From 9dec4d6f8841ea2521c5bd29552dd9fdd1f7d89c Mon Sep 17 00:00:00 2001 From: SomberNight Date: Fri, 4 Nov 2022 19:39:21 +0000 Subject: [PATCH] freeze_packages: better apply version restrictions on restricted deps hashin does not react well to package spec collisions: ``` $ touch txt $ python3 -m hashin -r txt "colorama==0.4.5" colorama $ cat txt colorama==0.4.6 \ --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \ --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6 ``` This lets pip resolve the version bounds instead. --- contrib/freeze_packages.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/contrib/freeze_packages.sh b/contrib/freeze_packages.sh index b3fa38a79cff..c0eeda6e8196 100755 --- a/contrib/freeze_packages.sh +++ b/contrib/freeze_packages.sh @@ -41,11 +41,15 @@ for suffix in '' '-hw' '-binaries' '-binaries-mac' '-build-wine' '-build-mac' '- echo "OK." requirements=$(pip freeze --all) + restricted=$(echo $requirements | ${SYSTEM_PYTHON} $contrib/deterministic-build/find_restricted_dependencies.py) - requirements="$requirements $restricted" + if [ ! -z "$restricted" ]; then + python -m pip install $restricted + requirements=$(pip freeze --all) + fi echo "Generating package hashes... (${reqfile})" - rm "$contrib/deterministic-build/${reqfile}" + rm -f "$contrib/deterministic-build/${reqfile}" touch "$contrib/deterministic-build/${reqfile}" # restrict ourselves to source-only packages. 
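Review bot: Nothing between `python -m pip install $restricted` and the second `pip freeze --all` verifies that the environment satisfies the version bounds before it is frozen and hashed. pip can finish such an install with exit status 0 while only reporting that another installed package's requirement is now unmet, because its resolver does not take every installed package into account, so an inconsistent set could end up pinned in the requirements file. Running `python -m pip check || exit 1` directly after the install, inside the `if`, would stop the freeze at that point. The install uses bare `python` while the line above it uses `${SYSTEM_PYTHON}`; this is presumably the virtualenv interpreter, but the activation is outside the hunk, so a comment such as `# venv python: must be the same environment that 'pip freeze' reads` would help. The enclosing `for suffix` loop starts and ends outside the hunk.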
@@ -63,10 +67,8 @@ for suffix in '' '-hw' '-binaries' '-binaries-mac' '-build-wine' '-build-mac' '- HASHIN_FLAGS="--python-version source" fi - for requirement in $requirements; do - echo -e "\r Hashing $requirement..." - ${SYSTEM_PYTHON} -m hashin $HASHIN_FLAGS -r "$contrib/deterministic-build/${reqfile}" "${requirement}" - done + echo -e "\r Hashing requirements for $reqfile..." + ${SYSTEM_PYTHON} -m hashin $HASHIN_FLAGS -r "$contrib/deterministic-build/${reqfile}" $requirements echo "OK." done
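Review bot: The hashin call now receives the whole set through the unquoted `$requirements`, so every entry is subject to word splitting and pathname expansion before hashin sees it. Plain `name==version` lines survive that, but a `pip freeze` line carrying a direct reference (`name @ url`) would be split into several arguments, and with a single invocation there is no longer a per-requirement message showing which entry was at fault. If the script runs under bash 4 or later (the shebang is outside the hunk), `mapfile -t reqs <<<"$requirements"` followed by passing `"${reqs[@]}"` in place of `$requirements` keeps one argument per frozen line. The loop body starts outside the hunk.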