pip-sync does not verify hashes when installing packages #619
Labels
PR wanted
Feature is discussed or bug is confirmed, PR needed
Comments
@jdufresne Thanks for the report, and good catch! I took a quick look at the code: I feel like this could be changed, which could simplify

That makes sense to me. So, IIUC,

Yeah, I like that.
vphilippon added the PR wanted label on Dec 19, 2017.
If a hash is incorrect, pip will fail with a command like:

However, pip-sync will not fail. It will happily install the package even if the hashes do not match. I expect pip-sync to also fail if it can't verify the package hashes.

Environment Versions

Steps to replicate

1. requirements.txt so they are obviously wrong
2. pip-sync requirements.txt in a fresh virtualenv

Expected result

pip-sync fails with a loud warning that the hashes do not match (like pip).

Actual result

pip-sync installs the packages with mismatched hashes.

I have written a test script to demonstrate. In this script, pip-sync installs packages with mismatched hashes. At the end, the test is rerun with pip to demonstrate what I believe should happen.

requirements.in:

test.sh:

Full script output:
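The check the reporter is asking for, shown as an added Python example rather than pip's or pip-tools' own code: a small requirements parser that accepts only sha256/sha384/sha512 `--hash` pins (the algorithms pip accepts in hash-checking mode), verifies every artifact against its pinned digests before anything is installed, and refuses to proceed on any mismatch or unpinned line. The function names (`parse_requirements`, `verify_artifact`, `check_all`, `run_sample`), the constructed artifact bytes and the constructed requirements text are assumptions made here, not data from the issue.

```python
"""Hash-checking of pinned requirements, in the spirit of pip's hash-checking mode.

Added example for this issue; not pip's or pip-tools' code. The function names,
the constructed artifact bytes and the constructed requirements text are
assumptions made here.
"""
import hashlib
import re
import shlex

# pip only accepts these algorithms for --hash in hash-checking mode.
STRONG_HASHES = ("sha256", "sha384", "sha512")
HASH_OPT = re.compile(r"^--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)$")


class HashMismatch(Exception):
    """Raised when an artifact matches none of its pinned hashes, or has none."""


def parse_requirements(text):
    """Parse 'name==ver --hash=alg:hex ...' lines (backslash continuations and
    '#' comments allowed) into a list of (name, spec, {alg: {hex, ...}})."""
    reqs = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        spec = tokens[0]
        name = re.split(r"[=<>!~;\[]", spec, maxsplit=1)[0].strip().lower()
        hashes = {}
        for tok in tokens[1:]:
            m = HASH_OPT.match(tok)
            if not m:
                raise ValueError(f"{spec}: unsupported option {tok!r}")
            if m["alg"] not in STRONG_HASHES:
                raise ValueError(f"{spec}: weak or unknown hash algorithm {m['alg']!r}")
            hashes.setdefault(m["alg"], set()).add(m["digest"])
        reqs.append((name, spec, hashes))
    return reqs


def verify_artifact(spec, hashes, data):
    """Return the digest of `data` that matched a pin, or raise HashMismatch.

    A requirement with no hash is rejected too: one unpinned line would
    otherwise silently bypass the whole check."""
    if not hashes:
        raise HashMismatch(f"{spec}: no hash pinned for this requirement")
    for alg, allowed in hashes.items():
        actual = hashlib.new(alg, data).hexdigest()
        if actual in allowed:
            return actual
    expected = ", ".join(sorted(f"{a}:{d}" for a, ds in hashes.items() for d in ds))
    raise HashMismatch(f"{spec}: artifact hash does not match any of [{expected}]")


def check_all(reqs, artifacts):
    """Verify every artifact before installing anything.

    Returns (ok_names, problems). Install only when `problems` is empty:
    installing the good ones first and failing later would leave the
    environment half-synced."""
    ok, problems = [], []
    for name, spec, hashes in reqs:
        try:
            verify_artifact(spec, hashes, artifacts[name])
            ok.append(name)
        except HashMismatch as exc:
            problems.append(str(exc))
    return ok, problems


# Constructed sample data standing in for downloaded wheels/sdists.
ARTIFACTS = {
    "good-pkg": b"constructed bytes standing in for good_pkg-1.0-py3-none-any.whl",
    "bad-pkg": b"constructed bytes standing in for bad_pkg-2.3.tar.gz",
}
# One correct pin and one 'obviously wrong' pin, as in the issue's repro steps.
SAMPLE_REQUIREMENTS = f"""\
# constructed requirements.txt
good-pkg==1.0 \\
    --hash=sha256:{hashlib.sha256(ARTIFACTS['good-pkg']).hexdigest()}
bad-pkg==2.3 --hash=sha256:{'0' * 64}
"""


def run_sample():
    """Parse the constructed requirements and check both artifacts."""
    return check_all(parse_requirements(SAMPLE_REQUIREMENTS), ARTIFACTS)


if __name__ == "__main__":
    ok, problems = run_sample()
    print("verified:", ok)
    for p in problems:
        print("ERROR:", p)
    raise SystemExit(1 if problems else 0)
```

The practical check against a real environment is still the one the issue describes: `pip install --require-hashes -r requirements.txt` refuses a mismatched pin, and a sync tool is only trustworthy if it fails the same way. Checking every artifact before installing any, and treating an unpinned or weakly hashed line as an error rather than a pass, is what keeps a single bad line from turning a verified install into an unverified one.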