Concurrent execution of pip in multiple virtual environments fail (due to caching of packages) #12361
Comments
Hi, I believe so.
It's not clear to me if CacheControl was ever guaranteed to be safe for concurrent use. Maybe this is something where the new implementation is simply more likely to trigger race conditions? I'd be happy if this were fixed at the CacheControl level, but I'm not sure if it's something we should try to fix in pip. There's probably a lot of places where running multiple copies of pip in parallel is risky (for example doing multiple parallel installs to the same environment).
There was some attempt to allow atomic updates of cache files, at least, so this may be a regression. I will take a look.
I think I see an issue in CacheControl, at least. Previous cache format locking was tied to a file, and that was fine because both metadata and body were in the same file. Now they are two separate files, so each gets locked separately, and that's an opportunity for race conditions. In pip the locking logic is bypassed to use atomic replace via
There's a similar race condition when reading.
Options:
So... how does
Based on the above I think I am leaning towards option 3, but I might be missing a more obvious solution, and this is partially about policy and architecture, so I will await further feedback and keep thinking. I will implement whatever fix is chosen.
I don't have a major problem with vendoring. I'd prefer option 3, simply because it's no work for pip 🙂 But I'm not against option 2, subject to the above. I'm -1 on reverting. This feels like a relatively rare issue, and the benefits of the new cache are non-trivial. I'm against option 4, because as you say, locking at pip's level would be messy and too broad. Also, we'd have to maintain the code and it'll be tricky to get right. That's precisely the sort of reason we defer stuff like this to vendored packages. As far as option 5 is concerned, I think running pip in parallel has always been something of a "use at your own risk" exercise. I imagine that running
Taking a step back, while there is a race condition... shouldn't the download key be unique per specific download? If so, the window for the race condition is actually very, very short: the time between writing metadata and writing the body. And that might be fixable just by swapping the order in which body and metadata are written. Note I've gotten a corrupted hash once before, in older pip, and just assumed it was a memory bit flip somewhere in the CDN... So maybe the actual next step is for me to try to reproduce this.
Thanks for the rapid reaction and analysis, @itamarst !
I have personally always assumed the pip cache was multiprocess safe. FWIW, having several pip instances installing in different environments in parallel and sharing a common cache has always worked fine for my group at work. From #4766 I gather we removed Solution 3 would be interesting, but it would change the cache format, right? Not necessarily a blocking point. The One little problem with
Noting that protecting the cache from failed partial downloads is also important: #3792 (not sure if this is still an issue).
Another idea might be to download to a temporary folder and then try to rename (with `os.replace()`) the folder once both files have been created. If the rename does not work you can assume that another process just downloaded it (and you can delete the temporary folder). The penalty here is that a file could be downloaded twice. E.g. `os.replace(".cache/pip/http-v2/f/c/f/6/e_tmp_g27322g", ".cache/pip/http-v2/f/c/f/6/e")`
Failed partial downloads should be orthogonal to the storage mechanism.
OK, I couldn't reproduce in initial tests, but!

```python
>>> hashlib.sha256(b"").hexdigest()
'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
```

Notice that's the hash that was reported in the original bug report. So this does seem like a race condition: pip A sets metadata and then starts setting body; meanwhile pip B gets metadata and body, the body comes back as None, I came up with a minimal, There should still be fixes in CacheControl, for other potential users, but that seems less urgent.
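As an added example (not pip's or CacheControl's code) tying together the two-file race analysed above and the temporary-folder-plus-rename idea from earlier in the thread: a toy cache where each entry is a directory with separate metadata and body files, an unsafe writer that exposes the window between the two writes, an atomic writer that publishes the whole directory with one `os.replace()`, and a consumer check that refuses to treat a bodiless entry as a download. The directory layout, the constructed URL and payloads, and the `between` hook that stands in for a concurrently running reader are assumptions of this demo.

```python
"""Constructed illustration (not pip's or CacheControl's code) of the two-file cache race and the temp-dir-plus-rename fix."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

# sha256 of zero bytes: the hash the reporter saw, i.e. what a verifier computes
# when the cached body it read back was empty.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

@dataclass
class Entry:
    metadata: bytes
    body: Optional[bytes]  # None when the body file is absent

def entry_dir(cache_root: str, key: str) -> str:
    # One directory per key, holding separate "metadata" and "body" files.
    return os.path.join(cache_root, hashlib.sha256(key.encode()).hexdigest())

def read_entry(cache_root: str, key: str) -> Optional[Entry]:
    """None on a miss; metadata without a body yields body=None, as in the thread."""
    d = entry_dir(cache_root, key)
    try:
        with open(os.path.join(d, "metadata"), "rb") as f:
            metadata = f.read()
    except FileNotFoundError:
        return None
    try:
        with open(os.path.join(d, "body"), "rb") as f:
            return Entry(metadata, f.read())
    except FileNotFoundError:
        return Entry(metadata, None)

def write_entry_unsafe(cache_root: str, key: str, metadata: bytes, body: bytes,
                       between: Optional[Callable[[], None]] = None) -> None:
    """Metadata first, body second, as two independent writes; `between` is a
    demo-only hook that stands in for a reader running in that window."""
    d = entry_dir(cache_root, key)
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "metadata"), "wb") as f:
        f.write(metadata)
    if between:
        between()
    with open(os.path.join(d, "body"), "wb") as f:
        f.write(body)

def write_entry_atomic(cache_root: str, key: str, metadata: bytes, body: bytes,
                       between: Optional[Callable[[], None]] = None) -> bool:
    """Build both files in a temp dir beside the final location, then publish
    with one os.replace(); returns False if another writer published first."""
    final = entry_dir(cache_root, key)
    os.makedirs(cache_root, exist_ok=True)
    tmp = tempfile.mkdtemp(prefix=os.path.basename(final) + "_tmp_", dir=cache_root)
    try:
        with open(os.path.join(tmp, "metadata"), "wb") as f:
            f.write(metadata)
        if between:
            between()
        with open(os.path.join(tmp, "body"), "wb") as f:
            f.write(body)
        try:
            os.replace(tmp, final)  # atomic; fails if `final` already holds files
            return True
        except OSError:
            return False  # lost the race: downloaded twice, but never half-published
    finally:
        shutil.rmtree(tmp, ignore_errors=True)  # no-op after a successful rename

def body_hash_ok(entry: Optional[Entry], expected_sha256: str) -> bool:
    """Consumer check: a miss or bodiless entry is not a download, so never a hash mismatch."""
    if entry is None or entry.body is None:
        return False
    return hashlib.sha256(entry.body).hexdigest() == expected_sha256

def demonstrate(cache_root: Optional[str] = None) -> dict:
    """Replay the interleaving from the thread against both writers."""
    if cache_root is None:
        with tempfile.TemporaryDirectory() as root:
            return demonstrate(root)
    key, akey = "https://example.invalid/pkg-1.0.whl", "https://example.invalid/pkg-1.0.whl#atomic"
    meta, body = b'{"status": 200}', b"constructed wheel bytes"  # constructed payloads
    expected, seen = hashlib.sha256(body).hexdigest(), {}
    # Unsafe writer: reader B runs after A wrote the metadata but before A wrote the body.
    write_entry_unsafe(cache_root, key, meta, body,
                       between=lambda: seen.update(unsafe=read_entry(cache_root, key)))
    # Atomic writer: the same reader in the same window sees no entry at all.
    first = write_entry_atomic(cache_root, akey, meta, body,
                               between=lambda: seen.update(atomic=read_entry(cache_root, akey)))
    second = write_entry_atomic(cache_root, akey, meta, body)  # a second writer loses the rename
    partial = seen["unsafe"]
    return {
        "unsafe_hash_of_what_it_saw": hashlib.sha256(partial.body or b"").hexdigest(),
        "unsafe_check_rejects_partial": not body_hash_ok(partial, expected),
        "atomic_reader_saw_miss": seen["atomic"] is None,
        "atomic_first_published_second_lost": first and not second,
        "atomic_final_entry_verifies": body_hash_ok(read_entry(cache_root, akey), expected),
    }
```

On POSIX the rename of a directory onto a destination that already holds files fails with ENOTEMPTY, which is exactly the signal the losing writer needs; Windows refuses to replace an existing directory at all, which gives the same outcome.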
Oh! I also had this error and this hash yesterday. After investigating I realized I was getting the same error going to the previous version of pip and therefore it wasn't related to the pip upgrade. I found that our corporate firewall was blocking a wheel (specifically Flower 1.2.0), and rather than throwing an exception that the file failed to download I got this hash error. Could this be the issue here? Can OP downgrade pip, clear their cache, and rerun their tests?
The downside of this fix is that the cache can no longer be used for non-downloads, e.g. redirects; is that a use case at all? It doesn't seem like it.
The merged solution works fine in our environment.
pip 23.3.1 has been released with the fix for this. |
Bumps [pip](https://github.com/pypa/pip) from 23.2.1 to 23.3.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.3.1 (2023-10-21)</h1> <h2>Bug Fixes</h2> <ul> <li>Handle a timezone indicator of Z when parsing dates in the self check. (<code>[#12338](pypa/pip#12338) <https://github.com/pypa/pip/issues/12338></code>_)</li> <li>Fix bug where installing the same package at the same time with multiple pip processes could fail. (<code>[#12361](pypa/pip#12361) <https://github.com/pypa/pip/issues/12361></code>_)</li> </ul> <h1>23.3 (2023-10-15)</h1> <h2>Process</h2> <ul> <li>Added reference to <code>vulnerability reporting guidelines <https://www.python.org/dev/security/></code>_ to pip's security policy.</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Drop a fallback to using SecureTransport on macOS. It was useful when pip detected OpenSSL older than 1.0.1, but the current pip does not support any Python version supporting such old OpenSSL versions. (<code>[#12175](pypa/pip#12175) <https://github.com/pypa/pip/issues/12175></code>_)</li> </ul> <h2>Features</h2> <ul> <li>Improve extras resolution for multiple constraints on same base package. (<code>[#11924](pypa/pip#11924) <https://github.com/pypa/pip/issues/11924></code>_)</li> <li>Improve use of datastructures to make candidate selection 1.6x faster. (<code>[#12204](pypa/pip#12204) <https://github.com/pypa/pip/issues/12204></code>_)</li> <li>Allow <code>pip install --dry-run</code> to use platform and ABI overriding options. (<code>[#12215](pypa/pip#12215) <https://github.com/pypa/pip/issues/12215></code>_)</li> <li>Add <code>is_yanked</code> boolean entry to the installation report (<code>--report</code>) to indicate whether the requirement was yanked from the index, but was still selected by pip conform to :pep:<code>592</code>. 
(<code>[#12224](pypa/pip#12224) <https://github.com/pypa/pip/issues/12224></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Ignore errors in temporary directory cleanup (show a warning instead). (<code>[#11394](pypa/pip#11394) <https://github.com/pypa/pip/issues/11394></code>_)</li> <li>Normalize extras according to :pep:<code>685</code> from package metadata in the resolver for comparison. This ensures extras are correctly compared and merged as long as the package providing the extra(s) is built with values normalized according to the standard. Note, however, that this <em>does not</em> solve cases where the package itself contains unnormalized extra values in the metadata. (<code>[#11649](pypa/pip#11649) <https://github.com/pypa/pip/issues/11649></code>_)</li> <li>Prevent downloading sdists twice when :pep:<code>658</code> metadata is present. (<code>[#11847](pypa/pip#11847) <https://github.com/pypa/pip/issues/11847></code>_)</li> <li>Include all requested extras in the install report (<code>--report</code>). (<code>[#11924](pypa/pip#11924) <https://github.com/pypa/pip/issues/11924></code>_)</li> <li>Removed uses of <code>datetime.datetime.utcnow</code> from non-vendored code. (<code>[#12005](pypa/pip#12005) <https://github.com/pypa/pip/issues/12005></code>_)</li> <li>Consistently report whether a dependency comes from an extra. (<code>[#12095](pypa/pip#12095) <https://github.com/pypa/pip/issues/12095></code>_)</li> <li>Fix completion script for zsh (<code>[#12166](pypa/pip#12166) <https://github.com/pypa/pip/issues/12166></code>_)</li> <li>Fix improper handling of the new onexc argument of <code>shutil.rmtree()</code> in Python 3.12. (<code>[#12187](pypa/pip#12187) <https://github.com/pypa/pip/issues/12187></code>_)</li> <li>Filter out yanked links from the available versions error message: "(from versions: 1.0, 2.0, 3.0)" will not contain yanked versions conform PEP 592. The yanked versions (if any) will be mentioned in a separate error message. 
(<code>[#12225](pypa/pip#12225) <https://github.com/pypa/pip/issues/12225></code>_)</li> <li>Fix crash when the git version number contains something else than digits and dots. (<code>[#12280](pypa/pip#12280) <https://github.com/pypa/pip/issues/12280></code>_)</li> <li>Use <code>-r=...</code> instead of <code>-r ...</code> to specify references with Mercurial. (<code>[#12306](pypa/pip#12306) <https://github.com/pypa/pip/issues/12306></code>_)</li> <li>Redact password from URLs in some additional places. (<code>[#12350](pypa/pip#12350) <https://github.com/pypa/pip/issues/12350></code>_)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/5364f26f9631dc07ed1bdfc88e1bec1bead2bce3"><code>5364f26</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/5e7cc16c3b4442055a4a9892e9231758b6714e28"><code>5e7cc16</code></a> Fix parallel pip cache downloads causing crash (<a href="https://redirect.github.com/pypa/pip/issues/12364">#12364</a>)</li> <li><a href="https://github.com/pypa/pip/commit/8a0f77c171d60344e6a3bf6e95ad5740c21575fd"><code>8a0f77c</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12355">#12355</a> from sbidoul/build-using-build</li> <li><a href="https://github.com/pypa/pip/commit/f3620cdb5be06cee223a3606a1525ee45372085b"><code>f3620cd</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12363">#12363</a> from pfmoore/safe_isoformat</li> <li><a href="https://github.com/pypa/pip/commit/fb06d12d5a32581ae531fc26143c14ac6c8ea8fe"><code>fb06d12</code></a> Handle ISO formats with a trailing Z</li> <li><a href="https://github.com/pypa/pip/commit/9f213bf69ac32c60c84055261c862ff169389e43"><code>9f213bf</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12356">#12356</a> from sbidoul/clarify-changelog</li> <li><a 
href="https://github.com/pypa/pip/commit/a982c7bc3550afb27a3a792d84fe91bf7c3254ca"><code>a982c7b</code></a> Add a few PEP links in the changelog</li> <li><a href="https://github.com/pypa/pip/commit/e1e227d7d6b5ae04ae3a2104bf8185622201f5f6"><code>e1e227d</code></a> Clarify changelog</li> <li><a href="https://github.com/pypa/pip/commit/9b0abc8c40459dd16a9c1205e15f6d3363bf202e"><code>9b0abc8</code></a> Build using <code>build</code></li> <li><a href="https://github.com/pypa/pip/commit/9d4be7802f45790bdb994f943c8d8731927cf25c"><code>9d4be78</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12353">#12353</a> from sbidoul/release/23.3</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.2.1...23.3.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.2.1&new-version=23.3.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
…k/test/generated-code (#4306) Bumps [pip](https://github.com/pypa/pip) from 23.3 to 23.3.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.3.1 (2023-10-21)</h1> <h2>Bug Fixes</h2> <ul> <li>Handle a timezone indicator of Z when parsing dates in the self check. (<code>[#12338](pypa/pip#12338) <https://github.com/pypa/pip/issues/12338></code>_)</li> <li>Fix bug where installing the same package at the same time with multiple pip processes could fail. (<code>[#12361](pypa/pip#12361) <https://github.com/pypa/pip/issues/12361></code>_)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/5364f26f9631dc07ed1bdfc88e1bec1bead2bce3"><code>5364f26</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/5e7cc16c3b4442055a4a9892e9231758b6714e28"><code>5e7cc16</code></a> Fix parallel pip cache downloads causing crash (<a href="https://redirect.github.com/pypa/pip/issues/12364">#12364</a>)</li> <li><a href="https://github.com/pypa/pip/commit/8a0f77c171d60344e6a3bf6e95ad5740c21575fd"><code>8a0f77c</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12355">#12355</a> from sbidoul/build-using-build</li> <li><a href="https://github.com/pypa/pip/commit/f3620cdb5be06cee223a3606a1525ee45372085b"><code>f3620cd</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12363">#12363</a> from pfmoore/safe_isoformat</li> <li><a href="https://github.com/pypa/pip/commit/fb06d12d5a32581ae531fc26143c14ac6c8ea8fe"><code>fb06d12</code></a> Handle ISO formats with a trailing Z</li> <li><a href="https://github.com/pypa/pip/commit/9f213bf69ac32c60c84055261c862ff169389e43"><code>9f213bf</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12356">#12356</a> from sbidoul/clarify-changelog</li> <li><a 
href="https://github.com/pypa/pip/commit/a982c7bc3550afb27a3a792d84fe91bf7c3254ca"><code>a982c7b</code></a> Add a few PEP links in the changelog</li> <li><a href="https://github.com/pypa/pip/commit/e1e227d7d6b5ae04ae3a2104bf8185622201f5f6"><code>e1e227d</code></a> Clarify changelog</li> <li><a href="https://github.com/pypa/pip/commit/9b0abc8c40459dd16a9c1205e15f6d3363bf202e"><code>9b0abc8</code></a> Build using <code>build</code></li> <li><a href="https://github.com/pypa/pip/commit/9d4be7802f45790bdb994f943c8d8731927cf25c"><code>9d4be78</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12353">#12353</a> from sbidoul/release/23.3</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.3...23.3.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.3&new-version=23.3.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Description
If multiple virtual environments are installing the same package at the same time one of them can/will fail with a cache error similar to the one below.
I.e. one virtual environment is downloading the file and caching it. Another virtual environment will try to access the cached file before the download has finished. This feature was working in 23.2.1.
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
numpy>=1.20 from https://files.pythonhosted.org/packages/98/5d/5738903efe0ecb73e51eb44feafba32bdba2081263d40c5043568ff60faf/numpy-1.24.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:
Expected sha256 901677b9c6e0973ed91ece5a79fad3c42dafd884e1d7299cf5c392a7e7c62398
Got e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Expected behavior
I expected the virtual environment either to download its own version of the package OR to wait for the cached version to be completed before accessing it.
pip version
23.3
Python version
3.8.10
OS
linux/ubuntu 20.04
How to Reproduce
Have multiple virtual environments running in parallel where at least some of the packages are shared between them.
Output
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
numpy>=1.20 from https://files.pythonhosted.org/packages/98/5d/5738903efe0ecb73e51eb44feafba32bdba2081263d40c5043568ff60faf/numpy-1.24.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:
Expected sha256 901677b9c6e0973ed91ece5a79fad3c42dafd884e1d7299cf5c392a7e7c62398
Got e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
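The interleaving the report describes, modelled as an added example (not pip's or CacheControl's code): a non-atomic cache write beside a temp-file-plus-os.replace write, with a reader that hashes whatever is on disk. Paths, function names and the wheel payload are constructed; the "Got" digest in the report, e3b0c442…b855, is the SHA-256 of zero bytes, which is exactly what the reader computes here when it catches the empty file.

```python
"""Model of the cache race in this issue (added example, not pip's or CacheControl's
code): the writer creates the cache body file before the download's bytes arrive, so
a concurrent reader hashes an empty file; the report's "Got" is exactly sha256(b"")."""
import hashlib
import os
import tempfile
from pathlib import Path

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # e3b0c442...b855, as in the report
WHEEL_BYTES = b"PK\x03\x04 constructed stand-in for a downloaded wheel"

def write_in_place(path: Path, data: bytes, between=None) -> None:
    """Non-atomic write: the entry exists, empty, before the download lands in it.
    `between` stands in for the other pip process getting scheduled."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "wb") as fh:
        if between:
            between()
        fh.write(data)

def write_atomic(path: Path, data: bytes, between=None) -> None:
    """Write a temp file in the same directory, then os.replace() it into place:
    a reader sees either no entry (cache miss, re-download) or the whole file."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            if between:
                between()
            fh.write(data)
        os.replace(tmp, path)  # atomic rename on POSIX and Windows
    except BaseException:
        os.unlink(tmp)
        raise

def verify_cached(path: Path):
    """sha256 of the cached body as hex, or None when there is no entry yet."""
    try:
        return hashlib.sha256(path.read_bytes()).hexdigest()
    except FileNotFoundError:
        return None

def race(writer) -> tuple:
    """Interleave one writer with one reader on the same entry. Returns (digest seen
    mid-write or None, digest after the write, expected digest)."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "cache" / "body"
        seen = []
        writer(target, WHEEL_BYTES, between=lambda: seen.append(verify_cached(target)))
        return seen[0], verify_cached(target), hashlib.sha256(WHEEL_BYTES).hexdigest()
```

With the in-place writer the reader's mid-write digest equals EMPTY_SHA256 and pip's hash check is what turns that into the reported error rather than a silently corrupt install; with the atomic writer the reader gets a plain cache miss instead.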