Update Poetry

[matejcik]

dependabot PRs completely break our CI because they're using a newer version of poetry.lock.

We can, and should, update our Poetry to avoid this problem in the future.

[matejcik]

this is actually breaking HWI tests now

[mmilata]

We do want the hashes there for reproducibility reasons, right?

Currently we have poetry-1.1.13, today nixpkgs have 1.3.2 with 1.4.0 on the way NixOS/nixpkgs#218868.

[matejcik]

We do want the hashes there for reproducibility reasons, right?

absolutely, yes. i'm seeing some hashes discussion here, do you know what that is about?

[matejcik]

reproducibility reasons

security reasons, strictly speaking. if some part of the supply chain is attacked, we don't want to pull in a different thing just because it is called by the same name.

[mmilata]

do you know what that is about?

No idea tbh. I'm asking because we used to have the hashes before 5196f24, and running poetry add freeetype-py with poetry-1.1.3 adds them again, was wondering what's going on.

[prusnak]

NixOS/nixpkgs@2db5027 is the first nixpkgs commit that contains poetry-1.4.0

Hopefully it propagates soon from staging-next to nixpkgs-unstable.

[prusnak]

Hopefully it propagates soon from staging-next to nixpkgs-unstable.

Poetry 1.4.0 in nixpkgs-unstable now -> created PR #2890 which bumps nixpkgs to latest unstable and regenerates the poetry.lock file