yaml / pyyaml

Canonical source repository for PyYAML
MIT License

pip install fail #833

Closed tooptoop4 closed 1 month ago

tooptoop4 commented 1 month ago

pip3 install pyyaml==6.0.2

Collecting pyyaml==6.0.2
  Obtaining dependency information for pyyaml==6.0.2 from https://files.pythonhosted.org/packages/75/e4/2c27590dfc9992f73aabbeb9241ae20220bd9452df27483b6e56d3975cc5/PyYAML-6.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata
  Using cached PyYAML-6.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (2.1 kB)
Downloading PyYAML-6.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (762 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0/763.0 kB ? eta -:--:--
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    unknown package:
        Expected sha256 3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85
             Got        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[notice] A new release of pip is available: 23.2.1 -> 24.2
[notice] To update, run: pip install --upgrade pip

TomGoedeme commented 1 month ago

Having the same issue for an older version too:

17.13 Collecting pyyaml==6.0.1
17.15   Downloading PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (757 kB)
17.33      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━    704.5/757.7 kB 5.3 MB/s eta 0:00:01
17.34 ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
17.34     pyyaml==6.0.1 from https://files.pythonhosted.org/packages/7b/5e/efd033ab7199a0b2044dab3b9f7a4f6670e6a52c089de572e928d2873b06/PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (from -r requirements.txt (line 7)):
17.34         Expected sha256 d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673
17.34              Got        14cc3441254ff28ad7cae59ab729825f575e2e615fa7ed759ce134ef76c0bbd1

cesar-vermeulen commented 1 month ago

Experiencing the same issue on Python 3.12 and both PyYAML 6.0.1 / 6.0.2

yannickwellens commented 1 month ago

It's a block on Palo Alto, it detects it as a threat

m-ajay commented 1 month ago

It's a block on Palo Alto, it detects it as a threat

@yannickwellens I am not sure about that. I tried on my home computer, and I am still facing this issue.

drisbee commented 1 month ago

Is there any information about this? Our Palo Alto firewall also detected it as a threat.

nitzmahone commented 1 month ago

It appears that your pip cache contains a broken local wheel build of PyYAML 6.0.1 (note the very small file size, denoting a wheel with no binaries).

Removing those from the pip cache (e.g. pip cache remove PyYAML*), or skipping the cache entirely (pip install PyYAML --no-cache) should fix the problem. The hashes listed are consistent with what's on PyPI, but pip is likely favoring the broken locally-cached builds, leading to the mismatch (probably from an external freeze/constraint file).
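
Added example, not part of the thread or of PyYAML/pip: a small triage helper for the hash-mismatch output shown above. It separates a "Got" value that is the SHA-256 of zero bytes (pip hashed an empty body) from one that is the hash of some other content, and includes a file hasher for checking a wheel on disk against the pinned value. The function names and verdict labels are assumptions made for this example.

```python
import hashlib
import re

# SHA-256 of zero bytes of input; as "Got", it means pip hashed an empty body.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

_TS = re.compile(r"^\s*\d+\.\d+\s+")  # Docker build step timestamps ("17.34 ")
_EXPECTED = re.compile(r"Expected sha256 ([0-9a-f]{64})")
_GOT = re.compile(r"Got\s+([0-9a-f]{64})")


def parse_mismatches(log_text):
    """Return one dict per Expected/Got pair in pip's hash-mismatch output."""
    findings, package, expected, prev = [], None, None, ""
    for raw in log_text.splitlines():
        line = _TS.sub("", raw).strip()
        if m := _EXPECTED.search(line):
            package, expected = prev.rstrip(":"), m.group(1)
        elif (m := _GOT.search(line)) and expected:
            got = m.group(1)
            # empty-download: no wheel bytes were hashed; otherwise other bytes were.
            verdict = "empty-download" if got == EMPTY_SHA256 else "different-content"
            findings.append({"package": package, "expected": expected,
                             "got": got, "verdict": verdict})
            expected = None
        if line:
            prev = line
    return findings


def sha256_file(path, chunk_size=1 << 20):
    """Hash a wheel on disk so it can be compared with the pinned value."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Lines copied from the two logs in this thread.
SAMPLE_LOG = """\
    unknown package:
        Expected sha256 3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85
             Got        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
17.34     pyyaml==6.0.1 from https://files.pythonhosted.org/packages/7b/5e/efd033ab7199a0b2044dab3b9f7a4f6670e6a52c089de572e928d2873b06/PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (from -r requirements.txt (line 7)):
17.34         Expected sha256 d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673
17.34              Got        14cc3441254ff28ad7cae59ab729825f575e2e615fa7ed759ce134ef76c0bbd1
"""
```

Run on the sample, the first entry is classified as empty-download and the second as different-content; sha256_file can then be pointed at the cached or downloaded wheel to see which hash it actually carries.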