In hash-checking mode[1], pip will verify downloaded package archives (source tarballs in our case) against known SHA256 hashes before installing the packages. As a consequence, this requires the use of requirements files[2] and pinning packages to known versions. The syntax for package Makefiles has changed slightly; HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement specifiers like "foo>=1.0", only requirements file names (which are the same as package names in the most common case). This also updates affected packages, in particular: * python-zipp: "setuptools_scm[toml]" has been split into "setuptools-scm toml" to reuse the requirements file for setuptools-scm (the extra depends installed by "setuptools_scm[toml]" is toml). * python-pycparser: This previously used ply 3.10, whereas the requirements file will now install 3.11. [1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode [2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2 lines
187 B
Text
2 lines
187 B
Text
Django==1.11.29 --hash=sha256:4200aefb6678019a0acf0005cd14cfce3a5e6b9b90d06145fcdd2e474ad4329c
|
|
pytz==2020.1 --hash=sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048
|