab0ef42bd51f7ad4e4538e89a997624e12

radoering commented 1 year ago

We have been recommending not to disable experimental.new-installer for a while now. Unfortunately, we neglected to deprecate the old installer. The name of the setting is quite confusing. (It was chosen when the new installer was still experimental. It isn't experimental anymore, but the setting's name did not change.) The old installer will probably be deprecated in the next release. See #7358 for details.

Considering the planned deprecation, I doubt someone will spend the time to debug issues of the old installer.

Regarding the original issue: If the wheel was added later and you locked before, you will probably want to clear your cache and lock again.

dimbleby commented 1 year ago

Re the original report: there never was any bug with the "new" installer in the first place. Poetry skips over the python-crontab wheel (because indeed it does not appear in the lockfile) and chooses the sdist instead.

should be closed.

github-actions[bot] commented 8 months ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.