sighingnow / libclang

(Unofficial) Release libclang (clang.cindex) on pypi.
https://pypi.org/project/libclang

cannot install with poetry anymore #19

Closed jc-louis closed 2 years ago

jc-louis commented 2 years ago

This package cannot be installed with poetry as of a few hours ago. I think this might be related to the update made for https://github.com/sighingnow/libclang/issues/18#issuecomment-1005805391 without a version bump.

$ poetry init
$ poetry add libclang

  • Installing libclang (12.0.0): Failed

  RuntimeError

  Retrieved digest for link libclang-12.0.0-2-py2.py3-none-win_amd64.whl(sha256:46414009fcee8375ba64ea6c2c43c5b80a63e3a8b679f4293e00aa605b7265aa) not in poetry.lock metadata ['sha256:3b0585dbdc3f3b372340f1efe7c28bf4a5b658d2fb8dc0544a7ef0d2bef40618', 'sha256:6df2f8a2cb75181e3c1e99e5dfca2fd44bb7f84ed12d5112541e03c10384f306', 'sha256:b828cb52cf3f02fb0e0a8fddb9dece7e2ed006f8b4d54ee811cef0471d414367', 'sha256:275126823c60ab5c9fae6a433cbb6a47e4d1b5f668a985fbd6065553dbc7efcc', 'sha256:fadad3bf5fbab50c996eb151adc58c3a7cbee45a9135060c416be7b640372112']

Installing an older version still works

$ poetry add "libclang=<12.0.0"

aaliddell commented 2 years ago

Same issue here with a locked requirements file; the release artifacts have been overwritten on PyPI, with the old files pulled. This breaks anyone with locked dependencies, since the hashes no longer match and tools rightly flag this loudly as potential tampering with assets. Since TensorFlow transitively depends on this, I expect a lot of builds have started failing.

In future this should really be done as a new release, but are the old files able to be restored at this point, even if as 12.0.0-3?
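The check that makes poetry refuse a replaced wheel, as an added example that is not part of this thread or of the libclang project: it reads the sha256 list for a package from a constructed poetry.lock `[metadata.files]` excerpt (two digests are the ones quoted in the error above, the third is computed from constructed bytes, and the file names are placeholders) and accepts an artifact only if its digest is in that list.

```python
import hashlib
import re
from typing import List

# Constructed stand-ins for two artifacts fetched from the index. The second
# simulates a wheel re-uploaded under an existing filename, as happened here.
GOOD_WHEEL = b"constructed bytes of the originally locked wheel"
REPLACED_WHEEL = b"constructed bytes of a wheel re-uploaded under the same filename"

# Constructed poetry.lock excerpt. The first two sha256 values are quoted from
# the issue; the third is the digest of GOOD_WHEEL so the accepting path runs
# offline. File names are placeholders, not the real mapping on PyPI.
LOCK_EXCERPT = f'''
[metadata.files]
libclang = [
    {{file = "libclang-12.0.0-py2.py3-none-placeholder_a.whl", hash = "sha256:3b0585dbdc3f3b372340f1efe7c28bf4a5b658d2fb8dc0544a7ef0d2bef40618"}},
    {{file = "libclang-12.0.0-py2.py3-none-placeholder_b.whl", hash = "sha256:6df2f8a2cb75181e3c1e99e5dfca2fd44bb7f84ed12d5112541e03c10384f306"}},
    {{file = "libclang-12.0.0-py2.py3-none-placeholder_c.whl", hash = "sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}"}},
]
'''

# One inline table entry of the [metadata.files] list.
_ENTRY = re.compile(r'\{file = "(?P<file>[^"]+)", hash = "(?P<hash>sha256:[0-9a-f]{64})"\}')


def locked_hashes(lock_text: str, package: str) -> List[str]:
    """Return the sha256 digests recorded for `package` in the lock excerpt."""
    block = re.search(rf'^{re.escape(package)} = \[(.*?)^\]', lock_text, re.S | re.M)
    if not block:
        return []
    return [entry.group("hash") for entry in _ENTRY.finditer(block.group(1))]


def verify_artifact(data: bytes, allowed: List[str]) -> str:
    """Raise, like poetry does, if the retrieved digest is not in the lock metadata."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    if digest not in allowed:
        raise RuntimeError(f"Retrieved digest {digest} not in poetry.lock metadata {allowed}")
    return digest


def is_trusted(data: bytes, lock_text: str, package: str) -> bool:
    """True only when the artifact's digest is one the lockfile already pinned."""
    try:
        verify_artifact(data, locked_hashes(lock_text, package))
        return True
    except RuntimeError:
        return False
```

Re-uploading different bytes under a filename that is already locked can never pass this check; only a new release (new filename, new digest) lets consumers update their lock deliberately.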

ncoish commented 2 years ago

Same issue here. Can we get confirmation that this was a legitimate action taken by libclang and not a malicious replacement?

sighingnow commented 2 years ago

I thought it was ok to delete the problematic artifacts when fixing #18, without realizing the effect on some package managers.

Can we get confirmation that this was a legitimate action taken by libclang and not a malicious replacement?

It is not a malicious replacement.

In future this should really be done as a new release, but are the old files able to be restored at this point, even if as 12.0.0-3?

Yes, a new release is indeed required. I shouldn't delete old files when uploading new revisions.

sighingnow commented 2 years ago

@ncoish @aaliddell @jc-louis I would make a new release today and hope it could resolve the issue when folks upgrade the required version.

sighingnow commented 2 years ago

I'm reaching out to the pypi admins to see if they could help to recover the missing artifacts.

Apologies to anyone who is affected by this mistake.

antaradas94 commented 2 years ago

Stumbled upon the same error when trying to install tensorflow-gpu with poetry.

adammarples commented 2 years ago

I'm reaching out to the pypi admins to see if they could help to recover the missing artifacts.

Apologies to anyone who is affected by this mistake.

Any progress on this or should we pin to an earlier version?

konstin commented 2 years ago

@sighingnow pypi recently gained the option to yank releases, which is exactly for that case: the old wheels are still there, but won't be picked anymore unless you already had them in your lockfile

timothyjlaurent commented 2 years ago

Please fix this 😭

florian-stoica commented 2 years ago

@sighingnow Any news on this?

timothyjlaurent commented 2 years ago

@sighingnow the workflow shared by @konstin to yank a release could really help with this - can you please check it out and save Tensorflow?

timothyjlaurent commented 2 years ago

@sighingnow - if yank is too tough to get working, can we make a bugfix release we could rely on where the hashes match the package?

konstin commented 2 years ago

The solution is to simply poetry update! I only shared the information about yanking for future reference and on the chance that the old files might be restored

if yank is too tough to get working, can we make a bugfix release we could rely on where the hashes match the package?

No, the hashes are meant to prevent that, otherwise you could never be sure what you actually install

sighingnow commented 2 years ago

Hi folks @jc-louis @aaliddell @antaradas94 @adammarples @konstin @timothyjlaurent,

Sorry for the delay. I have uploaded a new release v13.0.0 to the pypi: https://pypi.org/project/libclang/13.0.0/#files

You folks can force the pypi (or other package managers) to bump up the dependency version to resolve the issue. I have opened a pull request to tensorflow to fix the downstream troubles.

The previous deleted files cannot be recovered and cannot be re-uploaded.

I have learned a lot in this issue and will do better in maintaining these releases. Thanks all folks for your patience ❤️

sighingnow commented 2 years ago

@sighingnow - if yank is too tough to get working, can we make a bugfix release we could rely on where the hashes match the package?

I will use a "bugfix release" in further bugfix uploads. Thanks for the advice!

sighingnow commented 2 years ago

Thanks for pointing me to the motivation for yank!

sighingnow commented 2 years ago

Closed as resolved.