Current package set fails to install
AetherUnbound opened this issue · 2 comments
Description
It seems that the current set of packages fails to install:
```
#0 46.84 [pipenv.exceptions.InstallError]: Collecting livereload==2.6.3
#0 46.84 [pipenv.exceptions.InstallError]: Using cached livereload-2.6.3-py2.py3-none-any.whl (24 kB)
#0 46.84 [pipenv.exceptions.InstallError]: ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
#0 46.84 [pipenv.exceptions.InstallError]: livereload==2.6.3 from https://files.pythonhosted.org/packages/e3/05/ed67ccf462fff0b559e6ea7b3e3fcb20dec9d57bf90b5c5e72a6f316183e/livereload-2.6.3-py2.py3-none-any.whl (from -r /tmp/pipenv-lwwq_5e9-requirements/pipenv-e_xlrs8z-hashed-reqs.txt (line 28)):
#0 46.84 [pipenv.exceptions.InstallError]: Expected sha256 776f2f865e59fde56490a56bcc6773b6917366bce0c267c60ee8aaf1a0959869
#0 46.84 [pipenv.exceptions.InstallError]: Got ad4ac6f53b2d62bb6ce1a5e6e96f1f00976a32348afedcb4b6d68df2a1d346e4
```
The package in question has the note "MAINTAINERS NEEDED" on it, which gives me concern that this could have been compromised: https://github.com/lepture/python-livereload
Reproduction
- Run `just build --no-cache`
- See error.
Additional context
This was first identified in #1057 (specifically https://github.com/WordPress/openverse-api/actions/runs/3767784439/jobs/6405648796).
@AetherUnbound the package was not compromised. A new maintainer was recently onboarded (so the 'MAINTAINERS NEEDED' bit might be outdated) and on 2022-12-02, built wheels were added to the package.
Pipenv fails to install the package because it prefers wheels over the source, but then compares the hash of the wheels to the hash of the source recorded in Pipfile.lock.
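The mechanism described in the comment above, as an added example that is not part of this thread or of pipenv's code: a lock entry lists the sha256 of every artifact it accepts, and an installer in hash-checking mode accepts a downloaded file only if its digest is in that list. The sdist and wheel bytes below are constructed stand-ins (the real archives are not reproduced here); `lock_entry` and `verify_artifact` are hypothetical helpers written for this illustration, using the `"sha256:<hex>"` string form that Pipfile.lock uses.

```python
import hashlib

# Constructed stand-ins for the two artifacts of one release. Real sdists
# and wheels have different contents, so they always have different hashes.
SDIST_BYTES = b"constructed sdist payload for livereload==2.6.3"
WHEEL_BYTES = b"constructed wheel payload for livereload==2.6.3"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lock_entry(*artifacts: bytes) -> dict:
    """Build a Pipfile.lock-style entry pinning one hash per artifact."""
    return {
        "version": "==2.6.3",
        "hashes": [f"sha256:{sha256_hex(a)}" for a in artifacts],
    }


# Lock generated when only the sdist existed on the index (the issue's case).
LOCK_SDIST_ONLY = {"livereload": lock_entry(SDIST_BYTES)}
# Lock regenerated after the wheel was published: both hashes are recorded.
LOCK_BOTH = {"livereload": lock_entry(SDIST_BYTES, WHEEL_BYTES)}


def verify_artifact(lock: dict, name: str, artifact: bytes) -> tuple[bool, str, list[str]]:
    """Hash-checking install step: compute the digest of the downloaded
    artifact and accept it only if it matches one of the pinned hashes.
    Returns (accepted, observed_digest, expected_digests)."""
    expected = []
    for pinned in lock[name]["hashes"]:
        algo, _, digest = pinned.partition(":")
        if algo != "sha256":
            raise ValueError(f"unsupported hash algorithm in lock: {algo}")
        expected.append(digest)
    got = sha256_hex(artifact)
    return got in expected, got, expected


def report(lock: dict, name: str, artifact: bytes) -> str:
    """Render the same distinction pip reports: match, or mismatch with both sides."""
    ok, got, expected = verify_artifact(lock, name, artifact)
    if ok:
        return f"{name}: hash matches a pinned artifact"
    return f"{name}: MISMATCH expected one of {expected}, got {got}"


if __name__ == "__main__":
    # The wheel is preferred by the installer but absent from the old lock.
    print(report(LOCK_SDIST_ONLY, "livereload", WHEEL_BYTES))
    # After relocking, the same wheel is accepted.
    print(report(LOCK_BOTH, "livereload", WHEEL_BYTES))
```

A mismatch alone does not distinguish "a new artifact type was published" from "the artifact was altered": the useful check is whether the observed digest equals the digest the index publishes for that exact file. If it does, regenerating the lock so the wheel's hash is recorded resolves the failure; if it does not, the download itself deserves scrutiny.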
Thank you for looking into that more thoroughly @dhruvkb!