sigstore / sigstore-conformance

Conformance testing for Sigstore clients
https://sigstore.dev

dev-requirements: enforce sigstore ~= 2.0 #136

Closed woodruffw closed 5 months ago

woodruffw commented 5 months ago

This ought to always resolve, but there's nothing preventing pip from selecting an older version without it.

h/t @segiddins

woodruffw commented 5 months ago

Sigh, I see what happened here:

```
The conflict is caused by:
ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts
    The user requested sigstore-protobuf-specs~=0.3.0
    sigstore 2.1.2 depends on sigstore-protobuf-specs~=0.2.2
    The user requested sigstore-protobuf-specs~=0.3.0
    sigstore 2.1.0 depends on sigstore-protobuf-specs~=0.2.2
    The user requested sigstore-protobuf-specs~=0.3.0
    sigstore 2.0.1 depends on sigstore-protobuf-specs~=0.2.0
    The user requested sigstore-protobuf-specs~=0.3.0
    sigstore 2.0.0 depends on sigstore-protobuf-specs~=0.2.0

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict
```

sigstore-python 2.x is ranged to sigstore-protobuf-specs ~= 0.2, but we've intentionally bumped to ~= 0.3 because of https://github.com/sigstore/sigstore-conformance/pull/132. So this fails to resolve a released version of 2.x.
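
The conflict in the pip output above can be checked by hand by expanding each `~=` clause into a version range and intersecting the ranges. This is an added example, not code from the PR or from sigstore-conformance; the helper names are hypothetical, the pins are copied from the pip output, and only numeric final-release versions are handled (no pre-releases, no other operators).

```python
# Pins copied from the pip output above:
# sigstore release -> its sigstore-protobuf-specs requirement.
SIGSTORE_PINS = {
    "2.1.2": "~=0.2.2",
    "2.1.0": "~=0.2.2",
    "2.0.1": "~=0.2.0",
    "2.0.0": "~=0.2.0",
}
WIDTH = 4  # pad release tuples so that 0.3 and 0.3.0 compare equal


def _pad(parts):
    parts = tuple(parts)
    return parts + (0,) * (WIDTH - len(parts))


def parse(version):
    """'2.1.2' -> (2, 1, 2, 0)"""
    return _pad(int(p) for p in version.split("."))


def compatible_range(spec):
    """PEP 440 '~=X.Y[.Z]' as a half-open [lower, upper) pair of tuples."""
    if not spec.startswith("~="):
        raise ValueError(f"only '~=' clauses are handled: {spec!r}")
    parts = [int(p) for p in spec[2:].strip().split(".")]
    if len(parts) < 2:
        raise ValueError("'~=' needs at least two release segments")
    # Drop the last segment and bump the one before it: ~=0.2.2 -> <0.3
    upper = parts[:-2] + [parts[-2] + 1]
    return _pad(parts), _pad(upper)


def satisfies(version, spec):
    lower, upper = compatible_range(spec)
    return lower <= parse(version) < upper


def overlaps(spec_a, spec_b):
    """True if at least one version could satisfy both clauses."""
    lo_a, hi_a = compatible_range(spec_a)
    lo_b, hi_b = compatible_range(spec_b)
    return max(lo_a, lo_b) < min(hi_a, hi_b)


def resolvable(sigstore_spec, specs_spec, pins=SIGSTORE_PINS):
    """sigstore releases that match sigstore_spec and whose pin can coexist with specs_spec."""
    ok = (v for v, pin in pins.items()
          if satisfies(v, sigstore_spec) and overlaps(pin, specs_spec))
    return sorted(ok, key=parse)
```
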