pip freezing (==) isn't safe (intermediate) anthony explains #455

Today I walk through why == pinning isn't enough to ensure repeatability, due to an *intentional* feature. Personally, I hope this "feature" gets removed.

==========

I won't ask for subscriptions / likes / comments in videos but it really helps the channel. If you have any suggestions or things you'd like to see please comment below!
Comments

This is one reason I like pip-tools: it adds the hashes to the requirements files, so they can be verified on install.

thisfred

I was gonna say pipenv and poetry do locking using the checksums; that might be a "solution", though it has other problems, part of which you mentioned. At least the lockfiles of those tools take into account that users might need multiple wheels for the same version of a package (e.g. one v2.0.0 wheel for Mac users, another v2.0.0 wheel for Linux, yet another one for Windows, ...) and lock those with their checksums, too.

con-f-use

Doesn't sound like a bug per se. From the name of the option itself, a "build number" would be the same version of the software, just possibly rebuilt with different options / settings and not justifying a version bump. I'd say if you fundamentally can't trust the source of your package at the level of package semantics, you have much bigger problems, and a requirements specifier isn't supposed to be used as a security tool to protect against that.

madumlao
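The comment above is about what the video calls the build number: the optional build tag that PEP 427 allows in a wheel filename, between the version and the Python tag. An exact `==` pin compares only the version, so a wheel of the same version re-uploaded with a build tag still satisfies the pin, and pip's candidate ranking uses the build tag as a tie-breaker in favour of the higher build. The following is an added example, not the video's code and not pip's own resolver; it is a simplified model (versions compared as plain strings, no PEP 440 normalization) over a constructed index listing for a hypothetical package `examplepkg`.

```python
# Added example (not from the video or from pip's own code): a simplified model
# of how a wheel's optional build tag survives an exact "==" pin.
# Wheel filenames follow PEP 427:
#   {name}-{version}(-{build tag})?-{python tag}-{abi tag}-{platform tag}.whl
# A "==" specifier compares only {version}, so every build of that version
# satisfies the pin; pip breaks the tie by preferring the highest build tag.
import re
from typing import NamedTuple, Optional

WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)"
    r"(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)


class Wheel(NamedTuple):
    filename: str
    name: str
    version: str
    build: Optional[str]


def parse_wheel(filename: str) -> Wheel:
    m = WHEEL_RE.match(filename)
    if m is None:
        raise ValueError(f"not a PEP 427 wheel filename: {filename}")
    return Wheel(filename, m["name"], m["version"], m["build"])


def build_sort_key(build: Optional[str]):
    # PEP 427: a build tag starts with a digit and sorts as (int, remainder).
    # No build tag sorts below any build tag (empty tuple < non-empty tuple).
    if build is None:
        return ()
    m = re.match(r"^(\d+)(.*)$", build)
    return (int(m.group(1)), m.group(2))


def matching(filenames, name, pinned_version):
    """Every wheel that satisfies `name==pinned_version` (simplified: the
    version string is compared verbatim, without PEP 440 normalization)."""
    return [
        w for w in map(parse_wheel, filenames)
        if w.name == name and w.version == pinned_version
    ]


def select(filenames, name, pinned_version) -> Optional[Wheel]:
    """Model of pip's tie-break between equal versions: highest build tag wins."""
    candidates = matching(filenames, name, pinned_version)
    if not candidates:
        return None
    return max(candidates, key=lambda w: build_sort_key(w.build))


# Constructed index listing (hypothetical package): the wheel you tested
# against, plus a later re-upload of the *same version* that differs only
# by a build tag.
INDEX = [
    "examplepkg-2.0.0-py3-none-any.whl",
    "examplepkg-2.0.0-1-py3-none-any.whl",
    "examplepkg-1.9.0-py3-none-any.whl",
]

if __name__ == "__main__":
    for w in matching(INDEX, "examplepkg", "2.0.0"):
        print("satisfies ==2.0.0:", w.filename)
    chosen = select(INDEX, "examplepkg", "2.0.0")
    print("would be installed:", chosen.filename)
```

Both 2.0.0 wheels satisfy `examplepkg==2.0.0`, and the rebuilt `-1-` wheel is the one selected, which is exactly why a requirements file that records only `==` versions does not identify a single artifact.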

All hail `pip-compile --generate-hashes`! ^___^ Thanks for the great topic! It's funny how easy it is to inject a malicious package into a private PyPI index server.

atugushev

Another point for conda. "conda env export" pins build hashes in addition to the version. The whole Python packaging ecosystem is such a mess and always has been. Conda is the only solution that makes it make sense, in spite of the PyPA's best efforts to keep it bad.

johnflynn

Maybe it's a bug in packaging.SpecifierSet? Because pip uses it internally; maybe it's already fixed in the main branch of the packaging repo, but there is no release.

lonterel

Anthony, how do you implement hash validation?

dumbqs
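On the question above, and on the earlier comments recommending pip-tools and `pip-compile --generate-hashes`: a hashed requirements file records one or more `--hash=sha256:...` entries per pinned line (one per acceptable wheel, e.g. per platform), and `pip install --require-hashes -r requirements.txt` refuses any artifact whose digest is not listed, as well as any line that carries no hash at all. The following is an added example written for this page, not pip's or pip-tools' code; it performs that check by hand over a constructed requirements file for a hypothetical `examplepkg`, with byte strings standing in for the wheel files and the "good" hash computed at runtime so the script is self-contained.

```python
# Added example (not from the video, and not pip's or pip-tools' own code):
# the check that pip's hash-checking mode performs, written out by hand.
# A pip-tools-style requirements line pins the artifact, not just the version:
#   examplepkg==2.0.0 --hash=sha256:<hex> --hash=sha256:<hex>
import hashlib
import re
import shlex
from typing import Dict, List

HASH_RE = re.compile(r"^(?P<algo>sha256|sha384|sha512):(?P<hex>[0-9a-f]+)$")


def parse_requirements(text: str) -> Dict[str, List[str]]:
    """Map each requirement line (e.g. 'examplepkg==2.0.0') to its --hash list.
    Handles backslash continuations and '#' comments like a requirements file."""
    pins: Dict[str, List[str]] = {}
    logical = text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        req, hashes = tokens[0], []
        for tok in tokens[1:]:
            if not tok.startswith("--hash="):
                raise ValueError(f"unsupported option in pinned file: {tok}")
            m = HASH_RE.match(tok[len("--hash="):])
            if m is None:
                raise ValueError(f"malformed hash: {tok}")
            hashes.append(f"{m['algo']}:{m['hex']}")
        pins[req] = hashes
    return pins


def digest(data: bytes, algo: str) -> str:
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def verify_artifact(pins: Dict[str, List[str]], req: str, data: bytes) -> bool:
    """True only if `data` matches one of the hashes recorded for `req`.
    A line with no hashes is rejected outright: that is what --require-hashes
    enforces, so a rebuilt wheel cannot slip in under an unhashed line."""
    allowed = pins.get(req)
    if not allowed:
        return False
    return any(digest(data, h.split(":", 1)[0]) == h for h in allowed)


# Constructed stand-ins for wheel bytes (hypothetical package). Real wheels are
# zip files; the check does not care about contents, only the bytes as shipped.
ORIGINAL_WHEEL = b"PK\x03\x04 examplepkg-2.0.0-py3-none-any.whl as tested"
REBUILT_WHEEL = b"PK\x03\x04 examplepkg-2.0.0-1-py3-none-any.whl rebuilt"

# What a hashed requirements file looks like for the good wheel; the digest is
# computed here at runtime so the example runs offline.
REQUIREMENTS = (
    "examplepkg==2.0.0 \\\n"
    f"    --hash={digest(ORIGINAL_WHEEL, 'sha256')}\n"
    "unpinnedpkg==1.0.0\n"  # no --hash: rejected in hash-checking mode
)
PINS = parse_requirements(REQUIREMENTS)

if __name__ == "__main__":
    print("original wheel accepted:", verify_artifact(PINS, "examplepkg==2.0.0", ORIGINAL_WHEEL))
    print("rebuilt wheel accepted: ", verify_artifact(PINS, "examplepkg==2.0.0", REBUILT_WHEEL))
    print("unhashed pin accepted:  ", verify_artifact(PINS, "unpinnedpkg==1.0.0", b"anything"))
```

The same-version rebuild fails because its bytes differ, which is the property a bare `==` pin lacks. The same check applies to wheels vendored into a repository: the hash file is what ties a pin to one specific artifact, wherever it is served from.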

Isn't it still the case that packages can be overwritten on PyPI, by removing and re-uploading under the same name? Or has this been changed?

ChristianBrugger

I like poetry export without hashes, but idk if it solves the problem you mentioned here; gotta check it out.

amir.hessam

Wait, this sounds like some sort of society-crumbling bug waiting to explode, right?

dhruvakashyap

So it would be nice to have an option for "pip freeze" to include the build numbers?

alexprengere

pip/pypi is a security nightmare. It's worse than npm; it just was lucky enough to not get the headlines.

-morrow

You can also download all your required wheels and keep them in your git repo along with the project, and use pip install.

soberhippie